Question & Answer

Security & privacy

Trojan Vundo and Trojan Duntek

Anonymous
15 answers
 • Are there still any problems?
 • I have been bothered by unwanted popups on my computer for some time now, almost exclusively in Explorer (I mainly use Firefox).
  Norton Antivirus reported trojan.vundo and trojan.duntek

  In other topics I saw what the first steps are to fix trojan.vundo, where the users were asked to post logs.

  I have just run VundoFix and HijackThis and have the logs from them. I hope someone here can now help me further.

  I also hope there is someone who knows what I can best do about trojan.duntek.
  A virus scan by Norton and a scan by Hitman Pro have not achieved anything yet.
  The logs:
  VundoFix V6.5.7

  Checking Java version…

  Java version is 1.5.0.2
  Old versions of java are exploitable and should be removed.

  Scan started at 23:57:37 26-8-2007

  Listing files found while scanning….

  C:\windows\system32\comsam.dll
  C:\WINDOWS\system32\tmp13D.tmp.dll
  C:\WINDOWS\system32\tmp3.tmp.dll
  C:\WINDOWS\system32\tmp4.tmp.dll

  Beginning removal…

  Attempting to delete C:\windows\system32\comsam.dll
  C:\windows\system32\comsam.dll Has been deleted!

  Attempting to delete C:\WINDOWS\system32\tmp13D.tmp.dll
  C:\WINDOWS\system32\tmp13D.tmp.dll Has been deleted!

  Attempting to delete C:\WINDOWS\system32\tmp3.tmp.dll
  C:\WINDOWS\system32\tmp3.tmp.dll Has been deleted!

  Attempting to delete C:\WINDOWS\system32\tmp4.tmp.dll
  C:\WINDOWS\system32\tmp4.tmp.dll Has been deleted!

  Performing Repairs to the registry.
  Done!

  Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 0:04:09, on 27-8-2007
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  Boot mode: Normal

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
  C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
  C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\system32\drivers\CDAC11BA.EXE
  C:\Program Files\Norton AntiVirus\navapsvc.exe
  C:\Program Files\Eset\nod32krn.exe
  C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
  C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
  C:\Program Files\MSN Messenger\msnmsgr.exe
  C:\Program Files\Mozilla Firefox\firefox.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
  C:\WINDOWS\system32\wuauclt.exe
  C:\WINDOWS\system32\NOTEPAD.EXE
  C:\Program Files\Messenger\msmsgs.exe
  C:\HJT\HijackThis.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {1794d56a-6303-4a1f-b947-c5dd828aad4b} - C:\WINDOWS\system32\comsam.dll (file missing)
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
  O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
  O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
  O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
  O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
  O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
  O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
  O4 - HKUS\S-1-5-21-1547161642-1500820517-682003330-1004\..\Run: [PowerBar] (User '?')
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
  O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
  O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
  O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
  O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
  O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
  O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
  O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
  O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
  O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
  O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
  O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
  O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomgames.com/activex/zylomgamesplayer.cab
  O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
  O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
  O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
  O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
  O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
  O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
  O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
  O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
  O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
  O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
  O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
  O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
  O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
  O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


  End of file - 8959 bytes
  Thanks in advance!
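The entries a helper looks at first in a HijackThis log like the one above are nameless BHOs whose DLL is already gone (here comsam.dll, deleted by VundoFix but still registered), autoruns launched by a bare file name with no directory (here p2pnetworking.exe under RunServices), and autoruns with no readable command (here PowerBar). The Python below is an added example, not a tool from this thread; its sample lines are constructed from the log posted above, and the allowlist of known nameless BHOs is an assumption of the example.

```python
"""Triage helper for HijackThis-style logs (added example, not from this thread)."""
import re
from typing import List, Tuple

# Constructed sample, shaped after the first HijackThis log in this thread.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1794d56a-6303-4a1f-b947-c5dd828aad4b} - C:\WINDOWS\system32\comsam.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-1547161642-1500820517-682003330-1004\..\Run: [PowerBar] (User '?')
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""
# The second log in the thread (after the BFU script) no longer lists the RunServices entry.
LOG_AFTER = LOG_BEFORE.replace(
    r"O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe" + "\n", "")

ENTRY = re.compile(r"^(?P<kind>O\d+) - (?P<body>.+)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
AUTORUN = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\]\s*(?P<cmd>.*)$")
USER_NOTE = re.compile(r"\s*\(User '[^']*'\)\s*$")

# Assumed allowlist: Spybot's SDHelper.dll registers as a nameless BHO and is benign.
KNOWN_NAMELESS_BHO = {"sdhelper.dll"}


def first_token(cmd: str) -> str:
    """Return the program part of an autorun command (quoted path or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_bare_executable(token: str) -> bool:
    """A bare file name has no directory and is resolved by search order at logon."""
    return (bool(token) and "\\" not in token and "%" not in token
            and token.lower().endswith(".exe"))


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, log line) pairs for the entries worth a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2":
            b = BHO.match(body)
            if not b or b.group("name") != "(no name)":
                continue
            path = b.group("path")
            fname = path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1].lower()
            if path.endswith("(file missing)"):
                # Registration left behind after the DLL was deleted (as after VundoFix).
                findings.append(("orphaned-bho", line))
            elif fname not in KNOWN_NAMELESS_BHO:
                findings.append(("nameless-bho", line))
        elif kind == "O4":
            a = AUTORUN.match(body)
            if not a:
                continue
            cmd = USER_NOTE.sub("", a.group("cmd"))  # drop HijackThis' (User '...') note
            if not cmd.strip():
                # No readable command: the value is empty or not printable text.
                findings.append(("empty-autorun", line))
            elif is_bare_executable(first_token(cmd)):
                findings.append(("bare-exe-autorun", line))
    return findings


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Lines removed by and lines new since a cleanup step, ignoring order."""
    b = {ln.strip() for ln in before.splitlines() if ln.strip()}
    a = {ln.strip() for ln in after.splitlines() if ln.strip()}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for kind, line in triage(LOG_BEFORE):
        print(f"{kind:18} {line}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", removed)
    print("added:", added)
```

Run against the two logs in this thread, the diff shows that the BFU script removed the RunServices entry while the orphaned comsam.dll BHO registration survived into the second log.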
 • Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  Save it to your desktop.
  Double-click it to start the program.
  In the screen that appears, type a Y to start the cleaning process.
  Follow the instructions on the screen.
  When the tool is finished, a log file opens (combofix.txt).
  Post the contents of this file together with a new HijackThis log.
 • I get a 404 message for that page..
  Maybe there is a typo in the URL?

  edit: I googled a bit and see that the URL is correct; the file has apparently been removed..
  I can't find another one online myself, maybe you know where I can download the file?
 • take this one: http://www.techsupportforum.com/sectools/combofix.exe
 • you beat me to it :)

  I downloaded that file, but then I get a text file with the following message:

  You have used an invalid url to download ComboFix.exe. Please be advised that these are the correct links to use

  http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

  http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  Neither link works..

 • Both links are indeed down.
  I'll check with the maker of the tool what exactly is going on.
 • It turns out there are some problems with combofix.

  Download Brute Force Uninstaller: http://www.merijn.org/files/bfu.zip
  Unzip it into its own folder on your C:\ (c:\BFU).
  Read here how to unzip properly:
  http://home.planet.nl/~kleyn080/unzippenXPuitleg.html

  Double-click BFU.exe to start the Brute Force Uninstaller.

  Next to the 'scriptfile to execute' window you will see a small icon (image: http://users.telenet.be/bluepatchy/miekiemoes/images/bfuicon.JPG)
  Click that icon and a new window will open.
  At the top you will see: 'Please enter the full URL to the script you want to execute'
  Copy and paste the following URL into that window:
  http://home.planet.nl/~kleyn080/alcanshorty.bfu

  Click OK
  Then click execute in Brute Force Uninstaller.

  Wait until you see the message complete script execution and then click OK.
  Click exit to close the program.

  Restart the computer, make a new HijackThis log and post it.
 • OK, I ran Brute Force; this is the new HijackThis log:

  Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 18:11:34, on 27-8-2007
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  Boot mode: Normal

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
  C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
  C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
  C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\system32\drivers\CDAC11BA.EXE
  C:\Program Files\Norton AntiVirus\navapsvc.exe
  C:\Program Files\Eset\nod32krn.exe
  C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
  C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
  C:\Program Files\MSN Messenger\msnmsgr.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Outlook Express\msimn.exe
  C:\WINDOWS\system32\svchost.exe
  C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
  C:\WINDOWS\system32\wuauclt.exe
  C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
  C:\HJT\HijackThis.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {1794d56a-6303-4a1f-b947-c5dd828aad4b} - C:\WINDOWS\system32\comsam.dll (file missing)
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
  O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
  O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
  O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
  O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
  O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
  O4 - HKUS\S-1-5-21-1547161642-1500820517-682003330-1004\..\Run: [PowerBar] (User '?')
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
  O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
  O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
  O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
  O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
  O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
  O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
  O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
  O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
  O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
  O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
  O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
  O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomgames.com/activex/zylomgamesplayer.cab
  O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
  O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
  O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
  O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
  O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
  O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
  O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
  O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
  O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
  O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
  O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
  O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
  O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
  O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


  End of file - 8898 bytes
 • Can you now make a log with the new version of ComboFix?
  (the tool is available again)
 • maybe I'm doing something wrong, but I still can't download combofix..
 • It should work now.
 • OK, now it did work. It did change some settings when I started up again.. The firewall was disabled, my virus scanner was not recognized and Explorer was the default browser again (I have set Firefox as the default). I have restored this, I hope that's fine..

  This is the log:

  ComboFix 07-08-30.1 - "****" 2007-08-29 23:39:12.1 - NTFSx86


  ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


  C:\DOCUME~1\****\APPLIC~1\macromedia\Flash Player\#SharedObjects\JC48FZ8J\www.broadcaster.com
  C:\DOCUME~1\****\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
  C:\WINDOWS\system32\_000005_.tmp.dll
  C:\WINDOWS\tuutvw.ini
  C:\WINDOWS\wvtuut.dll


  ((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


  2007-08-29 23:38 51,200 --a------ C:\WINDOWS\nircmd.exe
  2007-08-29 08:28 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
  2007-08-27 18:07 <DIR> d-------- C:\bintheredunthat
  2007-08-27 18:04 <DIR> d-------- C:\bfu
  2007-08-27 00:03 <DIR> d-------- C:\HJT
  2007-08-26 23:57 <DIR> d-------- C:\VundoFix Backups
  2007-08-25 11:40 <DIR> d-------- C:\DOCUME~1\****\ppPokerDir
  2007-07-10 17:39 737,280 --a------ C:\WINDOWS\iun6002.exe
  2007-07-10 17:39 19 --a------ C:\WINDOWS\popcinfo.dat
  2007-07-10 17:39 <DIR> d-------- C:\Program Files\PopCap Games
  2007-07-09 10:34 <DIR> d-------- C:\Program Files\Common Files\Sandlot Shared
  2007-07-09 10:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
  2007-07-09 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
  2007-07-09 09:46 <DIR> d-------- C:\Program Files\BFG
  2007-07-08 19:17 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\Eyeblaster
  2007-07-08 19:13 <DIR> d-------- C:\Program Files\Zylom Games
  2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\PlayFirst
  2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst


  (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

  2007-08-29 08:31 --------- d-------- C:\Program Files\Common Files\Symantec Shared
  2007-08-27 21:09 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Ahead
  2007-08-25 21:01 --------- d-------- C:\DOCUME~1\****\APPLIC~1\uTorrent
  2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
  2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
  2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
  2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
  2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
  2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
  2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
  2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
  2007-07-12 11:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
  2007-07-08 19:13 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Zylom
  2007-07-07 13:26 --------- d-------- C:\Program Files\Norton AntiVirus
  2007-07-07 13:24 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
  2007-07-07 13:24 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
  2007-07-07 13:24 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
  2007-07-07 13:24 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
  2007-07-07 13:24 --------- d-------- C:\Program Files\Symantec
  2007-07-07 13:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
  2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
  2007-06-19 15:33 282112 --a------ C:\WINDOWS\system32\gdi32.dll
  2007-06-13 15:24 1036800 --a------ C:\WINDOWS\explorer.exe
  2007-03-09 22:06 87608 --a------ C:\DOCUME~1\****\APPLIC~1\ezpinst.exe
  2007-03-09 22:06 47360 --a------ C:\DOCUME~1\****\APPLIC~1\pcouffin.sys
  2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe
  2001-10-05 12:53 21866 --a------ C:\Program Files\Common Files\tppupd2k.dll
  2007-03-17 14:28:37 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


  ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


  *Note* empty entries & legit default entries are not shown

  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1794d56a-6303-4a1f-b947-c5dd828aad4b}]
  C:\WINDOWS\system32\comsam.dll

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 12:04]
  "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22]

  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "PowerBar"="" []
  "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 20:34]

  [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
  "Spyware Doctor"=

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
  backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BlueSoleil.lnk
  backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
  backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
  backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Snelstart HP Image Zone.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Snelstart HP Image Zone.lnk
  backup=C:\WINDOWS\pss\Snelstart HP Image Zone.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
  rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
  C:\Program Files\BullsEye Network\bin\bargains.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
  "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
  C:\WINDOWS\system32\ctfmon.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
  "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
  "C:\Program Files\Internet Optimizer\optimize.exe"

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
  C:\Program Files\iTunes\iTunesHelper.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
  C:\Program Files\Media Access\MediaAccK.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
  "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msxct]
  msxct.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
  C:\WINDOWS\system32\NeroCheck.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]
  p2pnetworking.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
  C:\Program Files\Power Scan\powerscan.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
  "C:\Program Files\QuickTime\qttask.exe" -atboottime

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
  "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]
  C:\DOCUME~1\****\LOCALS~1\Temp\sahagent-cdt1004.exe run

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
  c:\temp\salm.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
  rundll32.exe "C:\WINDOWS\wvtuut.dll",realset

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
  SOUNDMAN.EXE

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
  C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
  C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
  "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPP Auto Loader]
  C:\WINDOWS\tppaldr.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
  "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
  %systemroot%\system32\dumprep 0 -u

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
  C:\Program Files\winupdate\winupdate.exe /auto

  Contents of the 'Scheduled Tasks' folder
  2006-04-04 19:56:47 C:\WINDOWS\Tasks\Norton AntiVirus - Norton QuickScan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\NAVW32.EXE
  2007-07-06 18:00:14 C:\WINDOWS\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\Navw32.exe

  **************************************************************************

  catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
  Rootkit scan 2007-08-30 23:43:20
  Windows 5.1.2600 Service Pack 2 NTFS

  scanning hidden processes …

  scanning hidden autostart entries …

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  PowerBar = ????<???D??sh??????w????h???Z??w(???*??wD?@?<?@?0?c???????????????????????????2????????????????????w????g??w0??w????*??w???w????D??s@??????????w????<?@????????w????D?@???b?????????<?@?<?@????????w????D?@?????<?@???@?<?@?3??s??????????????????????@?_??s??@???@

  scanning hidden files …

  scan completed successfully
  hidden files: 0

  **************************************************************************

  Completion time: 2007-08-30 23:45:01 - machine was rebooted
  C:\ComboFix-quarantined-files.txt ... 2007-08-30 23:44

  --- E O F ---
  (For privacy reasons I have put asterisks in the file names and in a few other places. My surname was there (it is the name of my Windows account).)
 • Open a Notepad file.
  Copy the code below into this Notepad file.
  Go to File - Save As.
  Under "Save in" choose: Desktop
  Under "File name" enter: fix.reg
  Under "Save as type" select: All Files (*.*).
  Click the Save button.
  REGEDIT4

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msxct]

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]

  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1794d56a-6303-4a1f-b947-c5dd828aad4b}]

  [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{1794d56a-6303-4a1f-b947-c5dd828aad4b}]

  Double-click the fix.reg file and allow the changes to be added to the registry.


  Download ATF Cleaner (made by Atribune)
  Double-click ATF Cleaner to start the program.
  In the "Main" window, tick "Select All".
  Click the "Empty Selected" button.

  If you also use Firefox as a browser:
  Click the "Firefox" tab and tick "Select All".
  If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
  (this removes the tick from "Firefox saved passwords")
  Click the "Empty Selected" button.

  If you also use Opera as a browser:
  Click the "Opera" tab and tick "Select All".
  If you want to keep the passwords saved by Opera, click "No" in the window that appears.
  Click the "Empty Selected" button.

  Go to the "Main" menu and click the "Exit" button to close the program.


  Restart the computer, make a new log with ComboFix and post it.
 • Did all of this.

  New log:

  ComboFix 07-08-30.1 - "****" 2007-08-31 9:45:24.2 - NTFSx86


  ((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


  2007-08-29 23:38 51,200 --a------ C:\WINDOWS\nircmd.exe
  2007-08-27 18:07 <DIR> d-------- C:\bintheredunthat
  2007-08-27 18:04 <DIR> d-------- C:\bfu
  2007-08-27 00:03 <DIR> d-------- C:\HJT
  2007-08-26 23:57 <DIR> d-------- C:\VundoFix Backups
  2007-08-25 11:40 <DIR> d-------- C:\DOCUME~1\****\ppPokerDir
  2007-07-10 17:39 737,280 --a------ C:\WINDOWS\iun6002.exe
  2007-07-10 17:39 19 --a------ C:\WINDOWS\popcinfo.dat
  2007-07-10 17:39 <DIR> d-------- C:\Program Files\PopCap Games
  2007-07-09 10:34 <DIR> d-------- C:\Program Files\Common Files\Sandlot Shared
  2007-07-09 10:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
  2007-07-09 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
  2007-07-09 09:46 <DIR> d-------- C:\Program Files\BFG
  2007-07-08 19:17 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\Eyeblaster
  2007-07-08 19:13 <DIR> d-------- C:\Program Files\Zylom Games
  2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\PlayFirst
  2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst


  (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

  2007-08-29 08:31 --------- d-------- C:\Program Files\Common Files\Symantec Shared
  2007-08-27 21:09 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Ahead
  2007-08-25 21:01 --------- d-------- C:\DOCUME~1\****\APPLIC~1\uTorrent
  2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
  2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
  2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
  2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
  2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
  2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
  2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
  2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
  2007-07-12 11:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
  2007-07-08 19:13 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Zylom
  2007-07-07 13:26 --------- d-------- C:\Program Files\Norton AntiVirus
  2007-07-07 13:24 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
  2007-07-07 13:24 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
  2007-07-07 13:24 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
  2007-07-07 13:24 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
  2007-07-07 13:24 --------- d-------- C:\Program Files\Symantec
  2007-07-07 13:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
  2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
  2007-06-19 15:33 282112 --a------ C:\WINDOWS\system32\gdi32.dll
  2007-06-13 15:24 1036800 --a------ C:\WINDOWS\explorer.exe
  2007-03-09 22:06 87608 --a------ C:\DOCUME~1\****\APPLIC~1\ezpinst.exe
  2007-03-09 22:06 47360 --a------ C:\DOCUME~1\****\APPLIC~1\pcouffin.sys
  2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe
  2001-10-05 12:53 21866 --a------ C:\Program Files\Common Files\tppupd2k.dll
  2007-03-17 14:28:37 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


  ((((((((((((((((((((((((((((( snapshot_2007-08-30_234439.56 )))))))))))))))))))))))))))))))))))))))))

  ----a-w 13,536 2005-06-28 08:20:24 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\spmsg.dll
  ----a-w 216,800 2005-06-28 08:23:40 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\spuninst.exe
  ----a-w 317,952 2007-06-27 13:57:10 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\unregmp2.exe
  ----a-w 725,728 2005-06-28 08:25:04 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\update\update.exe
  ----a-w 371,424 2005-06-28 08:23:54 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\update\updspapi.dll


  ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


  *Note* empty entries & legit default entries are not shown

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 12:04]
  "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22]

  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "PowerBar"="" []
  "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 20:34]

  [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
  "Spyware Doctor"=

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
  backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BlueSoleil.lnk
  backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
  backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
  backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Snelstart HP Image Zone.lnk]
  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Snelstart HP Image Zone.lnk
  backup=C:\WINDOWS\pss\Snelstart HP Image Zone.lnkCommon Startup

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
  rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
  "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
  C:\WINDOWS\system32\ctfmon.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
  "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
  C:\Program Files\iTunes\iTunesHelper.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
  "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
  C:\WINDOWS\system32\NeroCheck.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
  "C:\Program Files\QuickTime\qttask.exe" -atboottime

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
  "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
  SOUNDMAN.EXE

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
  C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
  C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
  "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPP Auto Loader]
  C:\WINDOWS\tppaldr.exe

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
  "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
  %systemroot%\system32\dumprep 0 -u

  Contents of the 'Scheduled Tasks' folder
  2006-04-04 19:56:47 C:\WINDOWS\Tasks\Norton AntiVirus - Norton QuickScan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\NAVW32.EXE
  2007-08-30 18:53:35 C:\WINDOWS\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\Navw32.exe

  **************************************************************************

  catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
  Rootkit scan 2007-08-31 09:47:00
  Windows 5.1.2600 Service Pack 2 NTFS

  scanning hidden processes …

  scanning hidden autostart entries …

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  PowerBar = ????<???D??sh??????w????h???Z??w(???*??wD?@?<?@?0?c???????????????????????????2????????????????????w????g??w0??w????*??w???w????D??s@??????????w????<?@????????w????D?@???b?????????<?@?<?@????????w????D?@?????<?@???@?<?@?3??s??????????????????????@?_??s??@???@

  scanning hidden files …

  scan completed successfully
  hidden files: 0

  **************************************************************************

  Completion time: 2007-08-31 9:47:46
  C:\ComboFix-quarantined-files.txt ... 2007-08-31 09:47
  C:\ComboFix2.txt ... 2007-08-30 23:45

  --- E O F ---
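As an added example (not code from this thread, from ComboFix or from HijackThis), the triage the helper did by hand on the "Reg Loading Points" section can be scripted: parse each msconfig startupreg block, flag entries that launch from a temp directory, that use rundll32 to load a DLL dropped directly under C:\WINDOWS, or whose name is on a reference list, write the same kind of REGEDIT4 delete file as the fix.reg posted above, and then check a log taken after the fix (like the second log) for entries that survived. The two log excerpts are constructed from entries visible in this thread; KNOWN_ADWARE is a hypothetical reference list assembled from the keys that fix.reg deletes, not a vendor signature set.

```python
"""Triage msconfig startupreg autostart entries from a ComboFix log and build a REGEDIT4 fix."""
import re

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# Hypothetical reference list: the key names the fix.reg in this thread deletes.
KNOWN_ADWARE = {
    "winupdate", "setup", "sahbundle", "salm", "power scan", "p2pnetworking",
    "msxct", "media access", "internet optimizer", "bullseye network",
}

# Constructed sample: startupreg blocks as they appear in the first log above.
BEFORE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]
p2pnetworking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]
C:\DOCUME~1\****\LOCALS~1\Temp\sahagent-cdt1004.exe run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
c:\temp\salm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "C:\WINDOWS\wvtuut.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
C:\Program Files\winupdate\winupdate.exe /auto
"""

# Constructed sample: the same section after the fix ran, as in the second log above.
AFTER_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
"""

# A key line followed on the next line by the command it launches.
ENTRY_RE = re.compile(
    r"^[ \t]*\[" + re.escape(STARTUPREG) + r"\\(?P<name>[^\]]+)\][ \t]*\r?\n"
    r"[ \t]*(?P<cmd>\S[^\r\n]*)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_startupreg(log_text):
    """Return {key name: command line} for every startupreg block in a ComboFix log."""
    return {m.group("name"): m.group("cmd").strip() for m in ENTRY_RE.finditer(log_text)}


def triage(entries):
    """Map each entry to ('remove' | 'review' | 'keep', [reasons])."""
    findings = {}
    for name, cmd in entries.items():
        low = cmd.lower()
        reasons = []
        if re.search(r"\\temp\\", low):
            reasons.append("launches from a temp directory")
        if re.search(r'rundll32(\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll', low):
            reasons.append("rundll32 loads a DLL dropped directly in %SystemRoot%")
        if name.lower() in KNOWN_ADWARE:
            reasons.append("name is on the reference list")
        if reasons:
            findings[name] = ("remove", reasons)
        elif "\\" not in cmd:
            # Bare names (SOUNDMAN.EXE, p2pnetworking.exe) are resolved via PATH at
            # boot; legitimate and rogue ones look alike, so a human has to decide.
            findings[name] = ("review", ["bare executable name, no path"])
        else:
            findings[name] = ("keep", [])
    return findings


def build_fix_reg(names):
    """REGEDIT4 text deleting the given keys; a leading '-' inside [..] deletes the key."""
    lines = ["REGEDIT4", ""]
    for name in sorted(names, key=str.lower):
        lines.append("[-%s\\%s]" % (STARTUPREG, name))
        lines.append("")
    return "\r\n".join(lines) + "\r\n"  # regedit wants CRLF and a trailing blank line


def still_present(after_log, names):
    """Keys from the fix that are still listed in a log taken after the fix ran."""
    return sorted(set(names) & set(parse_startupreg(after_log)), key=str.lower)


if __name__ == "__main__":
    entries = parse_startupreg(BEFORE_LOG)
    findings = triage(entries)
    for name, (verdict, reasons) in findings.items():
        print("%-7s %-16s %s  %s" % (verdict, name, entries[name], "; ".join(reasons)))
    to_remove = [n for n, (v, _) in findings.items() if v == "remove"]
    print(build_fix_reg(to_remove))
    print("still present after fix:", still_present(AFTER_LOG, to_remove))
```

The "review" verdict is deliberate: a bare name such as SOUNDMAN.EXE is a normal Realtek entry, while p2pnetworking.exe in the same shape was adware, so a path-less command is evidence for a closer look rather than for deletion. Running the script against the second log with the keys from the fix confirms that only the legitimate entries remain.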

This is an archived page. Replying is no longer possible.