
Questions & Answers

Security & privacy

Virus in email "essa voce precisa ver"

Anonymous
41 answers
  • My wife received an email from a friend, in Spanish, with a link in it. When she clicked on it she was soon phoned by friends saying she was sending spam. Norton sees no virus (we ran a scan straight away, of course).

    Below is the log; I'd appreciate advice.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:20:23, on 7-12-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\WINDOWS\Media\LTaskup.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [SetupType] Portable
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [wTask] C:\WINDOWS\Media\LTaskup.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe /NoDialog
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.bestemmingsplannen.amsterdam.nl/install/mgaxctrl_65515.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe


    End of file - 12029 bytes

  • jorte wrote:
    > My wife received an email from a friend, in Spanish, with a link in it. When she clicked on it she was soon phoned by friends saying she was sending spam. Norton sees no virus (we ran a scan straight away, of course).

    Get rid of that Norton, because a Trojan that has been known for this long should have been caught by it. I have also replaced my own scanner, AVG, namely with the German AntiVir, which you can download for free at http://www.free-av.com/.

    Because an acquaintance of mine also has this Trojan, I'm very curious whether you can get rid of this thing with AntiVir. The instructions I see on other forums are rather complicated, and I don't want to put her through that.

    kind regards,

    Enno
  • @ennoborg: Do you know which trojan it is?

    I have since removed LTaskup.exe from startup and from the windows/media directory (it was trying to make a connection, and according to Google it turned out to be a bad file). I also ran Ad-Aware and Spybot, and they removed quite a bit.
    With Panda's online scanner I find nothing further. Kaspersky online still saw something in my restore points yesterday, so I assume I need to remove those.

    Below is my new log; I'd very much like advice on any further steps. Thanks in advance!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:13:26, on 9-12-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [SetupType] Portable
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe /NoDialog
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.bestemmingsplannen.amsterdam.nl/install/mgaxctrl_65515.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe


    End of file - 12854 bytes

    Finally, one more question: I sometimes read that this kind of malware changes the settings of your virus scanner so that it is effectively disabled. Is there any way to tell?
    Best regards, Jorte

  • jorte wrote:
    > @ennoborg: Do you know which trojan it is?
    >
    > Finally, one more question: I sometimes read that this kind of malware changes the settings of your virus scanner so that it is effectively disabled. Is there any way to tell?
    > Best regards, Jorte

    Hello Jorte,

    AntiVir gives the following information:

    Virus: TR/Delphi.Downloader.Gen
    Type: Trojan
    In the wild: No
    Reported Infections: Low
    Distribution Potential: Low
    Damage Potential: Low
    Static file: No
    Engine version: 7.01.00.17

    If I understand correctly, this is a screensaver made with some kind of software kit, which according to AntiVir does not occur in the wild. We know better now, though, and I have told them so.

    http://www.google.com/search?hl=nl&q=TR%2FDelphi.Downloader.Gen&btnG=Zoeken&lr=lang_nl

    The trojan installs a modified version of the file svchost.exe, and I still see that file in your log. That is only logical, because it is a normal Windows file that in this case has been replaced by a malicious version.

    Because I myself, despite AVG's far too tolerant behaviour, am not infected, I can't tell you how to remove it, but I hope you find pointers via the Google link above. They are in the first result in any case, and in the second you can see that there are very few scanners that detect this nasty thing.

    As far as I'm concerned, all the more reason to throw Norton out right away. I have had a similar Trojan once before, and that time I did install it to test what it did, and it was simply let through by AVG as well. Back then I also switched to AntiVir, but after a system restore I was back on AVG until yesterday.

    With that previous Trojan I didn't see my virus scanner being disabled, but that wasn't necessary either, because it was too dumb to find that thing anyway. What I did see was that Windows warned that the firewall was being turned off. That was needed to send that junk on.

    My acquaintance in Assen is now scanning her PC, and I hope she'll soon report that it's fine. If she does, I'll let you know.

    regards,

    Enno
  • Thanks.
    On her machine there is no svchost in the windows dir, but there is one in the system32 dir, and that's where it belongs according to the info from your link.
    I did find svchost.ex_ in c:\I386 and svchost.exe-3530f72.pf in c:\windows\prefetch

    An online scan with McAfee did produce results:
    wnupd.exe and crss7[1].exe and also A0015008.exe, but I believe that one is in a restore point.
    Looking it up shows that it is the trojan Dloadr-bfj (which incidentally looks strikingly similar to Delphi.Downloader.Gen), but I haven't yet figured out how to get it off.
    If you or others can help me get it off, I'd be very grateful, because so far I haven't managed. Since her whole circle of acquaintances has been emailed that nasty link, I'd like instructions I can send to the people who also clicked on the link in the email.
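As an added illustration (not code from this thread or from any tool mentioned in it), the Python script below applies two checks raised in the posts above to a HijackThis log: svchost.exe running from anywhere other than system32, and processes or O4 autostart entries whose executable lives in a directory such as C:\WINDOWS\Media, where LTaskup.exe was found. The embedded sample log is constructed from a few lines of the logs posted above plus one made-up C:\WINDOWS\svchost.exe line, and the list of unusual directories is an assumption of the example.

```python
r"""Triage helper for HijackThis 2.0.2 logs (added example).

Two checks from the discussion above:
  * svchost.exe running from anywhere but the Windows system32 directory
  * processes and O4 autostart entries whose executable lives in a directory
    a legitimate installer rarely uses (Windows\Media, Temp, a user profile)
"""
import re
from pathlib import PureWindowsPath

# Heuristic list chosen for this example (assumption): tune it per environment.
SUSPICIOUS_DIRS = (
    r"c:\windows\media",
    r"c:\windows\temp",
    r"c:\windows\fonts",
    r"c:\documents and settings",
)
SYSTEM32 = r"c:\windows\system32"

# O4 lines look like:  O4 - HKLM\..\Run: [name] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def executable_from_command(cmd):
    r"""Return the executable path from an O4 command line, or None.

    Handles a quoted path followed by arguments ("C:\x\y.exe" /flag) and an
    unquoted path containing spaces (C:\Program Files\x.exe -startup).
    A bare file name with no directory (RTHDCPL.EXE) yields None because the
    log does not say where it was loaded from.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", cmd)
    if not m or "\\" not in m.group(1):
        return None
    return m.group(1)


def parse_log(text):
    """Split a HijackThis log into its running-process paths and O4 entries."""
    processes, autostarts = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # a blank line ends the section
        else:
            m = O4_RE.match(line)
            if m:
                exe = executable_from_command(m.group("cmd"))
                autostarts.append((m.group("hive"), m.group("name"), exe))
    return processes, autostarts


def in_suspicious_dir(path):
    """True when the path sits under one of SUSPICIOUS_DIRS (case-insensitive)."""
    norm = str(PureWindowsPath(path)).lower()
    return any(norm.startswith(d + "\\") for d in SUSPICIOUS_DIRS)


def find_findings(text):
    """Return a list of (kind, detail) tuples that deserve a closer look."""
    processes, autostarts = parse_log(text)
    findings = []
    for p in processes:
        path = PureWindowsPath(p)
        if path.name.lower() == "svchost.exe" and str(path.parent).lower() != SYSTEM32:
            findings.append(("svchost-outside-system32", p))
        elif in_suspicious_dir(p):
            findings.append(("process-in-unusual-dir", p))
    for hive, name, exe in autostarts:
        if exe is not None and in_suspicious_dir(exe):
            findings.append(("autostart-in-unusual-dir", f"{hive} [{name}] {exe}"))
    return findings


# Constructed sample: a few lines taken from the logs in this thread, plus one
# made-up C:\WINDOWS\svchost.exe line to represent a displaced svchost copy.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:23, on 7-12-2007
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Media\LTaskup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wTask] C:\WINDOWS\Media\LTaskup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for kind, detail in find_findings(SAMPLE_LOG):
        print(f"{kind:26} {detail}")
```

A hit from this script is a lead, not a verdict: a bare name such as RTHDCPL.EXE is skipped because the log gives no directory, and a legitimate program can live in an odd place.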
  • Dear Jorte,

    Because my own PC is not infected, I can't tell you first-hand what to do now. So for now I can do no more than refer you to

    http://www.google.com/search?q=Essa+voce+precisa+VER&hl=nl&lr=lang_nl&start=0&sa=N

    If my acquaintance in Assen has more good news I'll pass that on too, but for the time being you'll have to make do with Google.

    kind regards,

    Enno
  • Hi Jorte,

    Do the following to remove this for good.

    Download: RVAXO.exe
    1. Save the file to your desktop, double-click it and choose "Unzip" to extract it.
    2. Now open the folder RVAXO on your desktop and double-click RVAXO.cmd
    3. A cmd window will open, in which a few lines about files not found will quickly scroll by; this is normal.
    4. Possibly an uninstaller of a rogue scanner will also start; do not close it, but follow any instructions and just let it do its work.
    5. Your PC will then restart; after the restart the RVAXO cmd window opens again.
    6. Let it run and wait until a log file opens: C:\RVAXO-results.log
    7. If your computer does not restart by itself, or the tool does not start after the reboot, do this manually.
    8. Post the contents of the log file in your next reply.

    Good luck.

    Pim :)
  • Dear Enno and Pim, many thanks in advance for the help. Pim, the log is below

    ----------------RVAXO.exe first run-------------

    Files found:

    C:\WINDOWS\system32\_000005_.tmp.dll
    C:\WINDOWS\lnk_dados_2.dll
    C:\Documents and Settings\Bea\user.dat
    C:\Documents and Settings\Bea\Emails.dat

    Uninstallers Rogue scanners:


    Folders Found:


    Hosts-file was reset, If you use a custom hosts file please replace it…

    --------------RVAXO.exe last run---------------

    Files found:

    Folders Found:

    --------------RVAXO.exe finished----------------

    It didn't remove those files wnupd.exe and crss7[1].exe in temp; should I just remove them manually, or isn't that necessary? Addendum: they seem to be gone, because I can't find them anymore! Looks like a good sign to me.


    To be safe I also did a HijackThis run; the log is below.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:09:23, on 10-12-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [SetupType] Portable
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe /NoDialog
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.bestemmingsplannen.amsterdam.nl/install/mgaxctrl_65515.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5181/mcfscan.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe


    End of file - 12977 bytes

  • Looks good, but I still want to check one thing.

    Download Combofix to your desktop

    If you have used Combofix before, please delete that version and download Combofix again via the link above, because Combofix is updated daily.

    NOTE: if you get an alert from your antivirus or another real-time scanner during or after downloading Combofix, or while running Combofix, disable that scanner and download Combofix again. Some scanners see certain components Combofix uses as suspicious and will block or delete them!

    Double-click combofix.exe
    Choose "Continue" by typing 1 followed by ENTER.
    While the fix is running, do NOT click in the window, because that will make your PC hang.

    When the fix has finished and after the restart, the log combofix.txt will open.
    Post the Combofix log (combofix.txt) in your next reply
  • Pim, thanks in advance, the log is below. During the first scan Spybot's TeaTimer intervened a couple of times. I did get a log. I've kept it, but below is the second run with a freshly downloaded Combofix.

    ComboFix 07-12-09.1 - Bea 2007-12-10 20:43:41.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.593 [GMT 1:00]
    Started from: C:\Documents and Settings\Bea\Bureaublad\ComboFix.exe
    .

    (((((((((((((((((((( Files Created From 2007-11-10 to 2007-12-10 ))))))))))))))))))))))))))))))
    .

    2007-12-10 18:57 . 2007-12-10 18:57 <DIR> d-------- C:\RVAXO
    2007-12-10 18:56 . 2007-12-10 19:24 522,592 --a------ C:\WINDOWS\system32\RVAXO.bat
    2007-12-10 18:56 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
    2007-12-09 15:54 . 2007-12-09 15:54 <DIR> d-------- C:\WINDOWS\McAfee.com
    2007-12-09 14:01 . 2007-12-09 15:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-12-09 14:01 . 2007-12-09 14:01 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2007-12-09 14:01 . 2007-12-09 14:01 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2007-12-09 14:01 . 2007-12-09 14:01 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2007-12-08 18:23 . 2007-12-08 18:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-08 18:23 . 2007-12-08 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-08 17:17 . 2007-12-08 17:17 <DIR> d-------- C:\Program Files\Lavasoft
    2007-12-08 17:17 . 2007-12-08 17:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-08 17:17 . 2007-12-08 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-07 20:46 . 2007-12-07 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-07 17:19 . 2007-12-07 17:19 <DIR> d-------- C:\Program Files\Trend Micro

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-09 14:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-09 13:56 --------- d-----w C:\Program Files\TomTom HOME
    2007-12-09 13:56 --------- d-----w C:\Program Files\Symantec
    2007-12-09 13:55 --------- d-----w C:\Program Files\QuickTime
    2007-12-09 13:55 --------- d-----w C:\Program Files\PC Connectivity Solution
    2007-12-09 13:53 --------- d-----w C:\Program Files\iTunes
    2007-12-09 13:48 --------- d-----w C:\Program Files\Apoint2K
    2007-12-09 13:18 --------- d-----w C:\Documents and Settings\Bea\Application Data\Symantec
    2007-12-09 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-07 14:55 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-12-07 14:55 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-12-07 14:55 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-12-07 14:55 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-12-07 14:12 --------- d-----w C:\Program Files\DYMO Label
    2007-12-06 08:15 --------- d-----w C:\Program Files\Norton Internet Security
    2007-10-01 13:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
    2007-10-01 13:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 09:47]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2006-11-09 17:15]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 16:39]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 16:36]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 16:40]
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-17 23:34 C:\WINDOWS\RTHDCPL.exe]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 06:40]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-22 10:17]
    "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 15:31]
    "HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 12:45]
    "SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 12:45]
    "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 13:57]
    "TPSMain"="TPSMain.exe" [2005-08-11 15:14 C:\WINDOWS\system32\TPSMain.exe]
    "Zooming"="ZoomingHook.exe" [2005-06-06 08:58 C:\WINDOWS\system32\ZoomingHook.exe]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe" [2005-05-12 12:28]
    "TCtryIOHook"="TCtrlIOHook.exe" [2006-01-03 15:11 C:\WINDOWS\system32\TCtrlIOHook.exe]
    "TFncKy"="TFncKy.exe" []
    "Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 12:11]
    "NDSTray.exe"="NDSTray.exe" []
    "DDWMon"="C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 10:33]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 11:04]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41]
    "AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 16:22 C:\WINDOWS\agrsmmsg.exe]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-14 15:09]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
    "SetupType"="Portable" []
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 16:04]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-24 16:00]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 15:52]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 09:22]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 11:00]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15]

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Snelle start.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2007-08-31 16:46 1460560 –a—— C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wTask]
    C:\WINDOWS\Media\LTaskup.exe

    R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
    R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys
    R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
    R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
    R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
    R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-01-02 15:50:21 C:\WINDOWS\Tasks\Herinnering voor registratie 1.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-01-02 15:50:22 C:\WINDOWS\Tasks\Herinnering voor registratie 2.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-01-23 13:20:11 C:\WINDOWS\Tasks\Herinnering voor registratie 3.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-08-10 18:00:33 C:\WINDOWS\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - Bea.job"
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
    -> C:\DOCUME~1\Bea\LOCALS~1\Temp\motdvmqjR.dll
    .
    **************************************************************************

    catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-10 20:45:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-10 20:45:39
    C:\ComboFix2.txt … 2007-12-10 20:32
    .
    — E O F —
  • Just what I thought 8)

    Open Notepad, copy and paste the following into an empty window:

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wTask]

    Save this to your desktop as CFScript.txt

    Drag CFScript.txt onto ComboFix.exe as shown in the example below:
    http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

    This will make ComboFix restart.
    Reboot if asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    How are your problems?
    Pim
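    What Pim's script removes is a persistence point the HijackThis log in this thread does not show: the wTask entry under msconfig's startupreg key, pointing at C:\WINDOWS\Media\LTaskup.exe, alongside the DLL ComboFix found loaded into explorer.exe from the user's Temp folder. As an added example (my own code, not part of this thread and not part of ComboFix), the script below runs that kind of triage over a few ComboFix-format lines copied from the logs above: it flags autostart binaries that live in temp or cache folders or in Windows subfolders that hold no legitimate autostarts, marks entries whose file ComboFix printed an empty [] for, and builds a Registry:: stanza in the same [-key] form Pim used. The folder lists, the reading of an empty [] as "file not located", and the sample lines are this example's own assumptions.

```python
"""Triage of ComboFix-style startup entries (added example, not from the thread or from ComboFix)."""
import re
from typing import Dict, List

# Assumption: Windows subfolders in which no legitimate autostart binary should live.
ODD_WINDOWS_SUBDIRS = ("media", "fonts", "help", "prefetch", "tasks", "cursors", "temp", "web")
# Assumption: fragments that mark a user-profile temp or cache location (8.3 and long form).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\temporary internet files\\")

KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
PROCESS_LINE = re.compile(r"^PROCESS:\s+(?P<exe>\S.*?)\s+\[")
DLL_LINE = re.compile(r"^->\s+(?P<dll>\S.*?)$")
# Optional "date time size attrs" prefix (as printed under startupreg keys), then a drive path.
FILE_LINE = re.compile(r"^(?:\S+\s+\S+\s+\d+\s+\S+\s+)?(?P<path>[A-Za-z]:\\\S.*?)$")

# Constructed sample in ComboFix's format: lines taken from the logs in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 16:39]
"TFncKy"="TFncKy.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 11:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wTask]
C:\WINDOWS\Media\LTaskup.exe

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\DOCUME~1\Bea\LOCALS~1\Temp\motdvmqjR.dll
"""


def path_reasons(path: str) -> List[str]:
    """Reasons a binary path is out of place for an autostart entry (empty list if none)."""
    p = path.lower()
    reasons = []
    if any(marker in p for marker in TEMP_MARKERS):
        reasons.append("binary lives in a temp/cache directory under the user profile")
    m = re.match(r"^[a-z]:\\windows\\([^\\]+)\\", p)
    if m and m.group(1) in ODD_WINDOWS_SUBDIRS:
        reasons.append(f"binary lives in %WINDIR%\\{m.group(1)}, which holds no legitimate autostarts")
    return reasons


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk ComboFix-style lines and return the entries worth a second look.

    severity "high": the file sits somewhere an autostart binary should not be.
    severity "low":  ComboFix printed an empty [] after the value, read here (assumption)
                     as 'file not located on disk'; stale OEM entries look like this too.
    """
    findings: List[Dict[str, str]] = []
    context = ""  # registry key, or process, whose entries are currently being listed

    def add(path: str, reasons: List[str], severity: str) -> None:
        findings.append({"where": context, "path": path, "severity": severity,
                         "reasons": "; ".join(reasons)})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_LINE.match(line)):
            context = m.group("key")
        elif (m := PROCESS_LINE.match(line)):
            context = "loaded into " + m.group("exe")
        elif (m := RUN_VALUE.match(line)):
            reasons = path_reasons(m.group("value"))
            if reasons:
                add(m.group("value"), reasons, "high")
            elif not m.group("info").strip():
                add(m.group("value"), ["file not located on disk (empty [] in the log)"], "low")
        elif (m := DLL_LINE.match(line)):
            reasons = path_reasons(m.group("dll"))
            if reasons:
                add(m.group("dll"), reasons, "high")
        elif "startupreg" in context.lower() and (m := FILE_LINE.match(line)):
            reasons = path_reasons(m.group("path"))
            if reasons:
                reasons.append("entry is in msconfig's disabled-items list, which the HijackThis log above does not show")
                add(m.group("path"), reasons, "high")
    return findings


def cfscript_for(findings: List[Dict[str, str]]) -> str:
    """Registry:: stanza for CFScript.txt that deletes every startupreg key holding a
    high-severity entry, using the [-key] form shown in the thread; empty if none."""
    keys = sorted({f["where"] for f in findings
                   if f["severity"] == "high" and "\\startupreg\\" in f["where"].lower()})
    if not keys:
        return ""
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f['severity']}] {f['path']}\n    in: {f['where']}\n    {f['reasons']}")
    print(cfscript_for(hits))
```

    Treat the output as a worklist, not a verdict: the low-severity TFncKy.exe hit corresponds to the Toshiba utility that the HijackThis process list shows running from C:\Program Files\TOSHIBA\TOSHIBA Controls, so it is a bare-name entry ComboFix could not resolve rather than malware, while the two high-severity hits are the wTask entry the CFScript deletes and the DLL in Temp that ComboFix reported inside explorer.exe.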
  • Dear Pim, the logs are below. Incidentally, it didn't close after running Combofix; instead I got a message that nircmd.cfexe couldn't find a dll (sorry, I didn't note it down properly). As you can see, there is a log anyway. As far as I can tell the PC runs fine otherwise, but she isn't working on it now; she's using her desktop PC instead (it's the laptop that was infected, and as a precaution we're not using it for the time being).

    ComboFix 07-12-09.1 - Bea 2007-12-11 18:17:15.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.509 [GMT 1:00]
    Started from: C:\Documents and Settings\Bea\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Bea\Bureaublad\CFScript.txt
    * New restore point was created
    .

    (((((((((((((((((((( Files Created From 2007-11-11 to 2007-12-11 ))))))))))))))))))))))))))))))
    .

    2007-12-10 18:57 . 2007-12-10 18:57 <DIR> d-------- C:\RVAXO
    2007-12-10 18:56 . 2007-12-10 19:24 522,592 --a------ C:\WINDOWS\system32\RVAXO.bat
    2007-12-10 18:56 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
    2007-12-09 15:54 . 2007-12-09 15:54 <DIR> d-------- C:\WINDOWS\McAfee.com
    2007-12-09 14:01 . 2007-12-09 15:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-12-09 14:01 . 2007-12-09 14:01 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2007-12-09 14:01 . 2007-12-09 14:01 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2007-12-09 14:01 . 2007-12-09 14:01 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2007-12-08 18:23 . 2007-12-08 18:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-08 18:23 . 2007-12-08 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-08 17:17 . 2007-12-08 17:17 <DIR> d-------- C:\Program Files\Lavasoft
    2007-12-08 17:17 . 2007-12-08 17:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-08 17:17 . 2007-12-08 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-07 20:46 . 2007-12-07 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-07 17:19 . 2007-12-07 17:19 <DIR> d-------- C:\Program Files\Trend Micro

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-09 14:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-09 13:56 --------- d-----w C:\Program Files\TomTom HOME
    2007-12-09 13:56 --------- d-----w C:\Program Files\Symantec
    2007-12-09 13:55 --------- d-----w C:\Program Files\QuickTime
    2007-12-09 13:55 --------- d-----w C:\Program Files\PC Connectivity Solution
    2007-12-09 13:53 --------- d-----w C:\Program Files\iTunes
    2007-12-09 13:48 --------- d-----w C:\Program Files\Apoint2K
    2007-12-09 13:18 --------- d-----w C:\Documents and Settings\Bea\Application Data\Symantec
    2007-12-09 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-07 14:55 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-12-07 14:55 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-12-07 14:55 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-12-07 14:55 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-12-07 14:12 --------- d-----w C:\Program Files\DYMO Label
    2007-12-06 08:15 --------- d-----w C:\Program Files\Norton Internet Security
    2007-10-01 13:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
    2007-10-01 13:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 09:47]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2006-11-09 17:15]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 16:39]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 16:36]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 16:40]
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-17 23:34 C:\WINDOWS\RTHDCPL.exe]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 06:40]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-22 10:17]
    "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 15:31]
    "HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 12:45]
    "SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 12:45]
    "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 13:57]
    "TPSMain"="TPSMain.exe" [2005-08-11 15:14 C:\WINDOWS\system32\TPSMain.exe]
    "Zooming"="ZoomingHook.exe" [2005-06-06 08:58 C:\WINDOWS\system32\ZoomingHook.exe]
    "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe" [2005-05-12 12:28]
    "TCtryIOHook"="TCtrlIOHook.exe" [2006-01-03 15:11 C:\WINDOWS\system32\TCtrlIOHook.exe]
    "TFncKy"="TFncKy.exe" []
    "Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 12:11]
    "NDSTray.exe"="NDSTray.exe" []
    "DDWMon"="C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 10:33]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 11:04]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41]
    "AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 16:22 C:\WINDOWS\agrsmmsg.exe]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-14 15:09]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
    "SetupType"="Portable" []
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 16:04]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-24 16:00]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 15:52]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 09:22]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15]

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Snelle start.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys
    R2 tdudf;TOSHIBA UDF File System Driver;C:\WINDOWS\system32\DRIVERS\tdudf.sys
    R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
    R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
    R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
    R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-01-02 15:50:21 C:\WINDOWS\Tasks\Herinnering voor registratie 1.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-01-02 15:50:22 C:\WINDOWS\Tasks\Herinnering voor registratie 2.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-01-23 13:20:11 C:\WINDOWS\Tasks\Herinnering voor registratie 3.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-08-10 18:00:33 C:\WINDOWS\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - Bea.job"
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-11 18:18:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-11 18:19:11
    C:\ComboFix2.txt … 2007-12-10 20:45
    C:\ComboFix3.txt … 2007-12-10 20:32
    .
    --- E O F ---

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:26:09, on 11-12-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\WINDOWS\system32\ZoomingHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe
    C:\WINDOWS\system32\TCtrlIOHook.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA-zoomutility\SmoothView.exe
    O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [SetupType] Portable
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe /NoDialog
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.bestemmingsplannen.amsterdam.nl/install/mgaxctrl_65515.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5181/mcfscan.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe


    End of file - 12891 bytes


  • It looks fine again :wink:

    What you were dealing with here was a Trojan Banker, in other words a virus that collects passwords. So it is advisable to change all your passwords for websites where you are registered, and certainly for your internet banking!

    Also read through these security tips:
    http://users.telenet.be/marcvn/spyware/1564073.htm

    Pim :)
  • Dear Pim, many thanks.
    An infection like this is a strange experience; the computer suddenly looks completely different, feels different...
    Glad we can use it again!
    (and now be extra careful)
    Best regards, Jorte
  • You're welcome Jorte :wink:
  • Hi Pim,

    Since today I have been following your posts about the "essa voce precisa ver" virus.
    My sister has this virus on her PC as well, and I am now trying to remove it.

    I have already run RVAXO and ComboFix.

    Below are the logs.

    I hope you can help me further as well.

    Thanks in advance, Pascal

    —————-RVAXO.exe first run————-

    Files found:

    C:\WINDOWS\lnk_dados_2.dll
    C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\user.dat
    C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\Emails.dat
    C:\WINDOWS\Media\LTaskup.exe
    C:\start.bat

    Uninstallers Rogue scanners:


    Folders Found:

    C:\Program Files\outlook
    C:\Program Files\pedevice
    C:\Program Files\Common Files\{384F5C17-0A6A-1043-0813-03051403001f}
    C:\Program Files\Common Files\{C84F5C17-0A6A-1043-0813-03051403001f}
    C:\Program Files\Common Files\{C84F5C17-0A6B-1043-0813-03051403001f}
    —————-RVAXO.exe first run————-

    Files found:

    C:\WINDOWS\lnk_dados_2.dll
    C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\user.dat
    C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\Emails.dat
    C:\start.bat

    Uninstallers Rogue scanners:


    Folders Found:

    C:\Program Files\pedevice
    C:\Program Files\Common Files\{384F5C17-0A6A-1043-0813-03051403001f}
    C:\Program Files\Common Files\{C84F5C17-0A6A-1043-0813-03051403001f}
    C:\Program Files\Common Files\{C84F5C17-0A6B-1043-0813-03051403001f}

    Hosts-file was reset, If you use a custom hosts file please replace it…

    ————–RVAXO.exe last run—————

    Files found:

    Folders Found:

    ————–RVAXO.exe finished—————-



    ComboFix 07-12-12.3 - Schroeder 2007-12-13 22:30:22.1 - NTFSx86
    Started from: C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\Bureaublad\ComboFix.exe
    * New restore point was created
    .

    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\Application Data\DOBE~1
    C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\Application Data\ICROSO~1.NET
    C:\Program Files\Common Files\{384F5~1
    C:\Program Files\Common Files\{C84F5~1
    C:\Program Files\Common Files\{C84F5~2
    C:\Program Files\Common Files\curity~1
    C:\Program Files\Common Files\scurit~1
    C:\Program Files\Common Files\uninstall information
    C:\Program Files\Common Files\ystem~1
    C:\Program Files\mantec~1
    C:\Program Files\ppatch~1
    C:\Program Files\smante~1
    C:\Program Files\stem~1
    C:\WINDOWS\fnts~1
    C:\WINDOWS\sks~1
    C:\WINDOWS\sstem3~1
    C:\WINDOWS\stem32~1
    C:\WINDOWS\system32\racle~1
    C:\WINDOWS\system32\wnsxs~1
    C:\WINDOWS\ymante~1

    .
    (((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 ))))))))))))))))))))))))))))))
    .

    2007-12-13 22:25 . 2007-12-13 22:26 <DIR> d-------- C:\RVAXO
    2007-12-13 22:20 . 2007-12-13 20:19 532,459 --a------ C:\WINDOWS\system32\RVAXO.bat
    2007-12-13 22:20 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
    2007-12-13 22:01 . 2007-12-13 22:01 994,176 --a------ C:\WINDOWS\XOU Clock.exe
    2007-12-13 22:01 . 2007-12-13 22:01 400,512 --a------ C:\WINDOWS\XOU Clock.scr
    2007-12-13 22:01 . 2007-12-13 22:01 40,960 --a------ C:\WINDOWS\XOU Clock.dll
    2007-12-13 22:01 . 2007-12-13 22:01 18,192 --a------ C:\WINDOWS\XOU Clock.dat
    2007-12-13 11:02 . 2007-12-13 11:02 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\SurfRight
    2007-12-09 11:58 . 2007-12-09 11:58 <DIR> d-------- C:\Program Files\SurfRight
    2007-12-09 11:58 . 2007-12-09 11:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SurfRight
    2007-11-30 16:40 . 2007-11-30 16:40 16,640 --a-s---- C:\WINDOWS\system32\drivers\ctredrv.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-13 21:26 --------- d-----w C:\Program Files\Hitman Pro
    2007-12-13 10:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
    2007-12-13 10:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2007-12-09 14:27 --------- d-----w C:\Program Files\Spyware Doctor
    2007-12-09 11:16 --------- d-----w C:\Program Files\SpywareBlaster
    2007-12-07 04:46 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\SiteAdvisor
    2007-12-06 14:17 --------- d-----w C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\Application Data\SiteAdvisor
    2007-12-03 19:55 --------- d-----w C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\Application Data\LimeWire
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-26 18:35 --------- d-----w C:\Program Files\Logitech
    2007-10-26 18:35 --------- d-----w C:\Program Files\Common Files\Logitech
    2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-19 15:03 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
    2007-10-19 14:16 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
    2007-10-19 14:16 298,104 ----a-w C:\WINDOWS\system32\imon.dll
    2007-10-19 14:16 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-09-13 18:40 234,008 ----a-w C:\WINDOWS\system32\WmJoyFrc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legitimate default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33E7A132-12F8-1906-F23A-6BE33A95F3E1}]
    C:\WINDOWS\system32\ntcrdvte.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03]
    "NvMediaCenter"="RUNDLL32.exe" [2004-08-04 09:03 C:\WINDOWS\system32\rundll32.exe]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 12:12]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" []
    "Npaa"="C:\DOCUME~1\SCHROE~2\MIJNDO~1\SMBOLS~1\wuaclt.exe" []
    "Imtwotjd"="C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\Application Data\?icrosoft.NET\e?plorer.exe" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-03 19:25]
    "SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [2007-06-25 14:03]
    "Hitman Pro Expiration Helper"="C:\Program Files\Hitman Pro\xphelper.exe" [2007-01-30 13:41]
    "CaretakerNotifier"="C:\Program Files\SurfRight\Caretaker\Notifier.exe" [2007-11-30 16:41]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" []

    C:\Documents and Settings\Schroeder.THUIS-94M6UPI5I\Menu Start\Programma's\Opstarten\
    Opruimen.bat [2006-12-29 17:15:04]

    C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-10 20:02:47]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 00:20:40]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-12-28 18:53:15]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    R1 ctredrv.sys;ctredrv.sys;\??\C:\WINDOWS\system32\drivers\ctredrv.sys
    R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
    R2 CaretakerAntispam;Caretaker Antispam Service;"C:\Program Files\SurfRight\Caretaker\AntispamService.exe"
    R2 CaretakerProxy;Caretaker Proxy;"C:\Program Files\SurfRight\Caretaker\CaretakerProxy.exe"
    R2 CaretakerSvc;Caretaker Service;"C:\Program Files\SurfRight\Caretaker\CaretakerService.exe"
    R2 CaretakerUpdate;Caretaker Updater;"C:\Program Files\SurfRight\Caretaker\CaretakerUpdater.exe"
    R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
    R3 WmXlCore;Logitech Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
    S3 SNCP106;PC Camera (6009 CIF);C:\WINDOWS\system32\DRIVERS\sncp106.sys
    S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
    S3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
    S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-13 21:26:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-13 22:33:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-13 22:35:02
    .
    2007-12-13 10:56:53 --- E O F ---

  • Hi Pascal,

    RVAXO has already cleaned up the virus, but there are still a few remnants:

    Open the RVAXO folder and double-click Uninstall.cmd
    RVAXO will now remove itself.

    Go to Jotti: http://virusscan.jotti.org.
    In the 'File to upload and scan' box, paste the following:
    C:\WINDOWS\XOU Clock.exe

    Then click Submit; your file will be scanned.
    Post the result of the scan in your next message.

    Open Notepad, then copy and paste the following into an empty window:

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33E7A132-12F8-1906-F23A-6BE33A95F3E1}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Npaa"=-
    "Imtwotjd"=-

    Save this to your Desktop as CFScript.txt

    Drag CFScript.txt onto ComboFix.exe as shown in the example below:
    http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

    This will make ComboFix restart.
    Reboot if you are asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Read here how to make a HijackThis log:
    http://forum.computertotaal.nl/phpBB2/viewtopic.php?t=115358

    Pim
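    The triage Pim does by eye in the reply above (spot the Run entries with an empty `[]` timestamp, a path under the user profile, a `?` in a name such as ?icrosoft.NET, or a file name one letter off a system binary like wuaclt.exe for wuauclt.exe, then write a CFScript that deletes them) can be scripted. The following is an added example and is not code from this thread or from the RVAXO or ComboFix authors: it parses the Run-key section of a ComboFix log, scores each entry on those signals, and emits the `Registry::` block in the format Pim posted. The sample log is constructed from the entries in Pascal's log, and the scoring weights and threshold are my own assumptions, not anything ComboFix itself does.

```python
import re

# Constructed sample, modelled on the "Reg Loading Points" section of the
# ComboFix log posted in this thread (not a real capture): two clean entries,
# one with a single weak signal (LDM) and the two entries Pim's CFScript removes.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 12:12]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" []
"Npaa"="C:\DOCUME~1\SCHROE~2\MIJNDO~1\SMBOLS~1\wuaclt.exe" []
"Imtwotjd"="C:\Documents and Settings\Schroeder\Application Data\?icrosoft.NET\e?plorer.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-03 19:25]
"""

# Windows binaries that droppers imitate by dropping or swapping one letter
# (the log above has wuaclt.exe for wuauclt.exe and e?plorer.exe for explorer.exe).
SYSTEM_NAMES = {"wuauclt.exe", "explorer.exe", "svchost.exe", "ctfmon.exe",
                "lsass.exe", "winlogon.exe", "services.exe", "rundll32.exe"}
# Path fragments that mean "writable by the logged-on user" (assumed list).
USER_WRITABLE = ("documents and settings", "docume~1", "application data", "appdata", "\\users\\")

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so the plain table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_entry(path, stamp):
    """Return (score, reasons) for one autorun value; the weights are assumptions."""
    reasons = []
    low = path.lower()
    base = low.replace("/", "\\").rsplit("\\", 1)[-1]
    if stamp.strip() == "":
        reasons.append((1, "no file timestamp: target missing, hidden or unreadable"))
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append((1, "runs from a user-writable profile directory"))
    if "?" in path:
        reasons.append((2, "path contains characters the tool could not render (look-alike name)"))
    if base not in SYSTEM_NAMES and any(edit_distance(base, n) == 1 for n in SYSTEM_NAMES):
        reasons.append((2, "file name is one edit away from a Windows system binary"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def flag_autoruns(log_text):
    """Parse the Run-key section of a ComboFix log and score every value found."""
    key, results = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            score, reasons = score_entry(m["path"], m["stamp"])
            results.append({"key": key, "name": m["name"], "path": m["path"],
                            "score": score, "reasons": reasons})
    return results


def cfscript_for(entries, threshold=2):
    """Emit a CFScript 'Registry::' block deleting the flagged values
    ("Name"=- removes a value, the same syntax as the script Pim posted)."""
    by_key = {}
    for e in entries:
        if e["score"] >= threshold:
            by_key.setdefault(e["key"], []).append(e["name"])
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = flag_autoruns(SAMPLE_LOG)
    for e in found:
        if e["score"]:
            print(f'{e["score"]}  {e["name"]:10} {e["path"]}')
            for r in e["reasons"]:
                print("     -", r)
    print(cfscript_for(found))
```

    Run against the sample, only Npaa and Imtwotjd clear the threshold, which is exactly the pair Pim's CFScript deletes; LDM, with nothing but a missing timestamp, is reported but not removed. Review the printed reasons before feeding the script to ComboFix: the heuristics are a starting point for a human, not a substitute for checking the file on Jotti as Pim asks.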
  • Pim,

    I have read with interest your solutions above regarding the virus "essa …".

    Could you help me as well?

    RVAXO gives:
    —————-RVAXO.exe first run————-

    Files found:

    C:\WINDOWS\tasks\A54FC14691847C26.job
    C:\WINDOWS\lnk_dados_2.dll
    C:\Documents and Settings\Ton van Doorn\user.dat
    C:\Documents and Settings\Ton van Doorn\Emails.dat
    C:\WINDOWS\Media\LTaskup.exe

    Uninstallers Rogue scanners:


    Folders Found:


    Hosts-file was reset, If you use a custom hosts file please replace it…

    ————–RVAXO.exe last run—————

    Files found:

    Folders Found:

    ————–RVAXO.exe finished—————-

    ComboFix gives:

    ComboFix 07-12-21.4 - Ton van Doorn 2007-12-21 14:49:31.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.196 [GMT 1:00]
    Started from: C:\Documents and Settings\Ton van Doorn\Bureaublad\ComboFix.exe
    * New restore point was created
    .

    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Ton van Doorn\Application Data\inst.exe

    .
    (((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 ))))))))))))))))))))))))))))))
    .

    2007-12-21 14:42 . 2007-12-21 14:42 <DIR> d-------- C:\RVAXO
    2007-12-21 14:40 . 2007-12-21 12:51 555,344 --a------ C:\WINDOWS\system32\RVAXO.bat
    2007-12-21 14:40 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
    2007-12-21 13:55 . 2007-12-21 13:55 <DIR> d-------- C:\Documents and Settings\Ton van Doorn\Application Data\K9
    2007-12-21 10:24 . 2007-12-21 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
    2007-12-21 10:03 . 2007-12-21 10:03 <DIR> d-------- C:\Documents and Settings\Ton van Doorn\Application Data\Symantec
    2007-12-19 23:09 . 2007-12-19 23:29 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2007-12-19 23:05 . 2007-12-19 23:26 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-12-19 23:05 . 2007-12-19 23:26 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-12-19 23:05 . 2007-12-19 23:26 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-12-19 23:05 . 2007-12-19 23:26 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-12-19 23:04 . 2007-12-19 23:26 <DIR> d-------- C:\Program Files\Symantec
    2007-12-19 19:57 . 2007-01-12 23:50 215,144 --a------ C:\WINDOWS\patchw32.dll
    2007-12-19 19:56 . 2007-01-12 23:50 215,144 --a------ C:\WINDOWS\pw32a.dll
    2007-12-19 19:30 . 2007-12-21 13:56 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-12-19 19:30 . 2007-12-19 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
    2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
    2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
    2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
    2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
    2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
    2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
    2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
    2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
    2007-11-23 21:24 . 2007-11-23 21:35 <DIR> d-------- C:\Documents and Settings\Ton van Doorn\Application Data\ICAClient
    2007-11-23 21:21 . 2007-11-23 21:21 <DIR> d-------- C:\Program Files\Citrix

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-19 21:05 --------- d-----w C:\Program Files\Google
    2007-12-19 20:40 --------- d-----w C:\Program Files\Hema Album Software Advanced
    2007-12-19 20:29 --------- d-----w C:\Program Files\Windows Live Toolbar
    2007-12-19 20:26 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-12-19 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-12-11 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2007-11-11 13:52 --------- d-----w C:\Program Files\directx
    2007-10-30 18:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
    2007-10-30 18:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
    2007-10-30 18:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
    2007-10-30 18:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
    2007-10-30 18:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
    2007-10-30 18:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
    2007-10-30 18:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
    2007-10-30 18:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
    2007-10-30 18:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
    2007-10-30 18:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
    2007-10-30 18:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
    2007-10-26 17:20 --------- d-----w C:\Program Files\Bonjour
    2007-10-26 16:52 --------- d-----w C:\Program Files\Java
    2007-10-26 16:50 47,360 ----a-w C:\Documents and Settings\Ton van Doorn\Application Data\pcouffin.sys
    2007-10-26 16:50 --------- d-----w C:\Documents and Settings\Ton van Doorn\Application Data\Vso
    .

    ((((((((((((((((((((((((((((((((((((( Reg Autostart Entries )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legitimate default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 19:51]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:03 C:\WINDOWS\system32\rundll32.exe]
    "nwiz"="nwiz.exe" [2006-08-11 20:43 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:03 C:\WINDOWS\system32\rundll32.exe]
    "GSICONEXE"="gsicon.exe" [2003-09-07 23:11 C:\WINDOWS\system32\gsicon.exe]
    "DSLAGENTEXE"="dslagent.exe" [2003-09-07 23:11 C:\WINDOWS\system32\dslagent.exe]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-03 19:49]
    "RemoteControl"="d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
    "LanguageShortcut"="d:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-27 23:38]
    "osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 17:22]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:03]

    R2 BCMNTIO;BCMNTIO;D:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
    R2 MAPMEM;MAPMEM;D:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
    R3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2006-10-10 05:17]
    R3 wanusb;HM121dp USB ADSL WAN Modem;C:\WINDOWS\system32\DRIVERS\gwausb.sys [2003-09-07 23:11]
    S3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\system32\Drivers\Icam5USB.sys [2001-08-17 21:06]
    S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-11-03 18:43]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-21 13:09:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    "2007-12-19 22:18:27 C:\WINDOWS\Tasks\Norton AntiVirus - Volledige systeemscan - Ton van Doorn.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
    "2007-12-19 22:13:58 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
    - D:\Program Files\Norton SystemWorks\OBC.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-21 14:51:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-21 14:52:16


    Many thanks in advance
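A small triage helper for logs in the format posted above, added here as an example; it is not part of the thread and not ComboFix's own code. It parses the 'Files Created' block and the Run-key block and flags executables that were created in, or are launched from, user-writable profile locations such as Application Data (the location the deleted inst.exe sat in). The embedded sample log is constructed to mirror the posted format; the 'updater' Run entry and the inst.exe timestamps in it are hypothetical.

```python
"""Triage helper for ComboFix-style logs: parse the 'Files Created' block and the
registry Run-key block, then flag executables that live in, or are started from,
user-writable profile locations. Added example; not part of the thread or of ComboFix."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the format of the log posted above. The 'updater' Run
# entry and the inst.exe timestamps are hypothetical; the inst.exe path itself
# appears in the thread.
SAMPLE_LOG = r"""
(((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 ))))))))))))))))))))))))))))))
.

2007-12-21 14:40 . 2007-12-21 12:51 555,344 --a------ C:\WINDOWS\system32\RVAXO.bat
2007-12-21 14:40 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
2007-12-21 13:55 . 2007-12-21 13:55 <DIR> d-------- C:\Documents and Settings\Ton van Doorn\Application Data\K9
2007-12-19 23:05 . 2007-12-19 23:26 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-10 09:00 . 2007-12-10 09:00 48,128 --a------ C:\Documents and Settings\Ton van Doorn\Application Data\inst.exe

((((((((((((((((((((((((((((((((((((( Reg Autostart Entries )))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
"updater"="C:\Documents and Settings\Ton van Doorn\Application Data\inst.exe" [2007-12-10 09:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:03 C:\WINDOWS\system32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-27 23:38]
"""

# One 'Files Created' line: created-time . modified-time size attributes path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-A-Za-z]{9}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)" \[(?P<stamp>[^\]]*)\]$')

# Heuristic: locations an ordinary XP user (and so a dropper run from a clicked
# link in a mail) can write to without administrator rights.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr", ".pif", ".com")


@dataclass
class FileEntry:
    created: str   # when the file appeared on this disk
    modified: str  # the file's own last-write time (older than created for copied files)
    size: str      # byte count with thousands separators, or '<DIR>'
    attrs: str
    path: str


@dataclass
class RunEntry:
    key: str     # registry key the value sits under
    name: str
    target: str  # executable actually launched
    stamp: str


def parse_file_entries(log_text: str) -> List[FileEntry]:
    """Collect every line of the 'Files Created' block as a FileEntry."""
    return [FileEntry(**m.groupdict())
            for m in (FILE_RE.match(raw.strip()) for raw in log_text.splitlines()) if m]


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Collect the values under each ...\\CurrentVersion\\Run key."""
    entries, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current_key = k.group("key")
            continue
        m = RUN_RE.match(line)
        if m and current_key and current_key.lower().endswith("\\run"):
            value, stamp = m.group("value"), m.group("stamp")
            # ComboFix prints bare names such as RUNDLL32.exe and puts the
            # resolved path after the timestamp inside the brackets; prefer it.
            parts = stamp.split(" ", 2)
            target = parts[2] if "\\" not in value and len(parts) == 3 else value
            entries.append(RunEntry(current_key, m.group("name"), target, stamp))
    return entries


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXEC_EXT)


def triage(log_text: str) -> List[str]:
    """Paths worth a closer look: executables created in a user-writable
    location, and anything a Run key launches from one."""
    flagged = set()
    for f in parse_file_entries(log_text):
        if f.size != "<DIR>" and is_executable(f.path) and is_user_writable(f.path):
            flagged.add(f.path)
    for r in parse_run_entries(log_text):
        if is_user_writable(r.target):
            flagged.add(r.target)
    return sorted(flagged)


if __name__ == "__main__":
    for path in triage(SAMPLE_LOG):
        print("REVIEW:", path)
```

Run against the real log, this prints the inst.exe path once: it is both a freshly created executable under Application Data and the target of a Run value, while system32 and Program Files entries pass because only an administrator can write there. The heuristic is a first pass for a helper reading a posted log, not a verdict; every flagged file still needs a hash lookup or a scan.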
  • Hi tonlab,

    That infection appears to have been completely removed by RVAXO.
    You can therefore double-click RVAXO uninstall.cmd in the RVAXO folder on your desktop.

    You may still have remnants of a LOP infection on your system.
    Try this:
    Download this file: Deljob.exe (mirror)
    Place it on your desktop.
    If your virus scanner blocks the download of deljob.exe,
    temporarily disable your virus scanner or download the zip version
    deljob.zip and extract it to your Desktop.
    Double-click Deljob.exe.
    A log (logit.txt) will open; you can also find the file on your desktop.
    Post the contents of logit.txt in your next reply.
  • Smeenk,

    Deljob.exe gives the following log:

    ——————————————————–
    No LOP job-files found
    ——————————————————–
    Files in Windows Tasks folder

    Check Updates for Windows Live Toolbar.job
    Norton AntiVirus - Volledige systeemscan - Ton van Doorn.job
    Norton SystemWorks One Button Checkup.job
    ——————————————————–
    Export App Data folders

    Volume in drive C has no label.
    Volume Serial Number is 94AE-E02C

    Directory of C:\Documents and Settings\Ton van Doorn\Application Data

    21-12-2007 14:51 <DIR> .
    21-12-2007 14:51 <DIR> ..
    12-12-2006 20:29 <DIR> Ahead
    12-11-2006 09:12 <DIR> CYBERL~1 CyberLink
    27-01-2007 13:32 <DIR> DivX
    04-04-2007 21:00 <DIR> EPSON
    17-11-2006 19:33 <DIR> Help
    23-11-2007 21:35 <DIR> ICACLI~1 ICAClient
    24-10-2006 14:09 <DIR> IDENTI~1 Identities
    21-12-2007 13:55 <DIR> K9
    29-04-2007 14:28 <DIR> MACROM~1 Macromedia
    19-05-2007 18:00 <DIR> MICROS~1 Microsoft
    28-10-2006 20:25 <DIR> MSN6
    08-11-2006 20:51 <DIR> Shareaza
    10-01-2007 21:25 <DIR> Sun
    21-12-2007 10:03 <DIR> Symantec
    26-10-2007 17:50 <DIR> Vso
    0 File(s) 0 bytes
    17 Dir(s) 4.654.788.608 bytes free
    Volume in drive C has no label.
    Volume Serial Number is 94AE-E02C

    Directory of C:\Documents and Settings\All Users\Application Data

    21-12-2007 10:24 <DIR> .
    21-12-2007 10:24 <DIR> ..
    12-11-2006 09:10 <DIR> CYBERL~1 CyberLink
    11-12-2007 21:33 <DIR> DVDSHR~1 DVD Shrink
    19-12-2007 21:40 <DIR> Google
    19-12-2007 18:55 <DIR> Grisoft
    21-11-2006 10:24 <DIR> Kodak
    16-12-2006 21:41 <DIR> MICROS~1 Microsoft
    28-10-2006 20:22 <DIR> MSN6
    17-01-2007 13:29 <DIR> NVIDIA
    21-12-2007 10:24 <DIR> pdf995
    03-11-2006 19:49 <DIR> QUICKT~1 QuickTime
    19-12-2007 23:25 <DIR> Symantec
    02-12-2006 16:48 <DIR> UDL
    15-09-2007 20:53 <DIR> vsosdk
    27-01-2007 14:03 <DIR> WINDOW~2 Windows Genuine Advantage
    01-11-2006 11:03 <DIR> WINDOW~1 Windows Live Toolbar
    0 File(s) 0 bytes
    17 Dir(s) 4.654.788.608 bytes free
    Volume in drive C has no label.
    Volume Serial Number is 94AE-E02C

    Directory of C:\WINDOWS

    ——————————————————–

    Thanks again in advance; what would we do without you "old hands"

This is an archived page. Replying is no longer possible.