Questions & Answers
Constantly recurring Trojan Horse
28 replies
- Then it's already gone :wink:
- For a while now I have been getting a warning almost every day about a Trojan Horse that has been found, but even when I remove it or put it in quarantine with AVG it keeps coming back, sometimes in a different form too (e.g. UE instead of QU). When I try to open the folder in question I get a message that I don't have access to it. Anyone have an idea how I get rid of it?
[b]Details:[/b]
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP1010\A0153876.exe
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS @EID_Id_trj
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS BackDoor.Bifrose.QU
2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP1010\A0153876.exe
2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS @EID_Id_trj
2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS BackDoor.Bifrose.QU
[b]HijackThis logfile[/b]
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:17:18, on 2-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Eigenaar\Mijn documenten\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Helperobject voor Encarta Winkler Prins Webassistent - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Encarta Winkler Prins Webassistent - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120179775847
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138299821260
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8194 bytes

- No idea how it happened, but this one is a duplicate.
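The following is an added example (editor's code, not from any post in this thread) that applies two path checks to the lines posted above. The AVG lines flag a file under C:\System Volume Information\_restore{...}\RP1010\, i.e. inside a System Restore snapshot: that directory is ACL'd to SYSTEM, which is why the folder cannot be opened, why the scanner can report the file but not quarantine it, and why the same alert returns on every scan. The second check looks at process and file paths for a core Windows binary name outside its fixed directory (services.exe outside system32, explorer.exe outside the Windows directory); that is the pattern behind the C:\WINDOWS\system32\drivers\services.exe deletion and the C:\WINDOWS\system32\explorer.exe Active Setup entry that show up in the ComboFix log further down this thread. The sample lines are constructed from the thread's own logs; the expected-directory table assumes a default C:\WINDOWS installation.

```python
r"""
Added example (not from the thread): classify anti-virus / ComboFix findings by path.

Check 1 - restore-point copies: a detection under
  <drive>:\System Volume Information\_restore{GUID}\RPnnnn\
is a System Restore snapshot. The directory is ACL'd to SYSTEM, so the scanner
can read and report the file but not quarantine it, and the alert comes back on
every scan until the restore points are purged (turn System Restore off and on
again once the live system is clean). The A0nnnnnn.exe name is System
Restore's own renaming, not the original file name.

Check 2 - masquerading system binaries: a core Windows file name that appears
outside its fixed directory (services.exe outside system32, explorer.exe
outside the Windows directory) is a copy that wants to look legitimate.

Sample inputs below are constructed from the AVG and ComboFix lines in this
thread. EXPECTED_DIR is an assumption: a default C:\WINDOWS installation.
"""
import re
from collections import Counter

# One AVG 7 resident-shield report line, in the format pasted in the question.
AVG_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+Virus\s+@HL_ReportFindRS\s+(?P<what>.+)$"
)
# Path inside an XP System Restore snapshot (matched against a lower-cased path).
RESTORE_POINT = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]{36}\}\\rp\d+\\"
)
# Directory the genuine copy lives in (lower-case; assumption: %SystemRoot% = C:\WINDOWS).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def classify_path(path):
    """Return a one-line verdict for a single file path."""
    norm = path.strip().lower()
    if RESTORE_POINT.match(norm):
        return "restore-point copy: cannot be quarantined; purge restore points after cleanup"
    parent, _, name = norm.rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    if expected is not None and parent != expected:
        return f"masquerading system binary: {name} belongs in {expected}"
    return "no path-based concern"


def parse_avg_detections(log):
    """Group AVG report lines by timestamp: one detection spans three lines
    (path, @EID id, malware family) that share the same timestamp."""
    by_ts = {}
    for line in log.splitlines():
        m = AVG_LINE.match(line)
        if not m:
            continue
        rec = by_ts.setdefault(m.group("ts"), {"ts": m.group("ts"), "path": None, "family": None})
        what = m.group("what").strip()
        if re.match(r"^[a-z]:\\", what, re.IGNORECASE):
            rec["path"] = what
        elif not what.startswith("@EID_"):
            rec["family"] = what
    out = []
    for rec in by_ts.values():
        if rec["path"]:
            rec["verdict"] = classify_path(rec["path"])
            out.append(rec)
    return out


def recurrence(detections):
    """Count how often each (path, family) pair was reported: the same pair on
    every scan is the 'keeps coming back' pattern from the question."""
    return Counter((d["path"], d["family"]) for d in detections)


def suspicious_paths(paths):
    """Return (path, verdict) for every path that raises a concern."""
    flagged = []
    for p in paths:
        verdict = classify_path(p)
        if verdict != "no path-based concern":
            flagged.append((p, verdict))
    return flagged


# Constructed sample: the two AVG reports from the question.
AVG_SAMPLE = """\
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS C:\\System Volume Information\\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\\RP1010\\A0153876.exe
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS @EID_Id_trj
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS BackDoor.Bifrose.QU
2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS C:\\System Volume Information\\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\\RP1010\\A0153876.exe
2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS @EID_Id_trj
2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS BackDoor.Bifrose.QU
"""

# Constructed sample: genuine process paths from the HijackThis log plus the two
# copies the ComboFix log later deletes/lists (drivers\services.exe, system32\explorer.exe).
PATH_SAMPLE = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\drivers\services.exe",
    r"C:\WINDOWS\system32\explorer.exe",
]

if __name__ == "__main__":
    dets = parse_avg_detections(AVG_SAMPLE)
    for d in dets:
        print(f"{d['ts']} {d['family']} {d['path']}\n   -> {d['verdict']}")
    print("recurrence:", dict(recurrence(dets)))
    for path, verdict in suspicious_paths(PATH_SAMPLE):
        print(f"{path}\n   -> {verdict}")
```

Run as-is it prints both verdicts. The restore-point verdict is the answer to the question as asked: clean the live system first, then turn System Restore off and back on (System Properties, System Restore tab on XP), which discards every restore point including the infected RP1010 snapshot; do that last, because it throws away the clean points as well.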
- [quote="Stefan NL"]No idea how it happened, but this one is a duplicate.[/quote]
Not any more… :wink:

- You are using an outdated version of HijackThis; download this version and use this version from now on:
http://nucia.nl/forum/showthread.php?t=28820
Download [b]Combofix[/b] to your [b]desktop[/b]
If you have used Combofix before, please delete that version and download Combofix again via the link above, because Combofix is updated daily.
NOTE: if you get a warning from your antivirus or another real-time scanner while or after downloading Combofix, or while using Combofix, disable that scanner and [b]download Combofix again[/b]. Some scanners see certain components that Combofix uses as suspicious and will block or delete them!
Double-click [u]combofix.exe[/u]
Choose "Continue" by typing [b]1[/b] followed by [b]ENTER[/b].
While the fix is running, do [b]NOT[/b] click in the window, because that will make your PC hang.
When the fix is complete and after the restart, the log [b]combofix.txt[/b] will open.
[i]In your next reply, post the Combofix log (combofix.txt) together with a fresh HijackThis log.[/i]
Good luck!
Pim

- [b]HijackThis logfile:[/b]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13:34, on 2-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Helperobject voor Encarta Winkler Prins Webassistent - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Encarta Winkler Prins Webassistent - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120179775847
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138299821260
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7968 bytes
[b]Combofix log:[/b]
ComboFix 07-12-31.4 - HP_Eigenaar 2008-01-02 13:18:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1291 [GMT 1:00]
Running from: C:\Documents and Settings\HP_Eigenaar\Mijn documenten\combofix.exe
* Created a new restore point
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\setup.exe.tmp
D:\Autorun.inf
.
(((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 ))))))))))))))))))))))))))))))
.
2008-01-02 13:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 13:13 . 2008-01-02 13:13 <DIR> d-------- C:\Program Files\Trend Micro
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 00:49 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
2007-12-17 23:38 --------- d-----w C:\Program Files\Total Video Converter
2007-12-17 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-12 21:35 --------- d-----w C:\Program Files\SpeedFan
2007-12-12 19:09 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\uTorrent
2007-12-10 01:33 --------- d-----w C:\Program Files\Common Files\Real
2007-12-10 01:16 14,461,471 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-05 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 19:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 15:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:27 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:44 8,507,392 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-10 23:54 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:53 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:53 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:53 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:53 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:53 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:53 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:53 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:53 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:53 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:53 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:53 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:53 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:53 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:53 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:53 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:53 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:53 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:53 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:53 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:53 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 11:02 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 11:02 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-04-07 23:13 20,981,755 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_05_18_17_22_full.dmp.zip
2006-11-17 02:06 131 ----a-w C:\Documents and Settings\HP_Eigenaar\ecdelete.bat
2005-05-24 16:41 123,472 ----a-w C:\Documents and Settings\HP_Eigenaar\Application Data\GDIPFONTCACHEV1.DAT
2005-05-18 19:55 0 ----a-w C:\Documents and Settings\HP_Eigenaar\Application Data\wklnhst.dat
2005-07-15 20:28 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 22:17 90112]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 04:10 344064]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:40 579072]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 17:48 94208 C:\WINDOWS\KHALMNPR.Exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 21:40 219136]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 21 (0x15)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Eigenaar^Menu Start^Programma's^Opstarten^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Eigenaar\Menu Start\Programma's\Opstarten\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-07 19:53 49152 --a------ c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 22:54 253952 --a------ c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
C:\Program Files\Windows Media Connect 2\WMCCFG.exe /StartQuiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINREMOTE]
2004-11-05 08:44 192512 --a------ C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-02 22:53 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-10-27 21:40]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-10-24 16:35]
S3 ICAM8USB;Intel(r) PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 11:23]
S3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 19:54]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABCD0CA4-D50B-A200-D031-D0B72D400330}]
C:\WINDOWS\system32\explorer.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 16:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-12-30 18:19:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-07-23 17:19:02 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 13:21:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-02 13:22:20
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 12:22:08
C:\qoobox\ComboFix2.txt 2006-11-09 18:39:09
.
2007-12-12 21:04:46 --- E O F ---

- Open Notepad, copy and paste the following (the text in bold) into an empty window:
[b]
File::
C:\WINDOWS\system32\explorer.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[/b]
Save this on your desktop as [b]CFScript.txt[/b]
Drag [b]CFScript.txt[/b] onto [b]ComboFix.exe[/b] as shown in the example below:
[img]http://img.photobucket.com/albums/v666/sUBs/CFScript.gif[/img]
This will make [b]ComboFix[/b] restart.
Reboot when prompted,
and post the contents of [b]Combofix.txt[/b] in your next reply together with a new HijackThis log.

- [b]HijackThis logfile:[/b]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:23:32, on 2-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Helperobject voor Encarta Winkler Prins Webassistent - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Encarta Winkler Prins Webassistent - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120179775847
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138299821260
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7892 bytes
[b]Combofix log:[/b]
ComboFix 07-12-31.4 - HP_Eigenaar 2008-01-02 18:19:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1366 [GMT 1:00]
Running from: C:\Documents and Settings\HP_Eigenaar\Mijn documenten\combofix.exe
Command switches used :: C:\Documents and Settings\HP_Eigenaar\Mijn documenten\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\explorer.exe
.
(((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 ))))))))))))))))))))))))))))))
.
2008-01-02 13:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 13:13 . 2008-01-02 13:13 <DIR> d-------- C:\Program Files\Trend Micro
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 00:49 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
2007-12-17 23:38 --------- d-----w C:\Program Files\Total Video Converter
2007-12-17 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-12 21:35 --------- d-----w C:\Program Files\SpeedFan
2007-12-12 19:09 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\uTorrent
2007-12-10 01:33 --------- d-----w C:\Program Files\Common Files\Real
2007-12-10 01:16 14,461,471 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-05 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 19:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 15:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:27 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:44 8,507,392 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-10 23:54 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:53 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:53 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:53 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:53 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:53 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:53 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:53 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:53 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:53 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:53 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:53 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:53 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:53 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:53 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:53 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:53 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:53 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:53 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:53 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:53 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 11:02 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 11:02 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-04-07 23:13 20,981,755 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_05_18_17_22_full.dmp.zip
2006-11-17 02:06 131 ----a-w C:\Documents and Settings\HP_Eigenaar\ecdelete.bat
2005-05-24 16:41 123,472 ----a-w C:\Documents and Settings\HP_Eigenaar\Application Data\GDIPFONTCACHEV1.DAT
2005-05-18 19:55 0 ----a-w C:\Documents and Settings\HP_Eigenaar\Application Data\wklnhst.dat
2005-07-15 20:28 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-02_13.21.48,26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-01 16:23:07 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-01-02 14:51:34 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 22:17 90112]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 04:10 344064]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:40 579072]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 17:48 94208 C:\WINDOWS\KHALMNPR.Exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 21:40 219136]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 21 (0x15)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Eigenaar^Menu Start^Programma's^Opstarten^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Eigenaar\Menu Start\Programma's\Opstarten\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-07 19:53 49152 --a------ c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 22:54 253952 --a------ c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
C:\Program Files\Windows Media Connect 2\WMCCFG.exe /StartQuiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINREMOTE]
2004-11-05 08:44 192512 --a------ C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-02 22:53 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-10-27 21:40]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-10-24 16:35]
S3 ICAM8USB;Intel(r) PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 11:23]
S3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 19:54]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABCD0CA4-D50B-A200-D031-D0B72D400330}]
C:\WINDOWS\system32\explorer.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 18:20:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-02 18:21:30
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 17:21:22
C:\qoobox\ComboFix2.txt 2008-01-02 12:22:22
C:\qoobox\ComboFix3.txt 2006-11-09 18:39:09
.
2007-12-12 21:04:46 --- E O F ---
What exactly has happened and changed, if I may ask?

- [quote]
What exactly has happened and changed, if I may ask?
[/quote]
You were dealing with a few trojan horses that were not visible in HijackThis at first glance.
Since you said you were having problems anyway, I looked deeper with Combofix, which removed a number of them;
after that a few more were removed by means of a script, but it is still not completely gone!
Download SDFix to your [b]Desktop[/b].
Double-click to open it, select all files and extract them to their own folder named [u]SDFix[/u].
Boot your computer into Safe Mode.
Open the SDfix folder and double-click [b]runthis.bat[/b] to start the tool.
Let the computer reboot when asked.
SDfix carries on and opens a report when it is done!
Post this report in your next reply.
Good luck!
Pim

- OK, thanks. But which values in those logs are the Trojans/malicious files then?
By the way, I did notice that a number of personal preferences changed after that last Combofix run, including the screensaver. Anyway, I'll do it tomorrow at my leisure. Nothing can go wrong now, can it, e.g. my system crashing or no longer booting because something gets deleted along with those Trojans/malicious files?

- There was something in System Restore that was causing trouble, but that has now been removed.
You can now remove the tools that were used.
Also delete this folder: C:\[b]SDfix[/b]
Then we can close this, I think.
Pim

- First, Combofix removed these files; they were malicious, just google them :wink:
[b]C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\setup.exe.tmp
D:\Autorun.inf[/b]
Afterwards this one remained, as can be seen in the log file:
[b]C:\WINDOWS\system32\explorer.exe[/b]
This is not the usual Windows explorer.exe, because that one lives in the C:\Windows\ folder. This is malware that uses Windows file names so that helpers quickly overlook it. I wanted to have this one removed as well, but that did not succeed, because it is still visible in the last log.
I'm using SDfix because it checks for other versions of explorer.exe (malware) and removes them. So that should clean up the last infection :wink:
Pim

- [b]SDFix Report:[/b]
SDFix: Version 1.122
Run by HP_Eigenaar on Thu 03-01-2008 at 20:34
Microsoft Windows XP [version 5.1.2600]
Running From: C:\DOCUME~1\HP_EIG~1\BUREAU~1\SDFix\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting…
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files…
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 20:55:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive …
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d3073be]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b0d3073be]
scanning hidden registry entries …
scanning hidden files …
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Files with Hidden Attributes:
Wed 4 May 2005 213 A.SHR --- "C:\BOOT.BAK"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri 15 Jul 2005 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Fri 6 May 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 17 Nov 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 24 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\20cc0088cd851a680d48cd7c937fca62\BIT4.tmp"
Wed 6 Jun 2007 0 ...H. --- "C:\Documents and Settings\HP_Eigenaar\Application Data\Microsoft\Word\~WRL0005.tmp"
Finished!

- Today I've already had the AVG warning about the trojan 7 times. Each time it is gone for a moment and then it comes back from the System Volume Information folder, which is not accessible. How on earth do I get rid of it, and I actually wonder what damage this trojan does, or perhaps none, since it gets removed as soon as it becomes active.
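The recurring AVG alerts in the post above, together with Pim's earlier point that C:\WINDOWS\system32\explorer.exe is not the real Explorer and the Active Setup "Installed Components" key the ComboFix log lists for it, are exactly the things a helper checks by eye in these logs. The script below is an added example, not a tool from this thread nor part of AVG, HijackThis, ComboFix or SDFix. It assumes a stock XP layout with %SystemRoot% = C:\WINDOWS; the CANONICAL_DIRS table and the Finding/triage names are the example's own, and the sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Canonical home of a few binaries whose names malware likes to borrow.
# Assumption: stock XP layout with %SystemRoot% = C:\WINDOWS.
CANONICAL_DIRS = {
    "explorer.exe": r"c:\windows",
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

# A drive-letter path ending in .exe; spaces are allowed because "Program Files" paths contain them.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n\[\]]*?\.exe', re.IGNORECASE)
# ComboFix prints an Active Setup key on one line and its StubPath target on the next line.
ACTIVE_SETUP_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\"
    r"(\{[0-9A-F-]+\})\]$",
    re.IGNORECASE,
)
# System Restore snapshots live here; AV keeps rediscovering them until the points are purged.
RESTORE_COPY = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.IGNORECASE)

# Constructed sample: lines copied from the AVG, HijackThis and ComboFix output in this thread.
SAMPLE_LINES = r"""
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP1010\A0153876.exe
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS BackDoor.Bifrose.QU
C:\WINDOWS\system32\services.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABCD0CA4-D50B-A200-D031-D0B72D400330}]
C:\WINDOWS\system32\explorer.exe
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    kind: str      # "masquerade", "active-setup" or "restore-point"
    path: str
    detail: str


def check_masquerade(path: str) -> Optional[Finding]:
    """Flag a well-known Windows binary name living outside its canonical directory."""
    directory, _, name = path.lower().rpartition("\\")
    expected = CANONICAL_DIRS.get(name)
    if expected is None or directory == expected:
        return None
    return Finding("masquerade", path, f"{name} belongs in {expected}, found in {directory}")


def triage(lines) -> List[Finding]:
    """Run the three checks over log lines; findings come back in log order, without duplicates."""
    findings: List[Finding] = []
    seen = set()
    pending_key = None  # GUID of an Active Setup key whose StubPath is expected on the next line

    def add(finding: Optional[Finding]) -> None:
        if finding and (finding.kind, finding.path.lower()) not in seen:
            seen.add((finding.kind, finding.path.lower()))
            findings.append(finding)

    for raw in lines:
        line = raw.strip()
        key = ACTIVE_SETUP_KEY.match(line)
        if key:
            pending_key = key.group(1)
            continue
        paths = EXE_PATH.findall(line)
        if pending_key and paths:
            # Anything under Installed Components runs once per user at logon: classic persistence.
            add(Finding("active-setup", paths[0],
                        f"StubPath of Installed Components {pending_key}; runs at logon"))
        pending_key = None
        for path in paths:
            if RESTORE_COPY.search(path):
                add(Finding("restore-point", path,
                            "System Restore copy; not executed, gone once restore points are purged"))
            else:
                add(check_masquerade(path))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:14} {f.path}")
        print(f"{'':14} {f.detail}")


if __name__ == "__main__":
    main()
```

Run as is it reports four findings from the sample: the restore-point copy AVG keeps alerting on, the drivers\services.exe ComboFix removed, and system32\explorer.exe twice (once as the Active Setup StubPath, once as a misplaced Windows binary name). For a real log, pass `open(path).read().splitlines()` to `triage`. The restore-point check only explains why the alert keeps returning: files under _restore{...} are never executed from there, and they vanish once System Restore is switched off and on again to purge the points, which is the step Pim says is for later.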
- The trojan AVG finds is in your System Restore; that is a concern for later.
At the moment I'm consulting with other helpers about how I'm going to tackle it; a moment of patience please.

- Is anything known yet, and is there more going on besides the System Restore problem? My feeling is that the system runs fine without malicious junk in the background. But of course I don't know much about it! :lol:

- With thanks to Juisterr
Open Notepad, copy and paste the following (the bold text) into an empty window:
[b]
File::
C:\WINDOWS\system32\explorer.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABCD0CA4-D50B-A200-D031-D0B72D400330}]
[/b]
Save this to your Desktop as [b]CFScript.txt[/b]
Drag [b]CFScript.txt[/b] onto [b]ComboFix.exe[/b] as shown in the example below:
[img]http://img.photobucket.com/albums/v666/sUBs/CFScript.gif[/img]
This will make [b]ComboFix[/b] restart.
Reboot if you are asked to,
and post the contents of [b]Combofix.txt[/b] in your next reply together with a new HijackThis log.

- [b]HijackThis log:[/b]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:00, on 6-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Helperobject voor Encarta Winkler Prins Webassistent - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Encarta Winkler Prins Webassistent - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120179775847
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138299821260
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7849 bytes
ComboFix log:
ComboFix 07-12-31.4 - HP_Eigenaar 2008-01-06 18:26:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1414 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\HP_Eigenaar\Mijn documenten\combofix.exe
Command switches used :: C:\Documents and Settings\HP_Eigenaar\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
FILE
C:\WINDOWS\system32\explorer.exe
.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-06 to 2008-01-06 ))))))))))))))))))))))))))))))
.
2008-01-03 20:31 . 2008-01-03 20:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-03 20:23 . 2005-01-02 04:04 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-03 20:23 . 2005-01-01 09:00 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-01-03 20:23 . 2005-01-01 08:59 <DIR> dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-01-03 20:23 . 2004-12-03 19:49 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-01-03 20:23 . 2005-01-01 08:59 <DIR> dr------- C:\Documents and Settings\Administrator\Mijn documenten
2008-01-03 20:23 . 2005-01-01 08:59 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-01-03 20:23 . 2005-01-01 08:59 <DIR> dr------- C:\Documents and Settings\Administrator\Favorieten
2008-01-03 20:23 . 2005-01-02 04:08 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-01-03 20:23 . 2005-01-02 04:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-03 20:23 . 2005-01-02 04:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-03 20:23 . 2005-01-02 03:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intervideo
2008-01-03 20:23 . 2005-01-02 04:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-01-02 13:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 13:13 . 2008-01-02 13:13 <DIR> d-------- C:\Program Files\Trend Micro
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 02:58 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
2008-01-04 12:15 --------- d-----w C:\Program Files\Total Video Converter
2008-01-04 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-12 21:35 --------- d-----w C:\Program Files\SpeedFan
2007-12-12 19:09 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\uTorrent
2007-12-10 01:33 --------- d-----w C:\Program Files\Common Files\Real
2007-12-10 01:16 14,461,471 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-05 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 19:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-14 15:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:27 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:44 8,507,392 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-10 23:54 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:53 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:53 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:53 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:53 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:53 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:53 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:53 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:53 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:53 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:53 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:53 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:53 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:53 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:53 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:53 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:53 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:53 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:53 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:53 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:53 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 11:02 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 11:02 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-04-07 23:13 20,981,755 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_05_18_17_22_full.dmp.zip
2006-11-17 02:06 131 ----a-w C:\Documents and Settings\HP_Eigenaar\ecdelete.bat
2005-05-24 16:41 123,472 ----a-w C:\Documents and Settings\HP_Eigenaar\Application Data\GDIPFONTCACHEV1.DAT
2005-05-18 19:55 0 ----a-w C:\Documents and Settings\HP_Eigenaar\Application Data\wklnhst.dat
2005-07-15 20:28 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-02_13.21.48,26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-02 02:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-03 19:32:54 11,382,784 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-03 19:32:55 262,144 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-02 02:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-03 19:32:11 11,382,784 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-03 19:32:12 262,144 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-01-01 16:23:07 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-01-06 17:23:44 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2007-12-29 16:59:17 7,398,382 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-01-03 16:59:21 7,433,042 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 22:17 90112]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 04:10 344064]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:40 579072]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 17:48 94208 C:\WINDOWS\KHALMNPR.Exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 21:40 219136]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 21 (0x15)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Eigenaar^Menu Start^Programma's^Opstarten^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Eigenaar\Menu Start\Programma's\Opstarten\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-07 19:53 49152 --a------ c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 22:54 253952 --a------ c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
C:\Program Files\Windows Media Connect 2\WMCCFG.exe /StartQuiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINREMOTE]
2004-11-05 08:44 192512 --a------ C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-02 22:53 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-10-27 21:40]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-10-24 16:35]
S3 ICAM8USB;Intel(r) PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 11:23]
S3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 19:54]
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 18:27:47
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen …
scannen van verborgen autostart items …
scannen van verborgen bestanden …
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
.
Voltooingstijd: 2008-01-06 18:28:30
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-06 17:28:20
C:\qoobox\ComboFix2.txt 2008-01-02 17:21:31
C:\qoobox\ComboFix3.txt 2008-01-02 12:22:22
C:\qoobox\ComboFix4.txt 2006-11-09 18:39:09
.
2007-12-12 21:04:46 --- E O F ---
I don't know whether it is informative, but the following "explorer.exe" files are present on my system:
(screenshot: http://img218.imageshack.us/img218/5447/winexploreraq5.gif)
- Start HijackThis, choose 'Do a system scan only' and tick the lines below:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Now close all open windows except HijackThis and click Fix Checked.
The Java software on your computer is outdated.
Older versions have vulnerabilities that give malware the chance to install itself.
First carry out the steps below to uninstall Java and install the latest version:
  - Download Java Runtime Environment (JRE) 6u3 and save it to your Desktop.
  - Close all programs that may be open, especially your web browser!
  - Then go to Start > Control Panel > Add or Remove Programs and remove all older versions of Java from the list.
  - Tick everything with Java Runtime Environment (JRE or J2SE) in its name.
  - Then click Remove or the Change/Remove button.
  - Repeat this until all older versions are gone.
  - After removing all older versions, restart your PC.
  - Then double-click jre-6u3-windows-i586-p.exe on your Desktop to install the latest version of Java.
How are things with your problems now?
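The two checks the reply above makes by hand, run over log lines as a script: an added example, not code from the thread or from HijackThis. It assumes the "O<n> - <kind>: <rest>" line layout and Sun JRE paths of the form jre1.6.0_01; the sample lines are copied from the log posted in the thread.

```python
"""Triage of HijackThis log lines: added example, not code from the thread
or from HijackThis. It applies the two checks the reply above makes: entries
whose target is "(no file)" (orphaned, safe to tick for Fix Checked) and Java
components older than the recommended JRE 6u3. Assumed formats: the
"O<n> - <kind>: <rest>" line layout and Sun JRE paths such as ...\\jre1.6.0_01\\...
"""
import re

# Prefix HijackThis puts on every entry line: "O<n> - <kind>: <rest>"
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+([^:]+):\s*(.*)$")
# Sun JRE install directory inside a path, e.g. \jre1.6.0_01\ -> (1, 6, 0, 1)
JRE_RE = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)
# Version the reply recommends installing (JRE 6u3 == 1.6.0_03)
MIN_JRE = (1, 6, 0, 3)

# Sample lines copied from the log posted in the thread.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
End of file - 7849 bytes
"""


def parse_entry(line):
    """Split one HijackThis line into (section, kind, rest); None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    return m.groups() if m else None


def jre_version(path):
    """Return the JRE version found in a path as (major, minor, micro, update)."""
    m = JRE_RE.search(path)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(log_text, min_jre=MIN_JRE):
    """Return (section, reason, line) findings for the checks described above."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue  # header, "End of file" or blank line
        section, _kind, rest = parsed
        if rest.endswith("(no file)"):
            findings.append((section, "orphaned entry (no file)", line))
        ver = jre_version(rest)
        if ver is not None and ver < min_jre:
            label = f"outdated Java {ver[0]}.{ver[1]}.{ver[2]}_{ver[3]:02d}"
            findings.append((section, label, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```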
Pim - Well, as I said earlier, it does run more stably and I don't have the impression that anything harmful is still running; only AVG still keeps reporting that Trojan. Almost every hour, but it is odd that it always becomes active when there is no activity on the system. When I'm just working I never get that message; only when I leave the system alone for a while does it become active and AVG steps in. Quite odd, and it's the first time I've had something like this on my system. Normally it doesn't keep coming back! :cry: