
Trojan horse BHO.CVX

Anonymous
pimvandenderen
18 answers
  • Lately I have been getting the following AVG "Threat Detected" alert every few minutes: Trojan horse BHO.CVX.
    Who can help me get rid of it?

    Thanks in advance,

    Yo!
  • Download the HijackThis setup to your Desktop.

    Open HJTInstall and choose the location where you want HijackThis installed.
    Then click Install; after a few seconds HijackThis will open automatically.
    Now choose 'Do a system scan and save a logfile'.
    A Notepad window opens with the logfile. Select all of that text (Ctrl-A), copy it (Ctrl-C) and paste it into your next reply.

    Good luck! 8)

    Pim
  • Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 22:20:42, on 3-1-2008
    Platform: Windows XP (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINPAT~1\WinPatrol.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    F2 - REG:system.ini: UserInit=userinit.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Internet Security Service ] msq23.exe
    O4 - HKLM\..\Run: [windle] windle.exe
    O4 - HKLM\..\RunServices: [Internet Security Service ] msq23.exe
    O4 - HKLM\..\RunServices: [] AWG.exe
    O4 - HKLM\..\RunServices: [windle] windle.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Internet Security Service ] msq23.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Office Monitor] C:\WINDOWS\System32\alg32.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ICQ Agent] C:\WINDOWS\System32\icq6.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Messanger 7] C:\WINDOWS\System32\msgs7.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} - http://advnt01.com/dialer/olanda_ver3.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe


    End of file - 6368 bytes

  • Start HijackThis, choose 'Do a system scan only' and tick the lines below:

    F2 - REG:system.ini: UserInit=userinit.exe,
    O4 - HKLM\..\Run: [Internet Security Service ] msq23.exe
    O4 - HKLM\..\Run: [windle] windle.exe
    O4 - HKLM\..\RunServices: [Internet Security Service ] msq23.exe
    O4 - HKLM\..\RunServices: [] AWG.exe
    O4 - HKLM\..\RunServices: [windle] windle.exe
    O4 - HKUS\S-1-5-18\..\Run: [Internet Security Service ] msq23.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Office Monitor] C:\WINDOWS\System32\alg32.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ICQ Agent] C:\WINDOWS\System32\icq6.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Messanger 7] C:\WINDOWS\System32\msgs7.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'Default user')
    O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} - http://advnt01.com/dialer/olanda_ver3.CAB

    Close all open windows except HijackThis and click 'Fix checked'.

    Download ComboFix to your desktop.

    If you have used ComboFix before, delete that copy and download ComboFix again via the link above, because ComboFix is updated daily.

    NOTE: if you get a warning from your antivirus or another real-time scanner while or after downloading ComboFix, or while running it, disable that scanner and download ComboFix again. Some scanners treat certain components ComboFix uses as suspicious and will block or delete them!

    Double-click combofix.exe.
    Choose "Continue" by typing 1 followed by ENTER.
    While the fix is running, do NOT click in the window, as this will make your PC hang.

    When the fix has completed and the PC has restarted, the log combofix.txt will open.
    In your next reply, post the ComboFix log (combofix.txt) together with a fresh HijackThis log.

    Good luck!
    Pim
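How the lines in the fix list above get picked, as an added example (not part of the thread and not HijackThis code): the script below turns that judgement into a few plain rules and runs them over O4/O16/O23 lines copied from the logs in this thread, including the algs.exe and spoolsvc.exe entries from the last log. It flags Run values that are a bare filename with no path, anything under the Win9x-era RunServices key, value names that are empty or padded with a space, executables whose names sit one or two edits away from a core XP binary (algs.exe next to alg.exe, spoolsvc.exe next to spoolsv.exe, alg32.exe), DPF downloads with "dial" in the URL or an .exe target, and services with no vendor or a missing file. The trailing space in [Internet Security Service ] deserves its own rule: the CFScript later in the thread removes "Internet Security Service" without the space, and the final ComboFix log still lists the padded value. The rule names, the LEGIT_SYSTEM_BINARIES list and the edit-distance threshold of 2 are assumptions of this example.

```python
"""Rule-based triage of HijackThis O4 / O16 / O23 lines.

Added example, not part of the thread and not HijackThis code. The sample lines
are copied from the logs posted in this thread; the rule names, the list of
legitimate system binaries and the edit-distance threshold are this example's
own assumptions.
"""
import re

# Constructed sample: O4/O16/O23 lines taken from the HijackThis logs in this thread
# (the algs.exe / spoolsvc.exe entries come from the last log posted).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Internet Security Service ] msq23.exe
O4 - HKLM\..\RunServices: [] AWG.exe
O4 - HKUS\S-1-5-18\..\Run: [Office Monitor] C:\WINDOWS\System32\alg32.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} - http://advnt01.com/dialer/olanda_ver3.CAB
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption: the XP core binaries whose names the malware in this thread imitates.
LEGIT_SYSTEM_BINARIES = {"alg.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                         "smss.exe", "winlogon.exe", "services.exe", "ctfmon.exe", "userinit.exe"}
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")   # Run keys of SYSTEM and the Default user


def edit_distance(a, b):
    """Plain Levenshtein distance, small enough to inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd):
    """Split a Run value into (executable as written, lower-case basename):
    honours a quoted path, drops arguments and the (User '...') suffix."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd else ""
    return exe, exe.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return [{'line', 'target', 'reasons'}] for every line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons, target = [], None
        if m := O4_RE.match(line):
            hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
            exe, target = executable_of(cmd)
            if key.lower().startswith("runservices"):
                reasons.append("runservices")        # Win9x-only key; NT ignores it, malware still writes it
            if "\\" not in exe:
                reasons.append("bare-filename")      # resolved through the search path, location hidden
            if hive.upper().startswith(SYSTEM_HIVES):
                reasons.append("system-hive")        # written while running as SYSTEM (weak on its own)
            if not name or name != name.strip():
                reasons.append("odd-value-name")     # empty or space-padded value name
            for legit in sorted(LEGIT_SYSTEM_BINARIES):
                if target != legit and edit_distance(target, legit) <= 2:
                    reasons.append(f"lookalike:{legit}")
        elif m := O16_RE.match(line):
            url = m.group("url")
            target = url.rsplit("/", 1)[-1].lower()
            if "dial" in url.lower():
                reasons.append("dpf-dialer")         # premium-rate dialer, the classic DPF abuse
            if target.endswith(".exe"):
                reasons.append("dpf-executable")     # a DPF entry normally points at a .cab/.ocx
        elif m := O23_RE.match(line):
            path = m.group("path")
            target = path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1].lower()
            if m.group("owner") == "Unknown owner":
                reasons.append("no-vendor")
            if "(file missing)" in path:
                reasons.append("file-missing")       # orphaned service entry
        if reasons:
            findings.append({"line": line, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['target']:<22} {', '.join(f['reasons'])}")
```

Run as a script it prints one line per flagged entry; WinPatrol, ctfmon.exe and the Zylom control produce nothing, which is the point of the lookalike rule being an exact-name exception rather than a blocklist.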
  • Here is the ComboFix log:

    ComboFix 08-01-03.4 - Adri 2008-01-03 22:48:24.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.76 [GMT 1:00]
    Started from: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
    * New restore point was created
    .

    (((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 ))))))))))))))))))))))))))))))
    .

    2008-01-03 22:45 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-03 21:46 . 2008-01-03 22:21 <DIR> dr-h----- C:\Documents and Settings\Adri\Onlangs geopend
    2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d-------- C:\Documents and Settings\Adri\Contacts
    2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-12-12 12:34 . 2007-12-12 12:34 427,016 --a------ C:\wingkka.exe
    2007-12-07 13:11 . 19,456 C:\WINDOWS\system32\drivers\kwklkwot.dat
    2007-12-04 13:45 . 2007-12-04 13:45 116,480 --a------ C:\WINDOWS\system32\sxtznrle.dat
    2007-12-04 13:35 . 2008-01-03 14:02 <DIR> d-------- C:\WINDOWS\system32\AppCert
    2007-12-04 13:35 . 2001-09-07 13:00 84,480 --a------ C:\WINDOWS\system32\dsauthw.dll.bak
    2007-12-04 13:35 . 2007-12-04 13:35 16,384 --a------ C:\WINDOWS\system32\t4isiu0.exe
    2007-12-04 13:34 . 2001-09-07 13:00 84,992 --a------ C:\WINDOWS\system32\EqnClassj.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-03 19:56 --------- d-----w C:\Program Files\Google
    2007-12-28 17:11 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-23 21:51 --------- d-----w C:\Program Files\kari
    2007-12-02 13:46 --------- d-----w C:\Program Files\Mijn Paardenstal
    2007-12-01 19:18 680,105 ----a-w C:\zena.exe
    2007-12-01 19:18 --------- d-----w C:\Program Files\dfsdfsd
    2007-12-01 19:17 991,304 ----a-w C:\z3na.exe
    2007-11-25 13:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-13 14:10 38,649 ----a-w C:\WINDOWS\system32\kl.exe
    2007-11-11 11:44 171,008 ----a-w C:\WINDOWS\system32\avvg.exe
    2007-11-09 15:22 78,336 --sha-w C:\WINDOWS\system32\irdvxc.exe
    2007-11-09 13:38 --------- d-----w C:\Program Files\Java
    2006-02-27 23:54 26,958 ----a-w C:\Program Files\MovieLand Terms.html
    2002-11-02 13:01 266 --sh--w C:\Program Files\desktop.ini
    2002-11-02 13:01 11,209 ---ha-w C:\Program Files\folder.htt
    2001-09-07 12:00 169,984 --sh--r C:\WINDOWS\system32\fixy.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF1304BD-504B-441E-A401-35BD9E50BA94}]
    2001-09-07 13:00 84992 --a------ C:\WINDOWS\system32\EqnClassj.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
    "WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
    "MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Machine"="Linux.exe" []
    "MSN UPDATERS"="virtualmemory.exe" []
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]
    "Internet Security Service "="msq23.exe" []

    R0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []
    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
    R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
    S2 EnGenius Network Analysis Tool;EnGenius Network Analysis Tool;"C:\WINDOWS\System32\dllcache\winegne.exe" []
    S4 INService;Windows Installer Manager;C:\WINDOWS\System32\winins.exe []
    S4 MSDisk;Network helper Service;"C:\WINDOWS\System32\irdvxc.exe" [2007-11-09 16:22]
    S4 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" []

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-03 22:50:47
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-03 22:52:20
    ComboFix2.txt 2007-12-23 21:15:05

    And the fresh HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 23:01:36, on 3-1-2008
    Platform: Windows XP (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINPAT~1\WinPatrol.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Machine] Linux.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update Machine] Linux.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe


    End of file - 5500 bytes


  • Open Notepad and copy and paste the following into an empty window:

    File::
    C:\wingkka.exe
    C:\WINDOWS\system32\drivers\kwklkwot.dat
    C:\WINDOWS\system32\sxtznrle.dat
    C:\WINDOWS\system32\dsauthw.dll.bak
    C:\WINDOWS\system32\t4isiu0.exe
    C:\WINDOWS\system32\EqnClassj.dll
    C:\zena.exe
    C:\z3na.exe
    C:\WINDOWS\system32\fixy.exe
    C:\WINDOWS\system32\kl.exe
    C:\WINDOWS\system32\avvg.exe

    Folder::
    C:\Program Files\dfsdfsd

    Driver::
    kwklkwot

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF1304BD-504B-441E-A401-35BD9E50BA94}]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Machine"=-
    "MSN UPDATERS"=-
    "Internet Security Service"=-

    Save this on your Desktop as CFScript.txt

    Drag CFScript.txt onto ComboFix.exe as shown in the example below:

    http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

    This will make ComboFix start again.
    Reboot if asked to,
    and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    How are your problems now?

    Good luck!
    Pim
  • After a lot of (repair) time the machine has restarted and I have not had the alert again, so it looks like the horse is gone.
    Here are a few more logs:
    ComboFix 08-01-03.4 - Adri 2008-01-04 19:31:50.4 - NTFSx86
    Started from: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Adri\Bureaublad\CFScript.txt
    * New restore point was created

    FILE
    C:\WINDOWS\system32\avvg.exe
    C:\WINDOWS\system32\drivers\kwklkwot.dat
    C:\WINDOWS\system32\dsauthw.dll.bak
    C:\WINDOWS\system32\EqnClassj.dll
    C:\WINDOWS\system32\fixy.exe
    C:\WINDOWS\system32\kl.exe
    C:\WINDOWS\system32\sxtznrle.dat
    C:\WINDOWS\system32\t4isiu0.exe
    C:\wingkka.exe
    C:\z3na.exe
    C:\zena.exe
    .

    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\dfsdfsd
    C:\Program Files\dfsdfsd\aliases.ini
    C:\Program Files\dfsdfsd\cult.exe
    C:\Program Files\dfsdfsd\gt.x
    C:\Program Files\dfsdfsd\kiss.exe
    C:\Program Files\dfsdfsd\knlps.sys
    C:\Program Files\dfsdfsd\ksat.bat
    C:\Program Files\dfsdfsd\law.x
    C:\Program Files\dfsdfsd\lovely.sys
    C:\Program Files\dfsdfsd\mirc.ini
    C:\Program Files\dfsdfsd\murd3r
    C:\Program Files\dfsdfsd\orrl.exe
    C:\Program Files\dfsdfsd\pingy.exe
    C:\Program Files\dfsdfsd\ps2m.exe
    C:\Program Files\dfsdfsd\remote.ini
    C:\Program Files\dfsdfsd\repcale.exe
    C:\Program Files\dfsdfsd\w.e
    C:\WINDOWS\system32\avvg.exe
    C:\WINDOWS\system32\drivers\kwklkwot.dat
    C:\WINDOWS\system32\dsauthw.dll.bak
    C:\WINDOWS\system32\EqnClassj.dll
    C:\WINDOWS\system32\fixy.exe
    C:\WINDOWS\system32\kl.exe
    C:\WINDOWS\system32\sxtznrle.dat
    C:\WINDOWS\system32\t4isiu0.exe
    C:\wingkka.exe
    C:\z3na.exe
    C:\zena.exe

    .
    (((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 ))))))))))))))))))))))))))))))
    .

    2008-01-04 19:26 . 2008-01-04 19:26 45,568 --a------ C:\WINDOWS\system32\ujvm.exe
    2008-01-04 19:26 . 2008-01-04 19:26 45,568 --a------ C:\WINDOWS\system32\boqn.exe
    2008-01-04 19:26 . 2008-01-04 19:26 20,819 --a------ C:\WINDOWS\system32\nschl.exe
    2008-01-04 19:26 . 2008-01-04 19:26 20,819 --a------ C:\WINDOWS\system32\fswb.exe
    2008-01-04 17:01 . 2008-01-04 17:01 45,568 --a------ C:\WINDOWS\system32\jwbftp.exe
    2008-01-04 17:01 . 2008-01-04 17:01 20,819 --a------ C:\WINDOWS\system32\tkmoky.exe
    2008-01-04 16:59 . 2008-01-04 16:59 45,568 --a------ C:\WINDOWS\system32\ebwtupn.exe
    2008-01-04 16:59 . 2008-01-04 16:59 20,819 --a------ C:\WINDOWS\system32\kyhecd.exe
    2008-01-04 15:30 . 2008-01-04 15:30 45,568 --a------ C:\WINDOWS\system32\fwkxx.exe
    2008-01-04 15:30 . 2008-01-04 15:30 20,819 --a------ C:\WINDOWS\system32\xdflcbmr.exe
    2008-01-04 15:28 . 2008-01-04 15:28 45,568 --a------ C:\WINDOWS\system32\ivvx.exe
    2008-01-04 15:28 . 2008-01-04 15:28 20,819 --a------ C:\WINDOWS\system32\xxwdl.exe
    2008-01-04 13:06 . 2008-01-04 13:06 45,568 --a------ C:\WINDOWS\system32\jtuf.exe
    2008-01-04 13:06 . 2008-01-04 13:06 20,819 --a------ C:\WINDOWS\system32\sgptbq.exe
    2008-01-04 13:04 . 2008-01-04 13:04 45,568 --a------ C:\WINDOWS\system32\bwqfvg.exe
    2008-01-04 13:04 . 2008-01-04 13:04 20,819 --a------ C:\WINDOWS\system32\dxts.exe
    2008-01-04 12:56 . 2008-01-04 12:56 45,568 --a------ C:\WINDOWS\system32\zvozaygf.exe
    2008-01-04 12:56 . 2008-01-04 12:56 45,568 --a------ C:\WINDOWS\system32\huwpggf.exe
    2008-01-04 12:56 . 2008-01-04 12:56 20,819 --a------ C:\WINDOWS\system32\uxshewz.exe
    2008-01-04 12:56 . 2008-01-04 12:56 20,819 --a------ C:\WINDOWS\system32\umnlzev.exe
    2008-01-03 22:45 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-03 21:46 . 2008-01-04 19:29 <DIR> dr-h----- C:\Documents and Settings\Adri\Onlangs geopend
    2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d-------- C:\Documents and Settings\Adri\Contacts
    2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-12-04 13:35 . 2008-01-03 14:02 <DIR> d-------- C:\WINDOWS\system32\AppCert

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-03 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-03 19:56 --------- d-----w C:\Program Files\Google
    2007-12-28 17:11 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-23 21:51 --------- d-----w C:\Program Files\kari
    2007-12-02 13:46 --------- d-----w C:\Program Files\Mijn Paardenstal
    2007-11-25 13:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-09 15:22 78,336 --sha-w C:\WINDOWS\system32\irdvxc.exe
    2007-11-09 13:38 --------- d-----w C:\Program Files\Java
    2006-02-27 23:54 26,958 ----a-w C:\Program Files\MovieLand Terms.html
    2002-11-02 13:01 266 --sh--w C:\Program Files\desktop.ini
    2002-11-02 13:01 11,209 ---ha-w C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-03_22.50.55,04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2001-09-07 12:00:00 82,944 ---h--w C:\WINDOWS\system32\algs.exe
    + 2001-09-07 12:00:00 108,544 ---h--w C:\WINDOWS\system32\spoolsvc.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
    "WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
    "MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]
    "Spooler SubSystem App"="C:\WINDOWS\System32\spoolsvc.exe" [2001-09-07 13:00 108544]
    "Application Layer Gateway Service"="C:\WINDOWS\System32\algs.exe" [2001-09-07 13:00 82944]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]
    "Internet Security Service "="msq23.exe" []

    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
    R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
    S0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []
    S2 EnGenius Network Analysis Tool;EnGenius Network Analysis Tool;"C:\WINDOWS\System32\dllcache\winegne.exe" []
    S4 INService;Windows Installer Manager;C:\WINDOWS\System32\winins.exe []
    S4 MSDisk;Network helper Service;"C:\WINDOWS\System32\irdvxc.exe" [2007-11-09 16:22]
    S4 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" []

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-04 19:50:13
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\uuak.exe 45568 bytes executable
    **************************************************************************
    .
    Completion time: 2008-01-04 19:54:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-04 18:53:13
    ComboFix2.txt 2008-01-04 18:21:11
    ComboFix3.txt 2008-01-03 21:52:21
    ComboFix4.txt 2007-12-23 21:15:05

    And:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 19:59:16, on 4-1-2008
    Platform: Windows XP (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINPAT~1\WinPatrol.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\algs.exe
    C:\WINDOWS\System32\spoolsvc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe


    End of file - 6098 bytes



  • Not clean yet :cry:

    Download SDFix to your Desktop.

    Double-click to open it, select all files and extract them to a folder of their own named SDFix.
    Start your computer in Safe Mode.
    Open the SDFix folder and double-click runthis.bat to start the tool.
    Let the computer restart when prompted.
    SDFix carries on and opens a short report when it is done!
    Post this report in your next reply together with a new HijackThis log.

    Pim
  • I am running SDFix, but after the restart it has now been going for about an hour with text in the window along the lines of: Repairing registry, please wait.
    This is not getting anywhere.
  • Are you running SDFix in Safe Mode? Otherwise it will indeed not work.

    1. Print these instructions or save them in a Notepad file; in a moment you will have to
    work in Safe Mode and you cannot get back to this page there.

    2. Start your computer in Safe Mode:
    http://users.telenet.be/marcvn/spyware/1378056.htm

    3. Start HijackThis, choose 'Do a system scan only' and tick the lines below:

    O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
    O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)

    Now close all open windows except HijackThis and click 'Fix checked'

    4. Delete the following files:
    C:\WINDOWS\System32\algs.exe
    C:\WINDOWS\System32\spoolsvc.exe
    Mind the file names: they closely resemble the legitimate Windows file names!

    Also delete:
    C:\WINDOWS\system32\ujvm.exe
    C:\WINDOWS\system32\boqn.exe
    C:\WINDOWS\system32\nschl.exe
    C:\WINDOWS\system32\fswb.exe
    C:\WINDOWS\system32\jwbftp.exe
    C:\WINDOWS\system32\tkmoky.exe
    C:\WINDOWS\system32\ebwtupn.exe
    C:\WINDOWS\system32\kyhecd.exe
    C:\WINDOWS\system32\fwkxx.exe
    C:\WINDOWS\system32\xdflcbmr.exe
    C:\WINDOWS\system32\ivvx.exe
    C:\WINDOWS\system32\xxwdl.exe
    C:\WINDOWS\system32\jtuf.exe
    C:\WINDOWS\system32\sgptbq.exe
    C:\WINDOWS\system32\bwqfvg.exe
    C:\WINDOWS\system32\dxts.exe
    C:\WINDOWS\system32\zvozaygf.exe
    C:\WINDOWS\system32\huwpggf.exe
    C:\WINDOWS\system32\uxshewz.exe
    C:\WINDOWS\system32\umnlzev.exe

    5. Empty your Temp folders (Note: empty the folders, do not delete them!!):

    C:\Windows\Temp
    C:\Documents and Settings\<profile name>\Local Settings\Temp
    C:\Documents and Settings\<profile name>\Local Settings\Temporary Internet Files
    C:\Documents and Settings\<profile name>\Local Settings\Temporary Internet Files\content.ie5
    If the last folder is not shown, go to the Temporary Internet Files folder, type \content.ie5 after it in the address bar and press Enter.

    Empty your Recycle Bin.

    6. Now run SDFix again.
    After the restart, make a new ComboFix log and post it, together with the SDFix log, in your next reply.

    Good luck!
    Pim :)
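An added check, not part of this thread or of HijackThis, that automates the point made in step 4 above: the malware on this machine hides behind names one character away from real Windows binaries (spoolsvc.exe next to spoolsv.exe, algs.exe next to alg.exe). The script parses O4 and O23 lines copied from the HijackThis log posted earlier in the thread and flags three things: a name within one edit of a short list of system binaries (the list and its expected directories are an assumption of this example, not a complete Windows XP inventory), a genuine system binary name sitting outside its normal directory, and a service whose file is missing.

```python
import re
from collections import namedtuple

# A few Windows XP system binaries that the lookalikes in this thread imitate.
# The list and the expected directories are an assumption for this example,
# not a complete inventory of Windows XP.
LEGIT_SYSTEM_BINARIES = {
    "spoolsv.exe": r"c:\windows\system32",
    "alg.exe":     r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe":   r"c:\windows\system32",
    "ctfmon.exe":  r"c:\windows\system32",
}

# O4 (Run key) and O23 (service) entries copied from the HijackThis log
# posted earlier in this thread.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
""".strip().splitlines()

Finding = namedtuple("Finding", ["line", "path", "reason"])

# First drive-letter path up to its .exe; HijackThis quotes paths with spaces,
# so the non-greedy match ends at the executable, not at trailing arguments.
_PATH_RE = re.compile(r"[a-z]:\\.*?\.exe", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; one edit is the lookalike budget we tolerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_line(line):
    """Return a Finding for a suspicious O4/O23 line, or None when it looks benign."""
    m = _PATH_RE.search(line)
    if not m:
        return None
    path = m.group(0)
    directory, _, name = path.lower().rpartition("\\")
    if "(file missing)" in line.lower():
        return Finding(line, path, "autostart entry points at a file that no longer exists")
    if name in LEGIT_SYSTEM_BINARIES:
        if directory != LEGIT_SYSTEM_BINARIES[name]:
            return Finding(line, path, "system binary name outside its normal directory")
        return None
    for legit in LEGIT_SYSTEM_BINARIES:
        if edit_distance(name, legit) == 1:
            return Finding(line, path, "one character away from %s" % legit)
    return None


def scan(lines):
    return [f for f in map(check_line, lines) if f is not None]


def flagged_names(lines):
    """Lower-case file names of every flagged entry, handy for a quick triage list."""
    return {f.path.lower().rpartition("\\")[2] for f in scan(lines)}


if __name__ == "__main__":
    for f in scan(SAMPLE_HJT_LINES):
        print("%-60s %s" % (f.path, f.reason))
```

Run as-is it reports exactly the three entries ticked in step 3; a full log is handled by reading the file and passing its lines to `scan()`. The edit-distance budget is deliberately 1: at 2 the check already confuses avgw.exe with alg.exe, which is why the name list is kept to binaries that malware actually imitates rather than everything in System32.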
  • OK, here we are again…
    SDFix did finish yesterday after roughly 4 hours; below the log plus the ComboFix log after carrying out your instructions.
    A few files could not be found; the rest has been deleted.

    ComboFix 08-01-03.4 - Adri 2008-01-06 16:54:21.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.72 [GMT 1:00]
    Started from: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
    .

    (((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 ))))))))))))))))))))))))))))))
    .

    2008-01-05 16:19 . 2008-01-05 16:19 <DIR> d——– C:\WINDOWS\ERUNT
    2008-01-05 12:51 . 2008-01-05 12:51 45,568 –a—— C:\WINDOWS\system32\onmzwt.exe
    2008-01-05 12:51 . 2008-01-05 12:51 20,819 –a—— C:\WINDOWS\system32\aduzqsx.exe
    2008-01-05 12:49 . 2008-01-05 12:49 45,568 –a—— C:\WINDOWS\system32\ihkjq.exe
    2008-01-05 12:49 . 2008-01-05 12:49 20,819 –a—— C:\WINDOWS\system32\lcbabi.exe
    2008-01-04 19:51 . 2008-01-04 19:51 45,568 –a—— C:\WINDOWS\system32\uuak.exe
    2008-01-04 19:51 . 2008-01-04 19:51 20,819 –a—— C:\WINDOWS\system32\zoicdvee.exe
    2008-01-04 19:50 . 2008-01-04 19:50 45,568 –a—— C:\WINDOWS\system32\xblibm.exe
    2008-01-04 19:50 . 2008-01-04 19:50 20,819 –a—— C:\WINDOWS\system32\atxgll.exe
    2008-01-04 19:26 . 2008-01-04 19:26 45,568 –a—— C:\WINDOWS\system32\ujvm.exe
    2008-01-03 22:45 . 2000-08-31 08:00 51,200 –a—— C:\WINDOWS\NirCmd.exe
    2008-01-03 21:46 . 2008-01-06 16:26 <DIR> dr-h—– C:\Documents and Settings\Adri\Onlangs geopend
    2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d——– C:\Documents and Settings\Adri\Contacts
    2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d—-c— C:\WINDOWS\system32\DRVSTORE

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-06 07:24 ——— d—–w C:\Documents and Settings\All Users\Application Data\avg7
    2008-01-03 22:31 ——— d—–w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-03 19:56 ——— d—–w C:\Program Files\Google
    2007-12-28 17:11 ——— d—–w C:\Program Files\MSN Messenger
    2007-12-23 21:51 ——— d—–w C:\Program Files\kari
    2007-12-02 13:46 ——— d—–w C:\Program Files\Mijn Paardenstal
    2007-11-09 13:38 ——— d—–w C:\Program Files\Java
    2006-02-27 23:54 26,958 —-a-w C:\Program Files\MovieLand Terms.html
    2002-11-02 13:01 266 –sh–w C:\Program Files\desktop.ini
    2002-11-02 13:01 11,209 —ha-w C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-03_22.50.55,04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-05 05:57:26 163,328 —-a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-01-05 16:23:15 4,345,856 —-a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-01-05 16:23:15 147,456 —-a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-01-05 05:57:26 163,328 —-a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-01-05 15:19:34 4,345,856 —-a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2008-01-05 15:19:34 147,456 —-a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legitimate default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
    "WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
    "MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2001-09-07 13:00 147456]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]
    "Internet Security Service "="msq23.exe" []

    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
    R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
    S0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-06 16:55:49
    Windows 5.1.2600 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    Scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-06 16:56:46
    ComboFix-quarantined-files.txt 2008-01-06 15:56:25
    ComboFix2.txt 2008-01-04 18:54:14
    ComboFix3.txt 2008-01-04 18:21:11
    ComboFix4.txt 2008-01-03 21:52:21
    ComboFix5.txt 2007-12-23 21:15:05

    SDFix: Version 1.124

    Run by Adri on Sat 05-01-2008 at 17:23

    Microsoft Windows XP [version 5.1.2600]

    Running From: C:\DOWNLO~1\TIJDEL~1\SDFix

    Safe Mode:
    Checking Services:

    Name:
    EnGenius Network Analysis Tool
    INService
    MSDisk
    MSWindows

    Path:

    EnGenius Network Analysis Tool - Deleted
    INService - Deleted
    MSDisk - Deleted
    MSWindows - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting…


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\DP.EXE - Deleted
    C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
    C:\WINDOWS\SYSTEM32\IT.EXE - Deleted
    C:\WINDOWS\SYSTEM32\KMCAFE.EXE - Deleted
    C:\WINDOWS\SYSTEM32\NMSQ22.EXE - Deleted
    C:\WINDOWS\SYSTEM32\REGFIX.EXE - Deleted
    C:\WINDOWS\SYSTEM32\SCRCON~1.EXE - Deleted
    C:\WINDOWS\system32\CatRoot\TMP15.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP16.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP18.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP1A.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP1B.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP1D.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP1E.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP20.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP21.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP23.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP24.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP26.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP27.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP29.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP2A.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP2C.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP2D.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP2F.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP30.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP32.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP33.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP35.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP36.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP38.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP39.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP3B.tmp - Deleted
    C:\WINDOWS\system32\261.tmp - Deleted
    C:\WINDOWS\system32\algs.exe - Deleted
    C:\WINDOWS\system32\irdvxc.exe - Deleted
    C:\WINDOWS\system32\spoolsvc.exe - Deleted
    C:\WINDOWS\system32\TFTP1424 - Deleted
    C:\WINDOWS\system32\TFTP1644 - Deleted
    C:\WINDOWS\system32\TFTP2092 - Deleted
    C:\WINDOWS\system32\TFTP2108 - Deleted
    C:\WINDOWS\system32\TFTP220 - Deleted
    C:\WINDOWS\system32\TFTP2404 - Deleted
    C:\WINDOWS\system32\TFTP2908 - Deleted
    C:\WINDOWS\system32\TFTP3192 - Deleted
    C:\WINDOWS\system32\TFTP3328 - Deleted
    C:\WINDOWS\system32\TFTP3336 - Deleted
    C:\WINDOWS\system32\TFTP3384 - Deleted
    C:\WINDOWS\system32\TFTP3760 - Deleted
  • It is starting to look better and better! Could you check once more whether you posted the complete
    SDFix report? It does not look complete to me.

    Open Notepad, copy and paste the following into an empty window:

    File::
    C:\WINDOWS\system32\onmzwt.exe
    C:\WINDOWS\system32\aduzqsx.exe
    C:\WINDOWS\system32\ihkjq.exe
    C:\WINDOWS\system32\lcbabi.exe
    C:\WINDOWS\system32\uuak.exe
    C:\WINDOWS\system32\zoicdvee.exe
    C:\WINDOWS\system32\xblibm.exe
    C:\WINDOWS\system32\atxgll.exe
    C:\WINDOWS\system32\ujvm.exe
    C:\WINDOWS\System32\drivers\kwklkwot.dat

    Driver::
    kwklkwot

    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Internet Security Service "=-

    Save it on your Desktop as CFScript.txt

    Drag CFScript.txt onto ComboFix.exe as shown in the example below:

    http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

    This will make ComboFix start again.
    Reboot when asked to,
    and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Good luck!
    Pim
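The "Final Check" part of the complete SDFix report that follows contains a catchme dump of a service that is hidden from the service control manager: its name and display name are unprintable and its ImagePath is C:\WINDOWS\msnmsgr.exe. As an added example, not code from SDFix, catchme or this thread, the script below parses that REGEDIT-style dump (copied from the report, with the FailureActions and Description values left out) and pulls out what a responder needs before writing a removal script: which control sets carry the entry, the image path, and the start and service type decoded from the SERVICE_* constants, plus a flag for a display name that consists of escaped bytes.

```python
import re

# "Final Check" excerpt from the SDFix report posted in the next reply. The
# service name itself is unprintable, so catchme rendered it as \xac ?.
# FailureActions and Description are left out to keep the sample short.
CATCHME_EXCERPT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# SERVICE_* start types and type bits from winnt.h / winsvc.h
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
TYPE_FLAGS = {0x1: "kernel_driver", 0x2: "fs_driver", 0x10: "own_process",
              0x20: "share_process", 0x100: "interactive"}


def parse_reg_dump(text):
    """{key_path: {value_name: raw_value}} for a REGEDIT4-style dump as catchme prints it."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def _dword(raw):
    return int(raw.split(":", 1)[1], 16)


def _string(raw):
    # catchme prints REG_EXPAND_SZ as str(2):"..." and keeps the registry's own
    # quotes around ImagePath, hence the doubled quotes in the dump.
    if raw.startswith("str(2):"):
        raw = raw[len("str(2):"):]
    return raw.strip('"')


def hidden_services(text):
    """One record per Services\\<name> key; the per-service Security subkeys are skipped."""
    records = []
    for key, values in parse_reg_dump(text).items():
        control_set_path, sep, name = key.rpartition("\\Services\\")
        if not sep or name.endswith("\\Security"):
            continue
        display = _string(values.get("DisplayName", ""))
        svc_type = _dword(values.get("Type", "dword:0"))
        records.append({
            "control_set": control_set_path.rsplit("\\", 1)[-1],
            "name": name,
            "image": _string(values.get("ImagePath", "")),
            "start": START_TYPES.get(_dword(values.get("Start", "dword:ffffffff")), "unknown"),
            "type": [label for bit, label in TYPE_FLAGS.items() if svc_type & bit],
            # catchme escapes non-printable bytes as \xNN or \N; a display name made
            # of those was not written by any installer's setup routine
            "garbled_name": bool(re.search(r"\\x[0-9a-fA-F]{2}|\\\d", display)),
        })
    return records


if __name__ == "__main__":
    for r in hidden_services(CATCHME_EXCERPT):
        print(r["control_set"], repr(r["name"]), r["image"], r["start"], r["type"])
```

Both control sets carry the entry, and ControlSet002 is usually the Last Known Good configuration, so a cleanup that only touches CurrentControlSet leaves a copy behind. Start=4 means the entry is currently disabled, which is why nothing in the running-processes list points at it; the name msnmsgr.exe is the MSN Messenger client's own binary, which on this machine lives under C:\Program Files\MSN Messenger, so a copy in C:\WINDOWS is the same lookalike trick as spoolsvc.exe.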
  • Here, hopefully, is the complete SDFix report once more, plus the ComboFix log and the HijackThis log:

    SDFix: Version 1.124

    Run by Adri on Sat 05-01-2008 at 17:23

    Microsoft Windows XP [version 5.1.2600]

    Running From: C:\DOWNLO~1\TIJDEL~1\SDFix

    Safe Mode:
    Checking Services:

    Name:
    EnGenius Network Analysis Tool
    INService
    MSDisk
    MSWindows

    Path:

    EnGenius Network Analysis Tool - Deleted
    INService - Deleted
    MSDisk - Deleted
    MSWindows - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting…


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\DP.EXE - Deleted
    C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
    C:\WINDOWS\SYSTEM32\IT.EXE - Deleted
    C:\WINDOWS\SYSTEM32\KMCAFE.EXE - Deleted
    C:\WINDOWS\SYSTEM32\NMSQ22.EXE - Deleted
    C:\WINDOWS\SYSTEM32\REGFIX.EXE - Deleted
    C:\WINDOWS\SYSTEM32\SCRCON~1.EXE - Deleted
    C:\WINDOWS\system32\CatRoot\TMP15.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP16.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP18.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP1A.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP1B.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP1D.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP1E.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP20.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP21.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP23.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP24.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP26.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP27.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP29.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP2A.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP2C.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP2D.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP2F.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP30.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP32.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP33.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP35.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP36.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP38.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP39.tmp - Deleted
    C:\WINDOWS\system32\CatRoot\TMP3B.tmp - Deleted
    C:\WINDOWS\system32\261.tmp - Deleted
    C:\WINDOWS\system32\algs.exe - Deleted
    C:\WINDOWS\system32\irdvxc.exe - Deleted
    C:\WINDOWS\system32\spoolsvc.exe - Deleted
    C:\WINDOWS\system32\TFTP1424 - Deleted
    C:\WINDOWS\system32\TFTP1644 - Deleted
    C:\WINDOWS\system32\TFTP2092 - Deleted
    C:\WINDOWS\system32\TFTP2108 - Deleted
    C:\WINDOWS\system32\TFTP220 - Deleted
    C:\WINDOWS\system32\TFTP2404 - Deleted
    C:\WINDOWS\system32\TFTP2908 - Deleted
    C:\WINDOWS\system32\TFTP3192 - Deleted
    C:\WINDOWS\system32\TFTP3328 - Deleted
    C:\WINDOWS\system32\TFTP3336 - Deleted
    C:\WINDOWS\system32\TFTP3384 - Deleted
    C:\WINDOWS\system32\TFTP3760 - Deleted




    Removing Temp Files…

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-05 18:26:59
    Windows 5.1.2600 NTFS

    scanning hidden processes …

    scanning hidden services & system hive …

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?]
    "Type"=dword:00000110
    "Start"=dword:00000004
    "ErrorControl"=dword:00000000
    "ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
    "DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
    "ObjectName"="LocalSystem"
    "FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
    "Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?]
    "Type"=dword:00000110
    "Start"=dword:00000004
    "ErrorControl"=dword:00000000
    "ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
    "DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
    "ObjectName"="LocalSystem"
    "FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
    "Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

    scanning hidden registry entries …

    scanning hidden files …


    scan completed successfully
    hidden processes: 0
    hidden services: 1
    hidden files: 0


    Remaining Services:
    ——————



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    —————

    File Backups: - C:\DOWNLO~1\TIJDEL~1\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Sat 2 Nov 2002 134 ..SH. — "C:\AUTOEXEC.BAK"
    Wed 5 May 1999 96,546 ..SH. — "C:\COMMAND.COM"
    Sat 2 Nov 2002 1,676 A.SHR — "C:\MSDOS.BAK"
    Sat 2 Nov 2002 7,809 ..SH. — "C:\SUHDLOG.BAK"
    Wed 5 May 1999 53,248 A..H. — "C:\Program Files\Accessories\mspcx32.dll"
    Sat 9 Oct 2004 4,348 A.SH. — "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Mon 11 Aug 2003 1,206 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
    Sun 16 Feb 2003 1,206 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
    Sun 16 Feb 2003 12,580 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
    Mon 11 Aug 2003 12,580 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"

    Finished!

    ComboFix 08-01-03.4 - Adri 2008-01-07 16:18:24.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.119 [GMT 1:00]
    Started from: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Adri\Bureaublad\CFScript.txt

    FILE
    C:\WINDOWS\system32\aduzqsx.exe
    C:\WINDOWS\system32\atxgll.exe
    C:\WINDOWS\System32\drivers\kwklkwot.dat
    C:\WINDOWS\system32\ihkjq.exe
    C:\WINDOWS\system32\lcbabi.exe
    C:\WINDOWS\system32\onmzwt.exe
    C:\WINDOWS\system32\ujvm.exe
    C:\WINDOWS\system32\uuak.exe
    C:\WINDOWS\system32\xblibm.exe
    C:\WINDOWS\system32\zoicdvee.exe
    .

    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\aduzqsx.exe
    C:\WINDOWS\system32\atxgll.exe
    C:\WINDOWS\system32\ihkjq.exe
    C:\WINDOWS\system32\lcbabi.exe
    C:\WINDOWS\system32\onmzwt.exe
    C:\WINDOWS\system32\ujvm.exe
    C:\WINDOWS\system32\uuak.exe
    C:\WINDOWS\system32\xblibm.exe
    C:\WINDOWS\system32\zoicdvee.exe

    .
    (((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 ))))))))))))))))))))))))))))))
    .

    2008-01-06 17:04 . 2008-01-07 16:13 <DIR> dr-h—– C:\Documents and Settings\Adri\Onlangs geopend
    2008-01-05 16:19 . 2008-01-05 16:19 <DIR> d——– C:\WINDOWS\ERUNT
    2008-01-03 22:45 . 2000-08-31 08:00 51,200 –a—— C:\WINDOWS\NirCmd.exe
    2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d——– C:\Documents and Settings\Adri\Contacts
    2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d—-c— C:\WINDOWS\system32\DRVSTORE

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-06 07:24 ——— d—–w C:\Documents and Settings\All Users\Application Data\avg7
    2008-01-03 22:31 ——— d—–w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-03 19:56 ——— d—–w C:\Program Files\Google
    2007-12-28 17:11 ——— d—–w C:\Program Files\MSN Messenger
    2007-12-23 21:51 ——— d—–w C:\Program Files\kari
    2007-12-02 13:46 ——— d—–w C:\Program Files\Mijn Paardenstal
    2007-11-09 13:38 ——— d—–w C:\Program Files\Java
    2006-02-27 23:54 26,958 —-a-w C:\Program Files\MovieLand Terms.html
    2002-11-02 13:01 266 –sh–w C:\Program Files\desktop.ini
    2002-11-02 13:01 11,209 —ha-w C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-03_22.50.55,04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-05 05:57:26 163,328 —-a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-01-05 16:23:15 4,345,856 —-a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-01-05 16:23:15 147,456 —-a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-01-05 05:57:26 163,328 —-a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-01-05 15:19:34 4,345,856 —-a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2008-01-05 15:19:34 147,456 —-a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legitimate default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
    "WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
    "MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]

    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
    R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
    S0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-07 16:24:38
    Windows 5.1.2600 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    Scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-07 16:25:28
    ComboFix-quarantined-files.txt 2008-01-07 15:25:08
    ComboFix2.txt 2008-01-06 15:56:47
    ComboFix3.txt 2008-01-04 18:54:14
    ComboFix4.txt 2008-01-04 18:21:11
    ComboFix5.txt 2008-01-03 21:52:21

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 16:37:15, on 7-1-2008
    Platform: Windows XP (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINPAT~1\WinPatrol.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe


    End of file - 5753 bytes



  • Download the latest version of Hijackthis:
    http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

    Download: RVAXO.exe
    Save the file to your desktop, then double-click it.
    You can let the program extract to your desktop.
    Now open the RVAXO folder on your desktop and double-click RVAXO.cmd
    A window will open in which a few lines about files not found will quickly scroll by; this is normal.
    Possibly an uninstaller of a rogue scanner will also start; do not close it, but follow any instructions and let it do its work.
    After that your PC will restart; after the restart the RVAXO window opens again.
    Let it run and wait until a logfile opens.
    It can also be found here: C:\RVAXO-results.log
    Post the contents in your next message together with a new HijackThis log.

    Did your PC not restart?

    Run RVAXO once more and then post the new log: C:\rvaxo-results.log

    After that, go to the Windows Update site and download at least SP1.
    Restart your PC in safe mode and make a new log with SDFix.

    Post it together with the RVAXO log.

    Pim
  • Here are some more new logs.


    SDFix: Version 1.124

    Run by Adri on di 08-01-2008 at 16:30

    Microsoft Windows XP [versie 5.1.2600]

    Running From: C:\DOWNLO~1\TIJDEL~1\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting…


    Normal Mode:
    Checking Files:

    No Trojan Files Found





    Removing Temp Files…

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-08 16:58:34
    Windows 5.1.2600 NTFS

    scanning hidden processes …

    scanning hidden services & system hive …

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?]
    "Type"=dword:00000110
    "Start"=dword:00000004
    "ErrorControl"=dword:00000000
    "ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
    "DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
    "ObjectName"="LocalSystem"
    "FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
    "Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?]
    "Type"=dword:00000110
    "Start"=dword:00000004
    "ErrorControl"=dword:00000000
    "ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
    "DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
    "ObjectName"="LocalSystem"
    "FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
    "Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

    scanning hidden registry entries …

    scanning hidden files …

    IPC error: 2 Het systeem kan het opgegeven bestand niet vinden.

    scan completed successfully
    hidden processes: 0
    hidden services: 1
    hidden files: 0


    Remaining Services:
    ——————



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    —————


    Files with Hidden Attributes:

    Sat 2 Nov 2002 134 ..SH. — "C:\AUTOEXEC.BAK"
    Wed 5 May 1999 96,546 ..SH. — "C:\COMMAND.COM"
    Sat 2 Nov 2002 1,676 A.SHR — "C:\MSDOS.BAK"
    Sat 2 Nov 2002 7,809 ..SH. — "C:\SUHDLOG.BAK"
    Wed 5 May 1999 53,248 A..H. — "C:\Program Files\Accessories\mspcx32.dll"
    Sat 9 Oct 2004 4,348 A.SH. — "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Mon 11 Aug 2003 1,206 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
    Sun 16 Feb 2003 1,206 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
    Sun 16 Feb 2003 12,580 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
    Mon 11 Aug 2003 12,580 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"

    Finished!

    —————-RVAXO.exe first run————-

    Files found:


    Uninstallers Rogue scanners:


    Folders Found:


    Hosts-file was reset, If you use a custom hosts file please replace it…

    ————–RVAXO.exe last run—————

    Files found:

    Folders Found:

    ————–RVAXO.exe finished—————-

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:09:57, on 8-1-2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    D:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199805747080
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe


    End of file - 5203 bytes


  • In any case I would still fix the following 2 entries with Hijackthis:

    O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab

    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe


    Regards, Emiel
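As an added example (not code from the forum post above and not part of HijackThis), here is a small Python triage helper that parses the O16 "Download Program Files" lines of a HijackThis log such as the one posted and flags the same two entries Emiel points at. The two review heuristics it applies (an ActiveX control with no registered description, and a download target that is not a .cab package) are this example's own assumptions, not HijackThis rules; the sample log embedded in it is constructed from the O16 lines of the second log in the thread.

```python
"""HijackThis O16 triage: added example, not code from the original forum
post or from HijackThis itself.

O16 entries list ActiveX controls that Internet Explorer downloaded into
Downloaded Program Files. Two review heuristics are applied here; both are
this example's own assumptions, not HijackThis rules:
  1. the control has no registered description ("(no name)" or absent), and
  2. the download target is not a .cab package (e.g. a bare .exe).
"""
import re
from urllib.parse import urlparse

# "O16 - DPF: {CLSID} (Description) - URL"; the description is optional,
# which is exactly how the two entries flagged in the thread look.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)


def parse_o16(line):
    """Return (clsid, description-or-None, url) for an O16 line, else None."""
    m = O16_RE.match(line.strip())
    if m is None:
        return None
    return m.group("clsid"), m.group("name"), m.group("url")


def triage_o16(line):
    """Return the list of reasons an O16 entry deserves review (empty = routine)."""
    parsed = parse_o16(line)
    if parsed is None:
        return []
    _clsid, name, url = parsed
    reasons = []
    if not name or name.strip().lower() == "no name":
        reasons.append("no registered description for the ActiveX control")
    # urlparse() separates the query string, so a cache-busting "?1199805747080"
    # suffix like the one on the Windows Update entry does not hide a .cab extension.
    path = urlparse(url).path.lower()
    if not path.endswith(".cab"):
        filename = path.rsplit("/", 1)[-1] or "(none)"
        reasons.append("download target is not a .cab package: " + filename)
    return reasons


def triage_log(text):
    """Map the CLSID of each suspicious O16 entry in a log to its reasons."""
    findings = {}
    for line in text.splitlines():
        parsed = parse_o16(line)
        if parsed is None:
            continue  # R0/O2/O4/O23 lines are ignored by this helper
        reasons = triage_o16(line)
        if reasons:
            findings[parsed[0]] = reasons
    return findings


# Constructed sample: the O16 section of the second HijackThis log in the
# thread, plus one unrelated O4 line to show that non-O16 lines are skipped.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [WinPatrol] "c:\\WINPAT~1\\WinPatrol.exe"
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199805747080
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
"""

if __name__ == "__main__":
    for clsid, reasons in triage_log(SAMPLE_LOG).items():
        print(clsid)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the helper reports only the movienetworks and cavello entries: the first because it carries no description, the second for both reasons. The output is a review hint for a human looking at the log, not a verdict; a missing description also occurs on benign controls, which is why the named entries (iPIX, WUWebControl, Zylom) pass without comment.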
  • That is the least of his worries, Emiel :wink:

    Go to the Windows Update website and download all available updates there. Restart your PC and post a Hijackthis log for checking.

    Good luck!
    Pim
  • It doesn't work via the Windows Update site, because it is a slightly less legal version of XP.
    I am now trying it via "offline update" from heise-security; I hope that works.
    But is all the virus and trojan junk gone now?
    I still have the problem that CPU usage sits at 100% until I kill it with Task Manager and then start it again via File…. after that it is normal.

This is an archived page. Replying is no longer possible.