Question & Answer
Trojan horse BHO.CVX
18 answers
- Lately I have been getting the following AVG "Threat Detected" message every few minutes: Trojan horse BHO.CVX.
Who can help me get rid of this?
Thanks in advance,
Yo! - Download the HijackThis setup to your Desktop.
Open HJTInstall and choose the location where you want to install HijackThis.
Then click Install; after a few seconds HijackThis will open automatically.
Now choose 'Do a system scan and save a logfile'.
A Notepad file with a logfile opens. Select all of this text (ctrl-A), copy it (ctrl-C) and paste it into your next post.
Good luck! 8)
Pim - Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:20:42, on 3-1-2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINPAT~1\WinPatrol.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Internet Security Service ] msq23.exe
O4 - HKLM\..\Run: [windle] windle.exe
O4 - HKLM\..\RunServices: [Internet Security Service ] msq23.exe
O4 - HKLM\..\RunServices: [] AWG.exe
O4 - HKLM\..\RunServices: [windle] windle.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Internet Security Service ] msq23.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Office Monitor] C:\WINDOWS\System32\alg32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ICQ Agent] C:\WINDOWS\System32\icq6.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Messanger 7] C:\WINDOWS\System32\msgs7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} - http://advnt01.com/dialer/olanda_ver3.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
–
End of file - 6368 bytes
- Start HijackThis, choose 'do a system scan only' and tick the lines below:
F2 - REG:system.ini: UserInit=userinit.exe,
O4 - HKLM\..\Run: [Internet Security Service ] msq23.exe
O4 - HKLM\..\Run: [windle] windle.exe
O4 - HKLM\..\RunServices: [Internet Security Service ] msq23.exe
O4 - HKLM\..\RunServices: [] AWG.exe
O4 - HKLM\..\RunServices: [windle] windle.exe
O4 - HKUS\S-1-5-18\..\Run: [Internet Security Service ] msq23.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Office Monitor] C:\WINDOWS\System32\alg32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ICQ Agent] C:\WINDOWS\System32\icq6.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Messanger 7] C:\WINDOWS\System32\msgs7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'Default user')
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} - http://advnt01.com/dialer/olanda_ver3.CAB
Close all open windows except HijackThis and click 'Fix checked'.
Download Combofix to your desktop.
If you have used Combofix before, please delete that version and download Combofix again via the link above, because Combofix is updated daily.
NOTE: if, during or after downloading Combofix or while using Combofix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download Combofix again. Some scanners treat certain components that Combofix uses as suspicious and will block or delete them!
Double-click combofix.exe.
Choose "Continue" by typing 1 followed by ENTER.
While the fix is running, do NOT click in the window, because that will make your PC hang.
When the fix is complete and after the restart, the log combofix.txt will open.
Post the Combofix log (combofix.txt) in your next reply together with a fresh HijackThis log.
Good luck!
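The reply above picks its 'Fix checked' lines by eye. As an added example that is not part of this thread, the Python below parses HijackThis O4 lines and applies the same kind of reasoning the helper used: a bare filename with no path, an entry in the legacy RunServices key, an empty entry name, or an unknown System32 executable autostarted from the SYSTEM profile (HKUS\S-1-5-18). The sample lines are the O4 entries from Pim's first log; the KNOWN_SYSTEM32 allowlist is a constructed assumption for this example, not a HijackThis feature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HijackThis O4 line: "O4 - <hive>\..\<Run key>: [<name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
USER_RE = re.compile(r" \(User '(?P<user>[^']*)'\)$")
# First .exe in the command, quoted or not; anything after it is arguments.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)

SYSTEM_SID = "S-1-5-18"  # profile hive of the SYSTEM account under HKUS
# Constructed allowlist for this example: Windows binaries that legitimately
# autostart from the SYSTEM profile. Tune this for the environment being reviewed.
KNOWN_SYSTEM32 = {"ctfmon.exe"}


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    exe: str
    user: str
    line: str


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 registry entry; returns None for other lines (e.g. Global Startup)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd, user = m["cmd"], ""
    um = USER_RE.search(cmd)
    if um:
        user, cmd = um["user"], cmd[: um.start()]
    em = EXE_RE.match(cmd)
    exe = em["path"] if em else (cmd.split() or [""])[0]
    return O4Entry(m["hive"], m["key"], m["name"], exe, user, line.strip())


def suspicious_reasons(e: O4Entry) -> List[str]:
    """Heuristics a log reviewer applies to autostart entries."""
    reasons = []
    if e.key.lower() == "runservices":
        # Windows 9x/ME-era key; XP itself does not process it, so only software
        # that blindly writes to every autostart location ends up here.
        reasons.append("entry in legacy RunServices key")
    if not e.name.strip():
        reasons.append("empty entry name")
    if "\\" not in e.exe:
        # A bare filename is resolved via the search path and hides where the binary lives.
        reasons.append("bare filename without a path")
    base = e.exe.rsplit("\\", 1)[-1].lower()
    in_system32 = e.exe.lower().startswith("c:\\windows\\system32\\")
    if SYSTEM_SID in e.hive and in_system32 and base not in KNOWN_SYSTEM32:
        reasons.append("unknown System32 executable started from the SYSTEM profile")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every O4 entry that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry.line, reasons))
    return findings


# Sample input: the O4 entries from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Internet Security Service ] msq23.exe
O4 - HKLM\..\Run: [windle] windle.exe
O4 - HKLM\..\RunServices: [Internet Security Service ] msq23.exe
O4 - HKLM\..\RunServices: [] AWG.exe
O4 - HKLM\..\RunServices: [windle] windle.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Internet Security Service ] msq23.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Office Monitor] C:\WINDOWS\System32\alg32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ICQ Agent] C:\WINDOWS\System32\icq6.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Messanger 7] C:\WINDOWS\System32\msgs7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample, the script flags exactly the eleven O4 lines the helper asked Pim to tick and leaves the AVG, WinPatrol and CTFMON entries alone. Point it at a saved hijackthis.log by passing the file contents to triage(); the allowlist is the part to adjust.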
Pim - Here is the ComboFix log:
ComboFix 08-01-03.4 - Adri 2008-01-03 22:48:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.76 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-03 to 2008-01-03 ))))))))))))))))))))))))))))))
.
2008-01-03 22:45 . 2000-08-31 08:00 51,200 –a—— C:\WINDOWS\NirCmd.exe
2008-01-03 21:46 . 2008-01-03 22:21 <DIR> dr-h—– C:\Documents and Settings\Adri\Onlangs geopend
2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d——– C:\Documents and Settings\Adri\Contacts
2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d—-c— C:\WINDOWS\system32\DRVSTORE
2007-12-12 12:34 . 2007-12-12 12:34 427,016 –a—— C:\wingkka.exe
2007-12-07 13:11 . 19,456 C:\WINDOWS\system32\drivers\kwklkwot.dat
2007-12-04 13:45 . 2007-12-04 13:45 116,480 –a—— C:\WINDOWS\system32\sxtznrle.dat
2007-12-04 13:35 . 2008-01-03 14:02 <DIR> d——– C:\WINDOWS\system32\AppCert
2007-12-04 13:35 . 2001-09-07 13:00 84,480 –a—— C:\WINDOWS\system32\dsauthw.dll.bak
2007-12-04 13:35 . 2007-12-04 13:35 16,384 –a—— C:\WINDOWS\system32\t4isiu0.exe
2007-12-04 13:34 . 2001-09-07 13:00 84,992 –a—— C:\WINDOWS\system32\EqnClassj.dll
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 19:56 ——— d—–w C:\Program Files\Google
2007-12-28 17:11 ——— d—–w C:\Program Files\MSN Messenger
2007-12-23 21:51 ——— d—–w C:\Program Files\kari
2007-12-02 13:46 ——— d—–w C:\Program Files\Mijn Paardenstal
2007-12-01 19:18 680,105 —-a-w C:\zena.exe
2007-12-01 19:18 ——— d—–w C:\Program Files\dfsdfsd
2007-12-01 19:17 991,304 —-a-w C:\z3na.exe
2007-11-25 13:35 ——— d—–w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-13 14:10 38,649 —-a-w C:\WINDOWS\system32\kl.exe
2007-11-11 11:44 171,008 —-a-w C:\WINDOWS\system32\avvg.exe
2007-11-09 15:22 78,336 –sha-w C:\WINDOWS\system32\irdvxc.exe
2007-11-09 13:38 ——— d—–w C:\Program Files\Java
2006-02-27 23:54 26,958 —-a-w C:\Program Files\MovieLand Terms.html
2002-11-02 13:01 266 –sh–w C:\Program Files\desktop.ini
2002-11-02 13:01 11,209 —ha-w C:\Program Files\folder.htt
2001-09-07 12:00 169,984 –sh–r C:\WINDOWS\system32\fixy.exe
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF1304BD-504B-441E-A401-35BD9E50BA94}]
2001-09-07 13:00 84992 –a—— C:\WINDOWS\system32\EqnClassj.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
"WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine"="Linux.exe" []
"MSN UPDATERS"="virtualmemory.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]
"Internet Security Service "="msq23.exe" []
R0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
S2 EnGenius Network Analysis Tool;EnGenius Network Analysis Tool;"C:\WINDOWS\System32\dllcache\winegne.exe" []
S4 INService;Windows Installer Manager;C:\WINDOWS\System32\winins.exe []
S4 MSDisk;Network helper Service;"C:\WINDOWS\System32\irdvxc.exe" [2007-11-09 16:22]
S4 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 22:50:47
Windows 5.1.2600 NTFS
scannen van verborgen processen …
scannen van verborgen autostart items …
scannen van verborgen bestanden …
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
.
Voltooingstijd: 2008-01-03 22:52:20
ComboFix2.txt 2007-12-23 21:15:05
And the fresh HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:01:36, on 3-1-2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINPAT~1\WinPatrol.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Machine] Linux.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update Machine] Linux.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
–
End of file - 5500 bytes
- Open Notepad, copy and paste the following text into an empty window:
File::
C:\wingkka.exe
C:\WINDOWS\system32\drivers\kwklkwot.dat
C:\WINDOWS\system32\sxtznrle.dat
C:\WINDOWS\system32\dsauthw.dll.bak
C:\WINDOWS\system32\t4isiu0.exe
C:\WINDOWS\system32\EqnClassj.dll
C:\zena.exe
C:\z3na.exe
C:\WINDOWS\system32\fixy.exe
C:\WINDOWS\system32\kl.exe
C:\WINDOWS\system32\avvg.exe
Folder::
C:\Program Files\dfsdfsd
Driver::
kwklkwot
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF1304BD-504B-441E-A401-35BD9E50BA94}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine"=-
"MSN UPDATERS"=-
"Internet Security Service"=-
Save this to your Desktop as CFScript.txt
Drag CFScript.txt onto ComboFix.exe as shown in the example below:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will make ComboFix restart.
Reboot if asked to,
and post the contents of Combofix.txt in your next reply together with a new HijackThis log.
How are your problems now?
Good luck!
Pim - After a lot of (repair) time the thing has restarted again and I have not had the message again yet, so it looks like the horse is gone.
Here are a few more logs:
ComboFix 08-01-03.4 - Adri 2008-01-04 19:31:50.4 - NTFSx86
Gestart vanuit: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Adri\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
FILE
C:\WINDOWS\system32\avvg.exe
C:\WINDOWS\system32\drivers\kwklkwot.dat
C:\WINDOWS\system32\dsauthw.dll.bak
C:\WINDOWS\system32\EqnClassj.dll
C:\WINDOWS\system32\fixy.exe
C:\WINDOWS\system32\kl.exe
C:\WINDOWS\system32\sxtznrle.dat
C:\WINDOWS\system32\t4isiu0.exe
C:\wingkka.exe
C:\z3na.exe
C:\zena.exe
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\dfsdfsd
C:\Program Files\dfsdfsd\aliases.ini
C:\Program Files\dfsdfsd\cult.exe
C:\Program Files\dfsdfsd\gt.x
C:\Program Files\dfsdfsd\kiss.exe
C:\Program Files\dfsdfsd\knlps.sys
C:\Program Files\dfsdfsd\ksat.bat
C:\Program Files\dfsdfsd\law.x
C:\Program Files\dfsdfsd\lovely.sys
C:\Program Files\dfsdfsd\mirc.ini
C:\Program Files\dfsdfsd\murd3r
C:\Program Files\dfsdfsd\orrl.exe
C:\Program Files\dfsdfsd\pingy.exe
C:\Program Files\dfsdfsd\ps2m.exe
C:\Program Files\dfsdfsd\remote.ini
C:\Program Files\dfsdfsd\repcale.exe
C:\Program Files\dfsdfsd\w.e
C:\WINDOWS\system32\avvg.exe
C:\WINDOWS\system32\drivers\kwklkwot.dat
C:\WINDOWS\system32\dsauthw.dll.bak
C:\WINDOWS\system32\EqnClassj.dll
C:\WINDOWS\system32\fixy.exe
C:\WINDOWS\system32\kl.exe
C:\WINDOWS\system32\sxtznrle.dat
C:\WINDOWS\system32\t4isiu0.exe
C:\wingkka.exe
C:\z3na.exe
C:\zena.exe
.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-04 to 2008-01-04 ))))))))))))))))))))))))))))))
.
2008-01-04 19:26 . 2008-01-04 19:26 45,568 –a—— C:\WINDOWS\system32\ujvm.exe
2008-01-04 19:26 . 2008-01-04 19:26 45,568 –a—— C:\WINDOWS\system32\boqn.exe
2008-01-04 19:26 . 2008-01-04 19:26 20,819 –a—— C:\WINDOWS\system32\nschl.exe
2008-01-04 19:26 . 2008-01-04 19:26 20,819 –a—— C:\WINDOWS\system32\fswb.exe
2008-01-04 17:01 . 2008-01-04 17:01 45,568 –a—— C:\WINDOWS\system32\jwbftp.exe
2008-01-04 17:01 . 2008-01-04 17:01 20,819 –a—— C:\WINDOWS\system32\tkmoky.exe
2008-01-04 16:59 . 2008-01-04 16:59 45,568 –a—— C:\WINDOWS\system32\ebwtupn.exe
2008-01-04 16:59 . 2008-01-04 16:59 20,819 –a—— C:\WINDOWS\system32\kyhecd.exe
2008-01-04 15:30 . 2008-01-04 15:30 45,568 –a—— C:\WINDOWS\system32\fwkxx.exe
2008-01-04 15:30 . 2008-01-04 15:30 20,819 –a—— C:\WINDOWS\system32\xdflcbmr.exe
2008-01-04 15:28 . 2008-01-04 15:28 45,568 –a—— C:\WINDOWS\system32\ivvx.exe
2008-01-04 15:28 . 2008-01-04 15:28 20,819 –a—— C:\WINDOWS\system32\xxwdl.exe
2008-01-04 13:06 . 2008-01-04 13:06 45,568 –a—— C:\WINDOWS\system32\jtuf.exe
2008-01-04 13:06 . 2008-01-04 13:06 20,819 –a—— C:\WINDOWS\system32\sgptbq.exe
2008-01-04 13:04 . 2008-01-04 13:04 45,568 –a—— C:\WINDOWS\system32\bwqfvg.exe
2008-01-04 13:04 . 2008-01-04 13:04 20,819 –a—— C:\WINDOWS\system32\dxts.exe
2008-01-04 12:56 . 2008-01-04 12:56 45,568 –a—— C:\WINDOWS\system32\zvozaygf.exe
2008-01-04 12:56 . 2008-01-04 12:56 45,568 –a—— C:\WINDOWS\system32\huwpggf.exe
2008-01-04 12:56 . 2008-01-04 12:56 20,819 –a—— C:\WINDOWS\system32\uxshewz.exe
2008-01-04 12:56 . 2008-01-04 12:56 20,819 –a—— C:\WINDOWS\system32\umnlzev.exe
2008-01-03 22:45 . 2000-08-31 08:00 51,200 –a—— C:\WINDOWS\NirCmd.exe
2008-01-03 21:46 . 2008-01-04 19:29 <DIR> dr-h—– C:\Documents and Settings\Adri\Onlangs geopend
2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d——– C:\Documents and Settings\Adri\Contacts
2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d—-c— C:\WINDOWS\system32\DRVSTORE
2007-12-04 13:35 . 2008-01-03 14:02 <DIR> d——– C:\WINDOWS\system32\AppCert
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 22:31 ——— d—–w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 19:56 ——— d—–w C:\Program Files\Google
2007-12-28 17:11 ——— d—–w C:\Program Files\MSN Messenger
2007-12-23 21:51 ——— d—–w C:\Program Files\kari
2007-12-02 13:46 ——— d—–w C:\Program Files\Mijn Paardenstal
2007-11-25 13:35 ——— d—–w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-09 15:22 78,336 –sha-w C:\WINDOWS\system32\irdvxc.exe
2007-11-09 13:38 ——— d—–w C:\Program Files\Java
2006-02-27 23:54 26,958 —-a-w C:\Program Files\MovieLand Terms.html
2002-11-02 13:01 266 –sh–w C:\Program Files\desktop.ini
2002-11-02 13:01 11,209 —ha-w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2008-01-03_22.50.55,04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-09-07 12:00:00 82,944 —h–w C:\WINDOWS\system32\algs.exe
+ 2001-09-07 12:00:00 108,544 —h–w C:\WINDOWS\system32\spoolsvc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
"WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]
"Spooler SubSystem App"="C:\WINDOWS\System32\spoolsvc.exe" [2001-09-07 13:00 108544]
"Application Layer Gateway Service"="C:\WINDOWS\System32\algs.exe" [2001-09-07 13:00 82944]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]
"Internet Security Service "="msq23.exe" []
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
S0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []
S2 EnGenius Network Analysis Tool;EnGenius Network Analysis Tool;"C:\WINDOWS\System32\dllcache\winegne.exe" []
S4 INService;Windows Installer Manager;C:\WINDOWS\System32\winins.exe []
S4 MSDisk;Network helper Service;"C:\WINDOWS\System32\irdvxc.exe" [2007-11-09 16:22]
S4 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 19:50:13
Windows 5.1.2600 NTFS
scannen van verborgen processen …
scannen van verborgen autostart items …
scannen van verborgen bestanden …
C:\WINDOWS\system32\uuak.exe 45568 bytes executable
**************************************************************************
.
Voltooingstijd: 2008-01-04 19:54:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 18:53:13
ComboFix2.txt 2008-01-04 18:21:11
ComboFix3.txt 2008-01-03 21:52:21
ComboFix4.txt 2007-12-23 21:15:05
And:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:59:16, on 4-1-2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINPAT~1\WinPatrol.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\algs.exe
C:\WINDOWS\System32\spoolsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
--
End of file - 6098 bytes - Not clean yet :cry:
Download SDFix to your Desktop.
Double-click it to open it, select all files and extract them to a folder of their own named SDFix.
Start your computer in Safe Mode.
Open the SDFix folder and double-click runthis.bat to start the tool.
Let the computer restart when asked to.
SDFix will continue and open a small report when it is done!
Post this report in your next reply together with a new HijackThis log.
Pim - I am running SDFix, but since it restarted it has now been going for about an hour with something like "Repairing registry, please wait" in the window.
This is not really getting anywhere. - Are you running SDFix in Safe Mode? Otherwise it will indeed not work.
1. Print these instructions or save them in a Notepad file: in a moment you will have to work in Safe Mode, and you cannot get back to this page there.
2. Start your computer in Safe Mode:
http://users.telenet.be/marcvn/spyware/1378056.htm
3. Start HijackThis, choose 'Do a system scan only' and tick the lines below:
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
Now close all open windows except HijackThis and click 'Fix checked'
4. Delete the following files:
C:\WINDOWS\System32\algs.exe
C:\WINDOWS\System32\spoolsvc.exe
Mind the file names: they look very much like the legitimate Windows file names!
Also delete:
C:\WINDOWS\system32\ujvm.exe
C:\WINDOWS\system32\boqn.exe
C:\WINDOWS\system32\nschl.exe
C:\WINDOWS\system32\fswb.exe
C:\WINDOWS\system32\jwbftp.exe
C:\WINDOWS\system32\tkmoky.exe
C:\WINDOWS\system32\ebwtupn.exe
C:\WINDOWS\system32\kyhecd.exe
C:\WINDOWS\system32\fwkxx.exe
C:\WINDOWS\system32\xdflcbmr.exe
C:\WINDOWS\system32\ivvx.exe
C:\WINDOWS\system32\xxwdl.exe
C:\WINDOWS\system32\jtuf.exe
C:\WINDOWS\system32\sgptbq.exe
C:\WINDOWS\system32\bwqfvg.exe
C:\WINDOWS\system32\dxts.exe
C:\WINDOWS\system32\zvozaygf.exe
C:\WINDOWS\system32\huwpggf.exe
C:\WINDOWS\system32\uxshewz.exe
C:\WINDOWS\system32\umnlzev.exe
5. Empty your Temp folders (Note: empty the folders, do not delete them!!):
C:\Windows\Temp
C:\Documents and Settings\<profile name>\Local Settings\Temp
C:\Documents and Settings\<profile name>\Local Settings\Temporary Internet Files
C:\Documents and Settings\<profile name>\Local Settings\Temporary Internet Files\content.ie5
If the last folder is not shown, go to the Temporary Internet Files folder, type \content.ie5 after it in the address bar and press Enter.
Empty your Recycle Bin.
6. Now run SDFix again.
After the restart, make a new ComboFix log and post it, together with the SDFix log, in your next reply.
Good luck!
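The two tricks the post above asks the user to undo by hand are worth automating when you triage logs like this regularly: an autostart whose executable name is one character off a genuine Windows binary (spoolsvc.exe next to the real spoolsv.exe, algs.exe next to alg.exe, both placed in System32 so a glance at the path looks fine), and a service whose image is missing or sits in dllcache, a folder that only holds Windows File Protection copies and never hosts a service. The script below is an added example, not part of the thread or of HijackThis; it parses O4 and O23 lines and returns findings. The allow-list of system binaries is an assumption kept deliberately short; a real triage would compare against a full known-good manifest of the OS build. The sample lines are copied from the HijackThis log posted earlier in this thread.

```python
"""Triage HijackThis O4 (Run key) and O23 (service) lines for look-alike
executable names and for services with a missing or dllcache-resident image.
Added example; not part of the original thread or of HijackThis itself."""
import re

# Assumption: a short allow-list of genuine Windows XP system binaries. A real
# triage would use a complete known-good file manifest for the OS build.
LEGIT = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "alg.exe", "ctfmon.exe", "explorer.exe",
}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# First token ending in .exe, quoted or not; also copes with unquoted paths
# containing spaces, which these logs contain.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike(name):
    """Return the genuine binary this name imitates, or None.

    Exactly one edit away from a system binary, but not that binary, is the
    pattern used by spoolsvc.exe and algs.exe in this thread."""
    if name in LEGIT:
        return None
    for good in sorted(LEGIT):
        if levenshtein(name, good) == 1:
            return good
    return None


def triage_line(line):
    """Return a list of (severity, reason) findings for one HijackThis line."""
    findings = []
    m = O4_RE.match(line)
    if m:
        exe = EXE_RE.match(m.group("cmd"))
        if not exe:
            return findings
        path = exe.group("path")
        name = basename(path)
        good = lookalike(name)
        if good:
            findings.append(("high", f"{name} is one edit away from Windows binary {good}"))
        elif "\\system32\\" in path.lower() and name not in LEGIT:
            findings.append(("medium", f"unknown executable {name} autostarts from System32"))
        return findings
    m = O23_RE.match(line)
    if m:
        path, display = m.group("path"), m.group("display")
        if m.group("missing"):
            findings.append(("medium", f"service '{display}' points at missing file {path}"))
        if "\\dllcache\\" in path.lower():
            findings.append(("high", f"service '{display}' runs from dllcache, which only holds Windows File Protection copies"))
        good = lookalike(basename(path))
        if good:
            findings.append(("high", f"{basename(path)} is one edit away from Windows binary {good}"))
    return findings


def triage_log(text):
    """Return [(line, findings)] for every line that produced a finding."""
    out = []
    for line in text.splitlines():
        f = triage_line(line.strip())
        if f:
            out.append((line.strip(), f))
    return out


# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
"""

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_HJT):
        print(line)
        for severity, reason in findings:
            print(f"  [{severity}] {reason}")
```

Run on the sample, only the spoolsvc.exe, algs.exe and EnGenius lines produce findings; the legitimate AVG, keyboard and ctfmon entries stay silent. The edit-distance check is kept at exactly 1 on purpose: widening it to 2 starts matching unrelated short names such as avgw.exe against alg.exe.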
Pim - OK, here we are again...
SDFix did finish yesterday after about 4 hours; below is its log plus the ComboFix log after carrying out your instructions.
A few files could not be found, the rest has been deleted.
ComboFix 08-01-03.4 - Adri 2008-01-06 16:54:21.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.72 [GMT 1:00]
Started from: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
.
(((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 ))))))))))))))))))))))))))))))
.
2008-01-05 16:19 . 2008-01-05 16:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-05 12:51 . 2008-01-05 12:51 45,568 --a------ C:\WINDOWS\system32\onmzwt.exe
2008-01-05 12:51 . 2008-01-05 12:51 20,819 --a------ C:\WINDOWS\system32\aduzqsx.exe
2008-01-05 12:49 . 2008-01-05 12:49 45,568 --a------ C:\WINDOWS\system32\ihkjq.exe
2008-01-05 12:49 . 2008-01-05 12:49 20,819 --a------ C:\WINDOWS\system32\lcbabi.exe
2008-01-04 19:51 . 2008-01-04 19:51 45,568 --a------ C:\WINDOWS\system32\uuak.exe
2008-01-04 19:51 . 2008-01-04 19:51 20,819 --a------ C:\WINDOWS\system32\zoicdvee.exe
2008-01-04 19:50 . 2008-01-04 19:50 45,568 --a------ C:\WINDOWS\system32\xblibm.exe
2008-01-04 19:50 . 2008-01-04 19:50 20,819 --a------ C:\WINDOWS\system32\atxgll.exe
2008-01-04 19:26 . 2008-01-04 19:26 45,568 --a------ C:\WINDOWS\system32\ujvm.exe
2008-01-03 22:45 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 21:46 . 2008-01-06 16:26 <DIR> dr-h----- C:\Documents and Settings\Adri\Onlangs geopend
2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d-------- C:\Documents and Settings\Adri\Contacts
2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 07:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-03 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 19:56 --------- d-----w C:\Program Files\Google
2007-12-28 17:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-23 21:51 --------- d-----w C:\Program Files\kari
2007-12-02 13:46 --------- d-----w C:\Program Files\Mijn Paardenstal
2007-11-09 13:38 --------- d-----w C:\Program Files\Java
2006-02-27 23:54 26,958 ----a-w C:\Program Files\MovieLand Terms.html
2002-11-02 13:01 266 --sh--w C:\Program Files\desktop.ini
2002-11-02 13:01 11,209 ---ha-w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2008-01-03_22.50.55,04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-05 16:23:15 4,345,856 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-05 16:23:15 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-05 15:19:34 4,345,856 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-05 15:19:34 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
"WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2001-09-07 13:00 147456]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]
"Internet Security Service "="msq23.exe" []
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
S0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 16:55:49
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-06 16:56:46
ComboFix-quarantined-files.txt 2008-01-06 15:56:25
ComboFix2.txt 2008-01-04 18:54:14
ComboFix3.txt 2008-01-04 18:21:11
ComboFix4.txt 2008-01-03 21:52:21
ComboFix5.txt 2007-12-23 21:15:05
SDFix: Version 1.124
Run by Adri on za 05-01-2008 at 17:23
Microsoft Windows XP [versie 5.1.2600]
Running From: C:\DOWNLO~1\TIJDEL~1\SDFix
Safe Mode:
Checking Services:
Name:
EnGenius Network Analysis Tool
INService
MSDisk
MSWindows
Path:
EnGenius Network Analysis Tool - Deleted
INService - Deleted
MSDisk - Deleted
MSWindows - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting…
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\DP.EXE - Deleted
C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
C:\WINDOWS\SYSTEM32\IT.EXE - Deleted
C:\WINDOWS\SYSTEM32\KMCAFE.EXE - Deleted
C:\WINDOWS\SYSTEM32\NMSQ22.EXE - Deleted
C:\WINDOWS\SYSTEM32\REGFIX.EXE - Deleted
C:\WINDOWS\SYSTEM32\SCRCON~1.EXE - Deleted
C:\WINDOWS\system32\CatRoot\TMP15.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP16.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP18.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1A.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1B.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1D.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1E.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP20.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP21.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP23.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP24.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP26.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP27.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP29.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2A.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2C.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2D.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2F.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP30.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP32.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP33.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP35.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP36.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP38.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP39.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP3B.tmp - Deleted
C:\WINDOWS\system32\261.tmp - Deleted
C:\WINDOWS\system32\algs.exe - Deleted
C:\WINDOWS\system32\irdvxc.exe - Deleted
C:\WINDOWS\system32\spoolsvc.exe - Deleted
C:\WINDOWS\system32\TFTP1424 - Deleted
C:\WINDOWS\system32\TFTP1644 - Deleted
C:\WINDOWS\system32\TFTP2092 - Deleted
C:\WINDOWS\system32\TFTP2108 - Deleted
C:\WINDOWS\system32\TFTP220 - Deleted
C:\WINDOWS\system32\TFTP2404 - Deleted
C:\WINDOWS\system32\TFTP2908 - Deleted
C:\WINDOWS\system32\TFTP3192 - Deleted
C:\WINDOWS\system32\TFTP3328 - Deleted
C:\WINDOWS\system32\TFTP3336 - Deleted
C:\WINDOWS\system32\TFTP3384 - Deleted
C:\WINDOWS\system32\TFTP3760 - Deleted - It is starting to look better and better! Could you check again whether you posted the complete SDFix report? It looks incomplete to me.
Open Notepad, copy and paste the following into an empty window:
File::
C:\WINDOWS\system32\onmzwt.exe
C:\WINDOWS\system32\aduzqsx.exe
C:\WINDOWS\system32\ihkjq.exe
C:\WINDOWS\system32\lcbabi.exe
C:\WINDOWS\system32\uuak.exe
C:\WINDOWS\system32\zoicdvee.exe
C:\WINDOWS\system32\xblibm.exe
C:\WINDOWS\system32\atxgll.exe
C:\WINDOWS\system32\ujvm.exe
C:\WINDOWS\System32\drivers\kwklkwot.dat
Driver::
kwklkwot
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Security Service "=-
Save this on your Desktop as CFScript.txt
Drag CFScript.txt onto ComboFix.exe as shown in the example below:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will make ComboFix restart.
Reboot when asked to,
and post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Good luck!
Pim - Here, hopefully, is the complete SDFix report once more + ComboFix log + HijackThis log:
SDFix: Version 1.124
Run by Adri on za 05-01-2008 at 17:23
Microsoft Windows XP [versie 5.1.2600]
Running From: C:\DOWNLO~1\TIJDEL~1\SDFix
Safe Mode:
Checking Services:
Name:
EnGenius Network Analysis Tool
INService
MSDisk
MSWindows
Path:
EnGenius Network Analysis Tool - Deleted
INService - Deleted
MSDisk - Deleted
MSWindows - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting…
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\DP.EXE - Deleted
C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
C:\WINDOWS\SYSTEM32\IT.EXE - Deleted
C:\WINDOWS\SYSTEM32\KMCAFE.EXE - Deleted
C:\WINDOWS\SYSTEM32\NMSQ22.EXE - Deleted
C:\WINDOWS\SYSTEM32\REGFIX.EXE - Deleted
C:\WINDOWS\SYSTEM32\SCRCON~1.EXE - Deleted
C:\WINDOWS\system32\CatRoot\TMP15.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP16.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP18.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1A.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1B.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1D.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1E.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP20.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP21.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP23.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP24.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP26.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP27.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP29.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2A.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2C.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2D.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2F.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP30.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP32.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP33.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP35.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP36.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP38.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP39.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP3B.tmp - Deleted
C:\WINDOWS\system32\261.tmp - Deleted
C:\WINDOWS\system32\algs.exe - Deleted
C:\WINDOWS\system32\irdvxc.exe - Deleted
C:\WINDOWS\system32\spoolsvc.exe - Deleted
C:\WINDOWS\system32\TFTP1424 - Deleted
C:\WINDOWS\system32\TFTP1644 - Deleted
C:\WINDOWS\system32\TFTP2092 - Deleted
C:\WINDOWS\system32\TFTP2108 - Deleted
C:\WINDOWS\system32\TFTP220 - Deleted
C:\WINDOWS\system32\TFTP2404 - Deleted
C:\WINDOWS\system32\TFTP2908 - Deleted
C:\WINDOWS\system32\TFTP3192 - Deleted
C:\WINDOWS\system32\TFTP3328 - Deleted
C:\WINDOWS\system32\TFTP3336 - Deleted
C:\WINDOWS\system32\TFTP3384 - Deleted
C:\WINDOWS\system32\TFTP3760 - Deleted
Removing Temp Files…
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 18:26:59
Windows 5.1.2600 NTFS
scanning hidden processes …
scanning hidden services & system hive …
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
"Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
"Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
scanning hidden registry entries …
scanning hidden files …
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
File Backups: - C:\DOWNLO~1\TIJDEL~1\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sat 2 Nov 2002 134 ..SH. — "C:\AUTOEXEC.BAK"
Wed 5 May 1999 96,546 ..SH. — "C:\COMMAND.COM"
Sat 2 Nov 2002 1,676 A.SHR — "C:\MSDOS.BAK"
Sat 2 Nov 2002 7,809 ..SH. — "C:\SUHDLOG.BAK"
Wed 5 May 1999 53,248 A..H. — "C:\Program Files\Accessories\mspcx32.dll"
Sat 9 Oct 2004 4,348 A.SH. — "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Aug 2003 1,206 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sun 16 Feb 2003 1,206 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Sun 16 Feb 2003 12,580 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Mon 11 Aug 2003 12,580 A..HR — "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Finished!
ComboFix 08-01-03.4 - Adri 2008-01-07 16:18:24.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.119 [GMT 1:00]
Started from: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Adri\Bureaublad\CFScript.txt
FILE
C:\WINDOWS\system32\aduzqsx.exe
C:\WINDOWS\system32\atxgll.exe
C:\WINDOWS\System32\drivers\kwklkwot.dat
C:\WINDOWS\system32\ihkjq.exe
C:\WINDOWS\system32\lcbabi.exe
C:\WINDOWS\system32\onmzwt.exe
C:\WINDOWS\system32\ujvm.exe
C:\WINDOWS\system32\uuak.exe
C:\WINDOWS\system32\xblibm.exe
C:\WINDOWS\system32\zoicdvee.exe
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\aduzqsx.exe
C:\WINDOWS\system32\atxgll.exe
C:\WINDOWS\system32\ihkjq.exe
C:\WINDOWS\system32\lcbabi.exe
C:\WINDOWS\system32\onmzwt.exe
C:\WINDOWS\system32\ujvm.exe
C:\WINDOWS\system32\uuak.exe
C:\WINDOWS\system32\xblibm.exe
C:\WINDOWS\system32\zoicdvee.exe
.
(((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 ))))))))))))))))))))))))))))))
.
2008-01-06 17:04 . 2008-01-07 16:13 <DIR> dr-h----- C:\Documents and Settings\Adri\Onlangs geopend
2008-01-05 16:19 . 2008-01-05 16:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-03 22:45 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d-------- C:\Documents and Settings\Adri\Contacts
2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 07:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-03 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 19:56 --------- d-----w C:\Program Files\Google
2007-12-28 17:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-23 21:51 --------- d-----w C:\Program Files\kari
2007-12-02 13:46 --------- d-----w C:\Program Files\Mijn Paardenstal
2007-11-09 13:38 --------- d-----w C:\Program Files\Java
2006-02-27 23:54 26,958 ----a-w C:\Program Files\MovieLand Terms.html
2002-11-02 13:01 266 --sh--w C:\Program Files\desktop.ini
2002-11-02 13:01 11,209 ---ha-w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2008-01-03_22.50.55,04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-05 16:23:15 4,345,856 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-05 16:23:15 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-05 15:19:34 4,345,856 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-05 15:19:34 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
"WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
S0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 16:24:38
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-07 16:25:28
ComboFix-quarantined-files.txt 2008-01-07 15:25:08
ComboFix2.txt 2008-01-06 15:56:47
ComboFix3.txt 2008-01-04 18:54:14
ComboFix4.txt 2008-01-04 18:21:11
ComboFix5.txt 2008-01-03 21:52:21
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:37:15, on 7-1-2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINPAT~1\WinPatrol.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
--
End of file - 5753 bytes - Download the latest version of HijackThis:
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Download: RVAXO.exe
Save the file to your desktop, then you may double-click it.
You can let the program extract to your desktop.
Now open the RVAXO folder on your desktop and double-click RVAXO.cmd
A window will open in which a few lines about files that were not found scroll past quickly; this is normal.
Possibly an uninstaller of a rogue scanner will start as well; do not close it, but follow any instructions and let it do its work.
Your PC will then restart; after the restart the RVAXO window opens again.
Let it run and wait until a log file opens.
It can also be found here: C:\RVAXO-results.log
Post its contents in your next reply together with a new HijackThis log.
Did your PC not restart?
Run RVAXO once more and then post the new log: C:\rvaxo-results.log
After that go to the Windows Update site and get at least SP1.
Restart your PC in Safe Mode and make a new log with SDFix.
Post it together with the RVAXO log.
Pim - Hier weer wat nieuwe logjes.
SDFix: Version 1.124
Run by Adri on di 08-01-2008 at 16:30
Microsoft Windows XP [versie 5.1.2600]
Running From: C:\DOWNLO~1\TIJDEL~1\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting…
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files…
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 16:58:34
Windows 5.1.2600 NTFS
scanning hidden processes …
scanning hidden services & system hive …
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
"Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
"Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
scanning hidden registry entries …
scanning hidden files …
IPC error: 2 Het systeem kan het opgegeven bestand niet vinden.
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Files with Hidden Attributes:
Sat 2 Nov 2002 134 ..SH. --- "C:\AUTOEXEC.BAK"
Wed 5 May 1999 96,546 ..SH. --- "C:\COMMAND.COM"
Sat 2 Nov 2002 1,676 A.SHR --- "C:\MSDOS.BAK"
Sat 2 Nov 2002 7,809 ..SH. --- "C:\SUHDLOG.BAK"
Wed 5 May 1999 53,248 A..H. --- "C:\Program Files\Accessories\mspcx32.dll"
Sat 9 Oct 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Aug 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sun 16 Feb 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Sun 16 Feb 2003 12,580 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Mon 11 Aug 2003 12,580 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Finished!
--------------RVAXO.exe first run--------------
Files found:
Uninstallers Rogue scanners:
Folders Found:
Hosts-file was reset, If you use a custom hosts file please replace it…
--------------RVAXO.exe last run--------------
Files found:
Folders Found:
--------------RVAXO.exe finished--------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:09:57, on 8-1-2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199805747080
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
--
End of file - 5203 bytes
- I would in any case still fix the following 2 entries with HijackThis:
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
Regards, Emiel - That is the least of his worries, Emiel :wink:
Go to the Windows Update website and download all available updates there. Restart your PC and post a HijackThis log for checking.
Good luck!
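The catchme section of the SDFix log above reports one hidden service, and Emiel's reply singles out two O16 entries in the HijackThis log. The Python script below is added here as an example; it is not code from the thread or from HijackThis, SDFix, catchme or RVAXO. It parses both kinds of output: it flags O16 DPF lines that carry no control name or that fetch a bare .exe (two heuristics of the example's own, which happen to pick out exactly the lines Emiel lists), and it groups catchme's registry dump into one record per hidden service so that the start type, run-as account and ImagePath can be read at a glance. The sample lines are copied from the logs posted in this thread; the flags are hints for a reviewer, not a malware verdict.

```python
import re

# --- 1. HijackThis O16 (DPF / ActiveX download) lines -----------------------
# Shape: O16 - DPF: {CLSID} (Control name) - URL   (the control name is optional)
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})"
    r"(?: \((?P<name>[^)]*)\))?"
    r" - (?P<url>\S+)$"
)

def flag_o16(lines):
    """Return (clsid, url, reasons) for O16 entries a reviewer should look at.
    Heuristics chosen for this example: no friendly control name, or the URL
    fetches a bare .exe instead of a .cab. Hints for a human, not a verdict."""
    findings = []
    for line in lines:
        m = O16_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if not m.group("name"):
            reasons.append("no control name")
        path = m.group("url").split("?", 1)[0].lower()   # drop ?cache-buster
        if path.endswith(".exe"):
            reasons.append("downloads an .exe")
        if reasons:
            findings.append((m.group("clsid"), m.group("url"), reasons))
    return findings

# --- 2. catchme "hidden services" registry dump ------------------------------
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>[^\\\]]+)\\Services\\"
    r"(?P<svc>.+?)(?:\\(?P<sub>[^\\\]]+))?\]$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

def _clean_value(raw):
    """Normalise catchme's .reg-like syntax: dword:... -> int, str(2):""x"" -> x."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex:"):
        return raw                       # binary blobs stay as text
    if raw.startswith("str(2):"):
        raw = raw[len("str(2):"):]
    return raw.strip('"')

def parse_catchme_services(lines):
    """Group the dump into {(control set, service name): {value name: value}}.
    Subkeys such as ...\\Security are folded into their parent service, so one
    record per hidden service comes out."""
    services = {}
    current = None
    for line in lines:
        line = line.rstrip()
        km = KEY_RE.match(line)
        if km:
            current = services.setdefault((km.group("cs"), km.group("svc")), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group("name")] = _clean_value(vm.group("value"))
        elif not line.startswith('"'):
            current = None               # any other text ends the dump section
    return services

def summarize_hidden_services(lines):
    """One line per hidden service: where it lives, how it starts, what it runs."""
    out = []
    for (cs, svc), v in parse_catchme_services(lines).items():
        out.append(f"{cs}: service {svc!r} start={START_NAMES.get(v.get('Start'), '?')} "
                   f"runs_as={v.get('ObjectName', '?')} image={v.get('ImagePath', '?')}")
    return out

# Sample input, copied from the logs posted in this thread.
HJT_SAMPLE = r"""
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199805747080
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
""".strip().splitlines()

CATCHME_SAMPLE = r"""
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
scanning hidden registry entries ...
""".strip().splitlines()

if __name__ == "__main__":
    for clsid, url, reasons in flag_o16(HJT_SAMPLE):
        print(f"O16 {clsid}: {', '.join(reasons)} -> {url}")
    for line in summarize_hidden_services(CATCHME_SAMPLE):
        print(line)
```

Run as a file, the script prints the two O16 entries Emiel names (the second with both reasons) and a single summary line for the hidden service, showing that it is registered to run as LocalSystem from C:\WINDOWS\msnmsgr.exe but is currently set to the disabled start type. The parser keys services by control set on purpose: catchme lists the same service under CurrentControlSet and ControlSet002, and a clean-up that only touches one of them leaves the other copy behind.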
Pim - Via the Windows Update site it doesn't work, because it is a slightly less legal version of XP.
I'm now trying it via the "offline update" from heise-security, hope that works.
But apart from that, is all the virus and trojan junk gone now?
I still have CPU usage at 100% until I close it with Task Manager and then start it again via File.... after that it's normal.