Trojan.vundo

Anonymous
M@rc
72 replies
  • And the rest of the log file?
  • //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:45:13 2008

    19:45:13: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:46:49 2008

    19:46:49: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:47:33 2008

    19:47:33: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:48:19 2008

    19:48:19: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:48:30 2008

    19:48:30: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:49:18 2008

    19:49:18: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:49:26 2008

    19:49:26: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:53:15 2008

    19:53:15: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:54:31 2008

    19:54:31: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:56:09 2008

    19:56:09: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 20:00:36 2008

    20:00:36: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 20:06:18 2008

    20:06:18: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    Logfile of The Avenger Version 2.0, © by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "C:\WINDOWS\system32\ahmmqqae.dll" deleted successfully.
    File "C:\WINDOWS\system32\pwfnpetw.dll" deleted successfully.
    File "C:\WINDOWS\system32\qoMcdCTn.dll" deleted successfully.
    File "C:\WINDOWS\system32\nTCdcMoq.ini2" deleted successfully.
    File "C:\WINDOWS\system32\winpfz33.sys" deleted successfully.
    File "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" deleted successfully.
    File "C:\WINDOWS\system32\gside.exe" deleted successfully.
    File "C:\Temp\oRUsa080.exe" deleted successfully.
    Folder "C:\VundoFix Backups" deleted successfully.
    Folder "C:\Temp\zvebs14" deleted successfully.
    Folder "C:\Temp\1cb" deleted successfully.

    This is the entire log file as I get to see it.
  • Then you didn't copy the whole script.
    The point is that you carry out the given instructions correctly. Otherwise there's little sense in it.
  • I copied the script and had it run, then I restarted the PC, and afterwards this is what is in the script.

    What did happen is that my PC kept going until it hung on the black screen described earlier. To restart the PC I had to use the power button, and after that I started Safe Mode again via F5.

    Could it be that errors occurred with the log because of this?
  • I restarted the PC, ran Avenger again, and here is the new log:

    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:45:13 2008

    19:45:13: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:46:49 2008

    19:46:49: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:47:33 2008

    19:47:33: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:48:19 2008

    19:48:19: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:48:30 2008

    19:48:30: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:49:18 2008

    19:49:18: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:49:26 2008

    19:49:26: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:53:15 2008

    19:53:15: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:54:31 2008

    19:54:31: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 19:56:09 2008

    19:56:09: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 20:00:36 2008

    20:00:36: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 20:06:18 2008

    20:06:18: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    Logfile of The Avenger Version 2.0, © by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "C:\WINDOWS\system32\ahmmqqae.dll" deleted successfully.
    File "C:\WINDOWS\system32\pwfnpetw.dll" deleted successfully.
    File "C:\WINDOWS\system32\qoMcdCTn.dll" deleted successfully.
    File "C:\WINDOWS\system32\nTCdcMoq.ini2" deleted successfully.
    File "C:\WINDOWS\system32\winpfz33.sys" deleted successfully.
    File "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" deleted successfully.
    File "C:\WINDOWS\system32\gside.exe" deleted successfully.
    File "C:\Temp\oRUsa080.exe" deleted successfully.
    Folder "C:\VundoFix Backups" deleted successfully.
    Folder "C:\Temp\zvebs14" deleted successfully.
    Folder "C:\Temp\1cb" deleted successfully.



    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 20:37:05 2008

    20:37:05: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 20:37:09 2008

    20:37:09: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 20:40:22 2008

    20:40:22: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    Logfile of The Avenger Version 2.0, © by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: file "C:\WINDOWS\system32\ahmmqqae.dll" not found!
    Deletion of file "C:\WINDOWS\system32\ahmmqqae.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\pwfnpetw.dll" not found!
    Deletion of file "C:\WINDOWS\system32\pwfnpetw.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\qoMcdCTn.dll" not found!
    Deletion of file "C:\WINDOWS\system32\qoMcdCTn.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\nTCdcMoq.ini2" not found!
    Deletion of file "C:\WINDOWS\system32\nTCdcMoq.ini2" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\winpfz33.sys" not found!
    Deletion of file "C:\WINDOWS\system32\winpfz33.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" not found!
    Deletion of file "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\gside.exe" not found!
    Deletion of file "C:\WINDOWS\system32\gside.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\Temp\oRUsa080.exe" not found!
    Deletion of file "C:\Temp\oRUsa080.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: folder "C:\VundoFix Backups" not found!
    Deletion of folder "C:\VundoFix Backups" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: folder "C:\Temp\zvebs14" not found!
    Deletion of folder "C:\Temp\zvebs14" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: folder "C:\Temp\1cb" not found!
    Deletion of folder "C:\Temp\1cb" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}" deleted successfully.

    Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{759C858E-85A7-416A-B9F1-68A6F750DF4E}" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{759C858E-85A7-416A-B9F1-68A6F750DF4E}" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2 Up File Flag" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Build cdrom" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9F-FD-D4-43-DW}" deleted successfully.
    Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|50b9fdec" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
  • This looks better.

    Are there still any problems?
  • When I try to start the PC normally it still keeps freezing after the Windows loading screen.
  • Run ComboFix once more in Safe Mode and post the log.
  • Here is the new ComboFix log:

    "Admin" - 2008-05-02 11:02:34 Service Pack 2 [SAFE MODE]
    ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Admin\Bureaublad\"


    ((((((((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 ))))))))))))))))))))))))))))))))))


    2008-05-01 20:40 574 --a------ C:\cleanup.bat
    2008-05-01 20:40 19,286 --a------ C:\cleanup.exe
    2008-05-01 20:40 135,168 --a------ C:\zip.exe
    2008-05-01 20:15 7,778 --a------ C:\backup.reg
    2008-05-01 20:15 <DIR> d-------- C:\Avenger
    2008-05-01 20:09 0 --a------ C:\WINDOWS\nsreg.dat
    2008-05-01 11:45 89,070 --a------ C:\WINDOWS\system32\myss_sb_uninstall.exe
    2008-05-01 11:42 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Mijn documenten
    2008-05-01 11:26 88,560 -ra------ C:\WINDOWS\system32\drivers\K320mgmt.sys
    2008-04-30 23:44 0 --a------ C:\WINDOWS\system32\taskkill.exe
    2008-04-30 23:44 <DIR> d--hs---- C:\DOCUME~1\Admin\!
    2008-04-30 23:41 <DIR> d-------- C:\WINDOWS\system32\pnVes05
    2008-04-30 23:41 <DIR> d-------- C:\WINDOWS\system32\jp7
    2008-04-30 23:41 <DIR> d-------- C:\WINDOWS\system32\dn4
    2008-04-30 23:41 <DIR> d-------- C:\Temp
    2008-04-23 00:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-04-22 18:36 86,368 -ra------ C:\WINDOWS\system32\drivers\K320obex.sys
    2008-04-22 14:58 <DIR> d-------- C:\Program Files\Common Files\Authentium
    2008-04-20 15:45 97,056 -ra------ C:\WINDOWS\system32\drivers\K320mdm.sys
    2008-04-20 15:45 9,328 -ra------ C:\WINDOWS\system32\drivers\K320mdfl.sys
    2008-04-20 15:45 61,504 -ra------ C:\WINDOWS\system32\drivers\K320bus.sys
    2008-04-20 15:45 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cmnt.sys
    2008-04-20 15:45 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cm.sys
    2008-04-20 15:45 5,840 -ra------ C:\WINDOWS\system32\drivers\K320whnt.sys
    2008-04-20 15:45 5,840 -ra------ C:\WINDOWS\system32\drivers\K320wh.sys
    2008-04-20 15:44 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Teleca
    2008-04-20 15:44 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Sony Ericsson
    2008-04-20 15:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Documents
    2008-04-20 15:39 <DIR> d-------- C:\Program Files\Sony Ericsson
    2008-04-20 15:39 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2008-04-20 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Teleca
    2008-04-20 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
    2008-04-10 14:53 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Leadertech
    2008-04-02 17:50 <DIR> d-------- C:\Program Files\VideoLAN


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2008-05-01 16:15:30 -------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-05-01 09:45:09 -------- d-----w C:\Program Files\Hitman Pro
    2008-04-30 21:32:26 -------- d-----w C:\Program Files\Windows Media Connect 2
    2008-04-30 21:24:54 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\Xfire
    2008-04-30 17:57:13 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\Bioshock
    2008-04-29 12:14:35 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\Azureus
    2008-04-26 12:43:49 -------- d-----w C:\Program Files\Winamp Remote
    2008-04-21 11:16:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-18 19:39:27 -------- d-----w C:\Program Files\Azureus
    2008-04-14 13:45:19 -------- d-----w C:\Program Files\DivX
    2008-04-12 16:34:50 83,854 ----a-w C:\WINDOWS\system32\perfc013.dat
    2008-04-12 16:34:50 472,888 ----a-w C:\WINDOWS\system32\perfh013.dat
    2008-04-10 09:35:32 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-04-10 09:35:32 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-04-02 15:52:55 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\vlc
    2008-03-31 21:25:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-03-31 21:25:48 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2008-03-31 21:25:48 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2008-03-31 21:25:46 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
    2008-03-31 21:25:46 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2008-03-31 21:25:46 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2008-03-21 20:30:12 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-03-21 20:30:08 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-03-21 20:30:00 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-03-21 20:30:00 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-03-21 20:28:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-03-21 20:28:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2008-03-21 20:28:52 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2008-03-21 20:28:50 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2008-03-21 20:28:50 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2008-03-21 20:28:50 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2008-03-21 20:28:50 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2008-03-21 20:28:50 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2008-03-21 20:28:20 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-03-20 08:10:47 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-02-21 02:05:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2008-02-21 02:05:38 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2008-02-21 02:05:38 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2008-02-20 06:51:59 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:39:05 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
    {7B3FF863-01B8-4087-B9FF-C8DC8C458F30}=C:\WINDOWS\system32\qoMcdCTn.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
    "RTHDCPL"="RTHDCPL.EXE" []
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
    "Preventon RealTime Antivirus"="C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe" [2008-03-18 11:41]
    "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12]
    "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 01:13]
    "LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2007-02-06 17:43]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41]
    "nwiz"="nwiz.exe" [2007-12-05 02:41 C:\WINDOWS\system32\nwiz.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 00:54]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
    "BM538ace70"="C:\WINDOWS\system32\pwfnpetw.dll" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-01 20:25]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27]
    "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 14:20]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 16:16]
    "Fraps"="C:\FILMS\FRAPS\FRAPS.EXE" [2006-06-18 15:54]
    "Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 22:02]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "Cleanup"=C:\cleanup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "WatchDog"=C:\Program Files\WatchDog\watchdog.exe /.

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Spyware Doctor"=

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispAppearancePage"=0 (0x0)
    "NoDispBackgroundPage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "DisableCMD"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)
    "DisableChangePassword"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoSetTaskBar"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoRecentDocsMenu"=0 (0x0)
    "NoSMHelp"=0 (0x0)
    "NoNetworkConnections"=0 (0x0)
    "NoSMMyDocs"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoActiveDesktopChanges"=0 (0x0)
    "NoSaveSettings"=0 (0x0)
    "NoClose"=0 (0x0)
    "NoNetConnectDisconnect"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoViewContextMenu"=0 (0x0)
    "NoWinKeys"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages msv1_0 C:\WINDOWS\system32\qoMcdCTn

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Menu Start^Programma's^Opstarten^GameSpot Download Manager.lnk]
    path=C:\Documents and Settings\Admin\Menu Start\Programma's\Opstarten\GameSpot Download Manager.lnk
    backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Logitech Desktop Messenger.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Logitech Desktop Messenger.lnk
    backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
    C:\WINDOWS\system32\tcntrkdm.exe DWram

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "C:\Spellen\Counterstrike Source\Steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
    C:\Program Files\WatchDog\watchdog.exe /.

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
    "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"


    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-02 11:08:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0


    ********************************************************************

    Completion time: 2008-05-02 11:12:20
    C:\ComboFix-quarantined-files.txt … 2008-05-02 11:12
    C:\ComboFix2.txt … 2008-05-01 17:05
    C:\ComboFix3.txt … 2008-05-01 16:09

    --- E O F ---
  • Did you use any other tools? (ones I hadn't advised)
  • Only SUPERAntiSpyware, which I used yesterday morning to scan my PC for viruses. That was before my PC could no longer start in Normal Mode.
  • Really?
    Files were placed on your computer yesterday evening.
    Either they are malware-related or they come from another tool you used, and I'd like to know which.
  • I myself haven't used any tools other than HijackThis, ComboFix, Avenger and SUPERAntiSpyware.
  • Go to this site: http://www.bleepingcomputer.com/submit-malware.php?channel=11
    Under "Link to topic where this file was requested:" put a link to this topic.
    Under "Browse to the file you want to submit:" click the "Browse" button and navigate to this file: [b]C:\cleanup.bat[/b]
    Then click the "Send file" button.

    Open a Notepad file.
    Copy the code below into this Notepad file.
    Go to File - Save As.
    Under "Save in" choose: Desktop
    Under "File name" enter: fix.reg
    Under "Save as type" select: All files (*.*).
    Click the Save button.
    [code]REGEDIT4

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [/code]
    Double-click the fix.reg file and allow the changes to be added to the registry.

    Try whether logging in in normal mode works now.
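The fix.reg above resets the LSA "Authentication Packages" value, a REG_MULTI_SZ that lists DLLs lsass.exe loads at boot, to the Windows default (msv1_0 only). The following is an added example, not code from this thread: it parses a .reg export, decodes the hex(7) encoding (ANSI for REGEDIT4, UTF-16LE for "Version 5.00" exports) and reports any package that is not in the default set. The "badpkg" entry in the second sample is a constructed placeholder.

```python
import re

# Windows XP ships with msv1_0 as the only LSA authentication package.
DEFAULT_PACKAGES = {"msv1_0"}
LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
VALUE_NAME = "Authentication Packages"

# The fix.reg from the thread (REGEDIT4 format, so hex(7) bytes are ANSI).
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# Constructed sample of what an export from a tampered machine could look
# like: a second, unknown package name ("badpkg", a placeholder) appended.
# Long hex values are wrapped by regedit with a trailing backslash.
TAMPERED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,62,61,64,\
  70,6b,67,00,00
'''


def parse_reg(reg_text):
    """Parse a .reg text export into {key_path: {value_name: raw_value}}."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = raw
    return keys


def decode_multi_sz(raw, utf16=False):
    """Decode a hex(7) (REG_MULTI_SZ) value into its list of strings.
    REGEDIT4 exports store ANSI bytes; 'Version 5.00' exports use UTF-16LE."""
    if not raw.lower().startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value: " + raw)
    data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
    text = data.decode("utf-16-le" if utf16 else "latin-1")
    return [s for s in text.split("\x00") if s]


def authentication_packages(reg_text):
    """Return the package names listed under the LSA key, [] if absent."""
    utf16 = reg_text.lstrip().startswith("Windows Registry Editor Version 5.00")
    keys = {k.lower(): v for k, v in parse_reg(reg_text).items()}
    values = keys.get(LSA_KEY.lower(), {})
    if VALUE_NAME not in values:
        return []
    return decode_multi_sz(values[VALUE_NAME], utf16)


def unexpected_packages(reg_text):
    """Package names outside the default set: each is a DLL that lsass.exe
    will load at boot and that deserves a closer look."""
    return [p for p in authentication_packages(reg_text)
            if p.lower() not in DEFAULT_PACKAGES]


if __name__ == "__main__":
    for label, reg in (("fix.reg", FIX_REG), ("tampered export", TAMPERED_REG)):
        print(label, authentication_packages(reg), unexpected_packages(reg))
```

On a live machine, export the Lsa key with regedit and feed the file to unexpected_packages() to see whether anything besides msv1_0 is listed.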
  • I managed to start in normal mode, but I did get the following message:

    RUNDLL

    Er is een fout opgetreden tijdens het laden van C:\Windows\System32\pwfnpetw.dll

    Kan opgegeven module niet vinden.
  • Now create a new HijackThis log.
  • Here is the new HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:47:01, on 2-5-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\FILMS\FRAPS\FRAPS.EXE
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Diversen\HijackThis.exe
    C:\WINDOWS\SoftwareDistribution\Download\90036e1f564a212bcf06a744af2128ac\update\update.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7B3FF863-01B8-4087-B9FF-C8DC8C458F30} - C:\WINDOWS\system32\qoMcdCTn.dll (file missing)
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [BM538ace70] Rundll32.exe "C:\WINDOWS\system32\pwfnpetw.dll",s
    O4 - HKLM\..\RunServices: [WatchDog] C:\Program Files\WatchDog\watchdog.exe /.
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Fraps] C:\FILMS\FRAPS\FRAPS.EXE
    O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: Xfire.lnk = C:\Spellen\Xfire\Xfire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C97E62-F9EC-4C2D-A05B-CE1040177F03}: NameServer = 213.51.144.37,213.51.129.37
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.128.37
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
    O17 - HKLM\System\CS3\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
    O17 - HKLM\System\CS4\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • Please use the most recent version: http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
  • Here is the log with the new version:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:52:06, on 2-5-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\FILMS\FRAPS\FRAPS.EXE
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Diversen\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7B3FF863-01B8-4087-B9FF-C8DC8C458F30} - C:\WINDOWS\system32\qoMcdCTn.dll (file missing)
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [BM538ace70] Rundll32.exe "C:\WINDOWS\system32\pwfnpetw.dll",s
    O4 - HKLM\..\RunServices: [WatchDog] C:\Program Files\WatchDog\watchdog.exe /.
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Fraps] C:\FILMS\FRAPS\FRAPS.EXE
    O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: Xfire.lnk = C:\Spellen\Xfire\Xfire.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Xfire.lnk = C:\Spellen\Xfire\Xfire.exe (User 'Default user')
    O4 - Startup: Xfire.lnk = C:\Spellen\Xfire\Xfire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C97E62-F9EC-4C2D-A05B-CE1040177F03}: NameServer = 213.51.144.37,213.51.129.37
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.128.37
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
    O17 - HKLM\System\CS3\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
    O17 - HKLM\System\CS4\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    End of file - 9675 bytes
  • Close all open windows.
    Start HijackThis once more and put a check mark next to the following items:

    [b]O2 - BHO: (no name) - {7B3FF863-01B8-4087-B9FF-C8DC8C458F30} - C:\WINDOWS\system32\qoMcdCTn.dll (file missing)
    O4 - HKLM\..\Run: [BM538ace70] Rundll32.exe "C:\WINDOWS\system32\pwfnpetw.dll",s[/b]

    Then click "Fix checked" and close HijackThis.

    Restart the computer.

    Make a new log with ComboFix and post it.
    Start HijackThis again, make a new log and post that as well.
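The two entries singled out above share a pattern: an O2 BHO whose DLL HijackThis already reports as missing, and an O4 Run entry that has rundll32 load a DLL which the RUNDLL error earlier in the thread shows is gone. The following is an added example, not part of the thread or of HijackThis: it runs that check over a few constructed log lines, with a stand-in for os.path.exists that marks pwfnpetw.dll as missing, as the error message confirms.

```python
import re

# Constructed sample in HijackThis log format; the two entries the helper
# asked to be fixed in this thread are included among benign ones.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B3FF863-01B8-4087-B9FF-C8DC8C458F30} - C:\WINDOWS\system32\qoMcdCTn.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM538ace70] Rundll32.exe "C:\WINDOWS\system32\pwfnpetw.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# On the real machine this would be os.path.exists; here the RUNDLL error
# quoted in the thread tells us which file is gone, so we simulate that.
MISSING_ON_SAMPLE_HOST = {r"c:\windows\system32\pwfnpetw.dll"}


def sample_file_exists(path):
    return path.lower() not in MISSING_ON_SAMPLE_HOST


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32 is called with the DLL path first, optionally quoted, then ",entry".
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)


def triage(log_text, file_exists):
    """Return (section, reason, line) for entries worth removing: a BHO
    whose DLL is gone, and a Run entry that rundll32's a missing DLL."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m and m.group("missing"):
            findings.append(("O2", "BHO registered for a DLL that no longer exists", line))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if r and not file_exists(r.group("dll")):
                findings.append(("O4", "Rundll32 autostart of a missing DLL", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG, sample_file_exists):
        print(f"{section}: {reason}\n    {line}")
```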

This is an archived page. Replying is no longer possible.