Internet problem

Anonymous
24 answers
  • OK, I didn't know that so many steps had to precede running ComboFix. I tried it out on an XP machine. What I'm still wondering is how you do something like that on a laptop, with or without a recovery CD. For Vista it is stated that you should boot from the CD, which in most cases isn't there.
  • Here I am again. Ran ComboFix. The PC now boots in normal mode again, only everything is extremely slow. I can't find the MBAM log anywhere; apparently it isn't saved automatically? So unfortunately I can't send it along. Attached are the ComboFix log and a new HijackThis log.

    ComboFix 08-10-11.04 - Jaap 2008-10-13 12:15:17.2 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.735 [GMT 2:00]
    Running from: C:\Documents and Settings\Jaap\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jaap\Bureaublad\WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
    .

    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\LocalService\Application Data\1114190697.exe
    C:\Documents and Settings\LocalService\Application Data\1151810659.exe
    C:\Documents and Settings\LocalService\Application Data\1178878676.exe
    K:\autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CBEVTSVC
    -------\Legacy_PSYCHE
    -------\Legacy_PSYCHEENQUEUE
    -------\Legacy_SYSREST.SYS
    -------\Service_psyche


    (((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 ))))))))))))))))))))))))))))))
    .

    2008-10-13 11:27 . 2001-09-06 19:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-10-13 11:27 . 2008-04-13 20:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-10-11 13:00 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-11 12:58 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-11 12:55 . 2008-09-11 14:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d-------- C:\Documents and Settings\Administrator\Mijn documenten
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d-------- C:\Documents and Settings\Administrator\Favorieten
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
    2008-10-11 12:55 . 2008-10-11 12:55 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-10-11 12:43 . 2008-10-11 12:43 <DIR> d-------- C:\Program Files\InCode Solutions
    2008-10-11 12:34 . 2008-10-11 12:34 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
    2008-10-10 17:46 . 2008-10-13 11:35 <DIR> dr-h----- C:\Documents and Settings\Jaap\Onlangs geopend
    2008-10-10 16:11 . 2008-10-10 16:11 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\Malwarebytes
    2008-10-10 16:11 . 2008-10-10 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-07 19:57 . 2008-10-13 12:10 104,414 --a------ C:\WINDOWS\system32\drivers\47c270d4.sys
    2008-10-06 13:34 . 2008-10-06 13:34 29 --a------ C:\WINDOWS\system32\otdgegut.tmp
    2008-09-22 15:09 . 2008-09-22 15:14 <DIR> d-------- C:\Program Files\Picasa2
    2008-09-22 15:09 . 2008-09-22 15:09 <DIR> d-------- C:\Program Files\Google
    2008-09-22 15:09 . 2006-10-05 04:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-09-22 15:09 . 2006-10-05 04:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-09-22 14:26 . 2008-09-22 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-09-22 14:15 . 2008-09-22 14:15 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
    2008-09-22 13:04 . 2008-09-22 13:04 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\MSN6
    2008-09-22 13:04 . 2008-09-22 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2008-09-16 16:36 . 2008-09-16 16:36 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\Canon
    2008-09-15 17:21 . 2008-09-15 17:21 25 --a------ C:\WINDOWS\mixerdef.ini
    2008-09-15 17:17 . 2008-09-15 17:17 <DIR> d-------- C:\Program Files\GNU
    2008-09-15 17:16 . 2008-09-26 13:14 116 --a------ C:\WINDOWS\NeroDigital.ini
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d-------- C:\Program Files\GRETECH
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\GRETECH
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
    2008-09-15 16:39 . 2008-09-22 15:26 <DIR> d-------- C:\Program Files\FrostWire
    2008-09-15 16:39 . 2008-09-15 16:39 <DIR> d-------- C:\Documents and Settings\Jaap\Incomplete
    2008-09-15 16:39 . 2008-10-05 12:31 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\FrostWire
    2008-09-15 15:59 . 2008-09-15 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\ScanSoft
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-09-15 15:56 . 2008-09-15 15:56 412 --a------ C:\WINDOWS\MAXLINK.INI
    2008-09-15 15:55 . 2008-09-15 15:55 <DIR> d-------- C:\Program Files\ScanSoft
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d--h----- C:\Program Files\CanonBJ
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
    2008-09-15 15:52 . 2007-03-18 22:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8S.DLL
    2008-09-15 15:51 . 2008-09-15 15:59 <DIR> d-------- C:\Program Files\Canon
    2008-09-15 15:50 . 2008-04-13 20:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-09-15 15:50 . 2008-04-13 20:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
    2008-09-15 15:47 . 2008-04-13 20:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-09-15 15:47 . 2008-04-13 20:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2008-09-15 15:27 . 2008-09-15 15:27 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\Ahead
    2008-09-15 15:26 . 2008-09-15 15:26 <DIR> d-------- C:\Program Files\Nero
    2008-09-15 15:26 . 2008-09-15 15:27 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-09-15 14:46 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\alsndmgr.cpl
    2008-09-15 14:46 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
    2008-09-15 14:46 . 2008-08-06 15:45 4,122,112 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
    2008-09-15 14:46 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
    2008-09-15 14:46 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
    2008-09-15 14:46 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
    2008-09-15 14:46 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
    2008-09-15 14:45 . 2008-09-15 14:45 <DIR> d-------- C:\Program Files\Realtek AC97
    2008-09-15 14:44 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
    2008-09-15 14:44 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\alcrmv.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-09 11:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-15 13:56 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-09-15 12:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-13 11:10 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-09-13 11:10 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-09-13 11:10 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-09-11 18:39 --------- d-----w C:\Program Files\Java
    2008-09-11 18:38 --------- d-----w C:\Program Files\Common Files\Java
    2008-09-11 18:24 --------- d-----w C:\Program Files\Foxit Software
    2008-09-11 16:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
    2008-09-11 16:08 --------- d-----w C:\Program Files\IncrediMail
    2008-09-11 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
    2008-09-11 14:30 --------- d-----w C:\Program Files\AVG
    2008-09-11 14:25 --------- d-----w C:\Program Files\Keyboard
    2008-09-11 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
    2008-09-11 12:26 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-09-11 12:09 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-25 08:34 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-07-25 08:34 683,520 ----a-w C:\WINDOWS\system32\divx.dll
    2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    .

    ------- Sigcheck -------

    2008-04-14 19:03 14336 e410ec73e2be2a41d923b006f51c8427 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

    2008-04-14 19:03 510464 1247d4d5444e28519bbe31be8ab4c029 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

    md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
    2008-04-14 19:02 1037312 aa04f042a820bf1868e643575887e1a6 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

    2008-04-14 19:03 109056 b77bc5cd88eb96d4352af5202ec4aec2 C:\WINDOWS\ServicePackFiles\i386\services.exe
    md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

    2008-04-14 19:03 13312 8754210a3399d19610ce2d71e0c3e5d9 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

    2008-04-14 19:03 57856 db454135de1a09fe7feda7b554b5cca2 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
    2008-04-14 19:03 58880 27bb7950fa78513a287fb6abab3b910f C:\WINDOWS\system32\spoolsv.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-10-13_11.58.24.39 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-11 10:08:41 16,384 —-a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-10-13 10:05:53 16,384 —-a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-10-11 10:08:41 32,768 —-a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    + 2008-10-13 10:05:53 32,768 —-a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    - 2008-10-11 10:08:41 32,768 —-a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-10-13 10:05:53 32,768 —-a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
    "RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-31 7634944]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-31 86016]
    "iKeyWorks"="C:\PROGRA~1\Keyboard\Ikeymain.exe" [2002-11-22 73728]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
    "nwiz"="nwiz.exe" [2006-10-31 C:\WINDOWS\system32\nwiz.exe]
    "C-Media Mixer"="Mixer.exe" [2002-07-12 C:\WINDOWS\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "eESME"= {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll [2008-04-14 32768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\Program Files\\FrostWire\\FrostWire.exe"=
    "C:\\WINDOWS\\system32\\mmc.exe"=

    S1 47c270d4;47c270d4;C:\WINDOWS\system32\drivers\47c270d4.sys [2008-10-13 104414]
    S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-13 97928]
    S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-13 875288]
    S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-13 231704]
    S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-13 76040]
    S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
    S2 mbamdrvservice;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-09-10 17200]
    S2 MBAMService;MBAMService;C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe [2008-09-10 110256]
    S2 rznvrrnn;rznvrrnn;C:\WINDOWS\system32\drivers\rznvrrnn.sys [ ]
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.startpagina.nl/
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/
    R0 -: HKLM-Main,SearchMigratedDefaultURL = hxxp://www.google.com/
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
    O8 -: E&xporteren naar Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-13 12:19:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-13 12:20:37
    ComboFix-quarantined-files.txt 2008-10-13 10:20:19

    Pre-Run: 46,699,016,192 bytes free
    Post-Run: 46,689,488,896 bytes free

    224 --- E O F --- 2008-09-23 08:49:58


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:47, on 2008-10-13
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Utilities\Totalcmd\TOTALCMD.EXE
    D:\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221139598308
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)


    End of file - 4871 bytes

    I hope you can get further with this.
    PS. What strikes me is the following: when I boot the PC in Safe Mode, the option to start the Recovery Console is still there. Is this normal??

    PS. I just found out that the logs can be called up in MBAM itself. So here is the last one, from Saturday, after all.

    Malwarebytes' Anti-Malware 1.28
    Database version: 1134
    Windows 5.1.2600 Service Pack 3

    10-10-2008 16:18:42
    mbam-log-2008-10-10 (16-18-42).txt

    Scan type: Quick Scan
    Objects scanned: 42240
    Time elapsed: 2 minute(s), 36 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 12
    Registry Values Infected: 6
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 23

    Memory Processes Infected:
    C:\WINDOWS\system32\lphctq3j0elf5.exe (Trojan.FakeAlert) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\blphctq3j0elf5.scr (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{0354731f-950c-4a53-bc2b-132b5ee6b0fa} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0354731f-950c-4a53-bc2b-132b5ee6b0fa} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc (Trojan.MyDoom) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphctq3j0elf5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\912525\912525.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Drivers\rznvrrnn.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\rsyncini.exe (Trojan.Shutdowner) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\blphctq3j0elf5.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lphctq3j0elf5.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\phctq3j0elf5.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jaap\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
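The Sigcheck section of the ComboFix log above hashes each core binary in system32 against the copy kept under ServicePackFiles\i386; in this run five of the six live copies could not be read at all ("Permission denied"), and spoolsv.exe hashed differently from its reference. The script below is an added example, not ComboFix's code and not part of the original post. It performs the same baseline comparison for a list of file names and reports an unreadable file as its own finding instead of skipping it. MD5 is used only so the digests line up with what ComboFix prints; that is acceptable for comparing two copies you control, not for checking a hash someone else supplied. A mismatch on its own does not prove tampering either, since a post-SP hotfix also replaces the live copy. The directory layout and the fixture files are constructed in a temporary directory so the script runs anywhere, and the unreadable case is simulated with an absent file, because permission bits alone do not stop an administrator from reading.

```python
"""Hash live system binaries against a known-good reference copy (added example)."""
import hashlib
import os
import tempfile

# The files ComboFix's Sigcheck section compares in the log above.
SYSTEM_FILES = ("svchost.exe", "winlogon.exe", "explorer.exe",
                "services.exe", "lsass.exe", "spoolsv.exe")


def file_hash(path, algo="md5", chunk=1 << 16):
    """Hex digest of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_against_reference(live_dir, ref_dir, names=SYSTEM_FILES, algo="md5"):
    """Map each file name to 'match', 'MISMATCH', 'UNREADABLE' or 'no-reference'.

    An unreadable live file is reported, not skipped: in the log above ComboFix
    could not read svchost.exe, winlogon.exe, explorer.exe, services.exe or
    lsass.exe even in safe mode, which is itself worth a responder's attention.
    """
    results = {}
    for name in names:
        ref = os.path.join(ref_dir, name)
        if not os.path.isfile(ref):
            results[name] = "no-reference"
            continue
        try:
            live_digest = file_hash(os.path.join(live_dir, name), algo)
        except OSError:  # permission denied, locked by a driver, or missing
            results[name] = "UNREADABLE"
            continue
        results[name] = "match" if live_digest == file_hash(ref, algo) else "MISMATCH"
    return results


def demo():
    """Constructed fixture: one matching pair, one patched copy, one unreadable file."""
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "WINDOWS", "system32")
        ref = os.path.join(root, "WINDOWS", "ServicePackFiles", "i386")
        os.makedirs(live)
        os.makedirs(ref)
        for name in ("svchost.exe", "spoolsv.exe", "lsass.exe"):
            with open(os.path.join(ref, name), "wb") as f:
                f.write(b"MZ reference copy of " + name.encode())
        # identical live copy
        with open(os.path.join(live, "svchost.exe"), "wb") as f:
            f.write(b"MZ reference copy of svchost.exe")
        # patched live copy: differs by one trailing byte
        with open(os.path.join(live, "spoolsv.exe"), "wb") as f:
            f.write(b"MZ reference copy of spoolsv.exe!")
        # lsass.exe is left absent from the live dir to stand in for "Permission denied"
        return compare_against_reference(live, ref)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:13} {name}")
```

On a real machine you would point `compare_against_reference` at `C:\WINDOWS\system32` and `C:\WINDOWS\ServicePackFiles\i386`, ideally from an offline boot so a kernel driver cannot filter the reads.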
  • One problem barely solved and a friend comes along with the next one. This concerns an almost new PC which, according to his message, reported spyware and would no longer boot. I had a look this afternoon and ran Malwarebytes. It found no fewer than 45 infections! How he managed that is a mystery to me, but they came in all shapes and sizes. MB removed everything and it seemed OK. Unfortunately, however, we no longer get an internet connection. Under Networks everything is empty and there is no IP address anymore either. The provider (chello) offers no solution and says it's the PC. Given the last 2 O23 entries in the log I indeed don't rule that out. However, I don't have the knowledge to dare delete this blindly. Would someone be so kind as to take a look at this log? Thanks in advance.

    PS. Incidentally, these files are not in the folder HijackThis names, and MB doesn't find them even with a full scan.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:39:32, on 10-10-2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\Keyboard\Ikeymain.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Utilities\Totalcmd\TOTALCMD.EXE
    C:\WINDOWS\system32\drwtsn32.exe
    D:\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221139598308
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: psyche - Unknown owner - C:\WINDOWS\System32\psyche.exe
    O23 - Service: PsycheEnqueue - Unknown owner - C:\WINDOWS\System32\PsycheEnqueue.exe


    End of file - 6209 bytes
  • There are still a few problems in the log. Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
    O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll

    Click 'Fix checked' to remove the items.

    And then you are still left with two O23 service lines that are quite nasty:

    O23 - Service: psyche - Unknown owner - C:\WINDOWS\System32\psyche.exe
    O23 - Service: PsycheEnqueue - Unknown owner - C:\WINDOWS\System32\PsycheEnqueue.exe

    Both urgently need to be removed. Then let us know whether you notice any improvement?
  • KAPE, thanks for your reply. This morning I quickly drove over to my friend's to try the remedies you suggested, with the following result. After removing the items mentioned, Windows (XP) no longer started. After the "Welcome" screen it takes a while, then a dark blue screen appears and nothing further happens. The hard disk light does keep blinking, though.
    I started the PC in Safe Mode with Networking, and that actually worked; the internet connection was available again too. This gave me the chance to run MB once more, but now with the latest updates. Again 21 infections were found, including the remaining O21 and the O23 service. MB reported removing them, but after a restart they are back, as the log shows. In short: those two keep coming back, and booting is still only possible in Safe Mode. Do you perhaps have another idea how to get rid of those two rascals?

    Edit: the O23 service now says: file missing. That was not the case in the first log, even though in my opinion the file was not physically present.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:15:27, on 11-10-2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Utilities\Totalcmd\TOTALCMD.EXE
    D:\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Utilities\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221139598308
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: psyche - Unknown owner - C:\WINDOWS\System32\psyche.exe (file missing)


    End of file - 5023 bytes
  • Now it is clear to me why a number of items that Malwarebytes should normally have cleaned up were still present in the log. The version you used for that was not up to date.

    By the way, would it be possible to put that last MBAM log in a follow-up post, to get an idea of which removals were carried out?

    In the meantime, have HJT fix the following items:

    O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
    O23 - Service: psyche - Unknown owner - C:\WINDOWS\System32\psyche.exe (file missing)

    It may well be right that that psyche.exe (probably removed by MBAM) can no longer be found on the PC. That even seems a certainty to me :) The other bad service, PsycheEnqueue.exe, has already been cleaned up completely. Some good news after all :D

    Then delete the following file with Windows Explorer:

    C:\WINDOWS\system32\zh.dll

    And then, if it works, a new HJT log and the MBAM log mentioned above in a follow-up post. With, of course, another report on the state of affairs?
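The fix list in the earlier post (the R0/R1 search hijack, the O21 SSODL entry and the two O23 services) and the repeat of the O21/O23 fix in this post apply the same triage rules by eye. The script below is an added example, not part of the original thread and not code from HijackThis; it encodes those rules and runs them over lines copied from the logs in this thread. It flags search-related IE values (SearchURL, Default_Search_URL, Search Bar, Search Page, SearchAssistant) whose host is not on a caller-supplied trusted list, every O21 SSODL entry (HijackThis hides the stock Windows ones, so anything it shows deserves a look), and O23 services with no recorded owner or a missing binary. The trusted-host list and the reason wording are the example's own assumptions; note that the rules also flag the Canon survey service, which merely has an unknown owner, so the output is a review list, not a verdict.

```python
"""Triage a HijackThis v2 log for the entry types the helper singled out."""
import re
from urllib.parse import urlparse

# IE registry values that control search. A Start Page is a user choice and
# is deliberately left alone by this example.
SEARCH_VALUES = {"SearchURL", "Default_Search_URL", "Search Bar",
                 "Search Page", "SearchAssistant"}

# Example-only trusted list (an assumption; HijackThis ships nothing like it).
TRUSTED_SEARCH_HOSTS = {"go.microsoft.com", "www.microsoft.com",
                        "search.msn.com", "search.live.com"}

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>\S+)$")
O21_LINE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text, trusted_hosts=TRUSTED_SEARCH_HOSTS):
    """Return (category, line, reason) for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            value = m.group("value").strip()
            host = (urlparse(m.group("data")).hostname or "").lower()
            if value in SEARCH_VALUES and host not in trusted_hosts:
                findings.append(("search-hijack", line,
                                 f"{value} sends searches to {host}"))
            continue
        m = O21_LINE.match(line)
        if m:
            # SSODL DLLs are loaded into Explorer at every logon; HijackThis
            # already suppresses the known-good Windows ones.
            findings.append(("ssodl", line,
                             f"{m.group('path')} is loaded into Explorer at every logon"))
            continue
        m = O23_LINE.match(line)
        if m:
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("no vendor recorded for the binary")
            if m.group("path").endswith("(file missing)"):
                reasons.append("service still registered but its binary is gone")
            if reasons:
                findings.append(("service", line, "; ".join(reasons)))
    return findings


# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: psyche - Unknown owner - C:\WINDOWS\System32\psyche.exe (file missing)
O23 - Service: PsycheEnqueue - Unknown owner - C:\WINDOWS\System32\PsycheEnqueue.exe
"""

if __name__ == "__main__":
    for category, line, reason in triage(SAMPLE_LOG):
        print(f"[{category}] {reason}\n    {line}")
```

Run against the sample it reports the ten-line search hijack family (three representatives here), the zh.dll SSODL entry and three services, two of them the psyche pair; the Start Page entry and the vendor-signed AVG service pass untouched.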
  • Thanks a lot for your quick reply once again. Great that there are people who are available on the weekend too for other people's problems!
    I think I'll ask my friend to put his PC at my place, because I keep having to drive to the other side of town to try something. With the suggestion you offered I'm not getting any further, by the way. From the start, both O23 services were nowhere to be found in the folder mentioned (even with hidden files shown). Why it now says "file missing" is therefore a mystery to me. As for the other one (O21), I can't get rid of it. I tried in Total Commander and via Explorer. So apparently heavier artillery has to be brought in for this. I should add that after a fix the file is gone, but after a restart it is cheerfully back. Unfortunately I forgot to put the MB log on my stick this afternoon, so I can't send it along. Perhaps you know another option to get rid of that stubborn O21 infection? If not, I have already agreed with my friend that he will bring his PC to me so that we can act a bit more effectively. I await your next reply in suspense and in any case wish you a nice weekend.
    Regards, Gerard.
  • Then I would opt for a search with Combofix. But maybe it is indeed better that you have the PC with you, because afterwards there will (possibly) have to be further interventions, and then it's easier if you don't have to cross town every time :)

    Download Combofix here http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to your Desktop.

    If you have used Combofix before, please delete that version and download Combofix again via the link above, because Combofix is updated daily.

    Double-click Combofix.exe and follow the instructions; accept the disclaimer by typing y. While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix is complete and after the restart, the log combofix.txt will open.

    If you get a warning from your antivirus or another real-time scanner during or after the download of Combofix or while using Combofix, disable that scanner and download Combofix again.
    Some scanners see certain components that Combofix uses as suspicious and will block or delete them!

    Attach the Combofix log to your next post. And then maybe we can also have a look at that MBAM log?
  • Great!! I'll call my friend and tell him to bring his PC. That will be Monday at the earliest, I think. As soon as I get started I'll let you know right away and try to send the requested logs along. No, I have never used Combofix before, so that problem doesn't apply to us. Thanks again, but you probably won't hear from me again this weekend.

    PS. Regarding my previous topic, I found out that MBAM with protection enabled slows everything down considerably. Let's just say that security demands a certain sacrifice...
  • Fine, then I'll read about it when you are "ready for action" again :D
  • Bothering you on a Sunday after all. To get some insight into how Combofix works, I downloaded it and wanted to test it on my own PC (Vista). To my surprise: after double-clicking the Combofix icon you see a small green progress bar, and as soon as it is 'full' nothing else happens at all. No message or anything. Is this due to Vista, or is something else going on?
  • Have a look here for the guide to using Combofix correctly: http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden also for Vista.
  • Open a Notepad file.

    Copy and paste the text below into it.

    File::
    C:\WINDOWS\system32\otdgegut.tmp
    C:\WINDOWS\system32\drivers\47c270d4.sys

    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

    Save this file on your desktop as CFScript.txt.

    Drag CFScript.txt onto ComboFix.exe
    This will make ComboFix restart. Reboot if you are asked to.

    Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

    O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
    O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)

    Click 'Fix checked' to remove the items.

    After the restart, post the contents of Combofix.txt in your next post together with a new HijackThis log. And let us know right away whether you still notice any problems?
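The CFScript above names C:\WINDOWS\system32\drivers\47c270d4.sys for deletion. ComboFix lists every registered service and driver in the section it labels 'Reg Loading Points' ('Reg Opstartpunten' in a Dutch-language log) as `<S|R><start> <name>;<display name>;<path> [<date> <size>]`: the letter is S for a stopped service and R for a running one, the digit is the Windows Start value (1 = system start, 2 = auto start, 3 = on demand), and `[ ]` means ComboFix recorded no file metadata for the binary. The script below is an added example, not part of the thread and not code from ComboFix. It parses those lines and scores each entry on the indicators an analyst uses to pick such a target: a name that looks machine-generated (eight hex digits, or no vowels at all), no file metadata, a display name that merely repeats the service name, and a kernel driver started at system start. The sample input is copied from the ComboFix log posted further down in this thread; the weights and the threshold are this example's own assumptions.

```python
"""Score ComboFix service/driver lines for rootkit-style indicators."""
import re

# <S|R><start> <name>;<display>;<path> [<meta>]
SERVICE_LINE = re.compile(
    r"^(?P<state>[SR])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")

HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
VOWEL = re.compile(r"[aeiouy]", re.I)

# Weights are this example's own choices, not anything ComboFix defines.
WEIGHTS = {
    "machine-generated-looking name": 3,
    "no file metadata recorded": 2,
    "display name merely repeats the service name": 1,
    "kernel driver started at system start": 1,
}


def looks_generated(name):
    """47c270d4-style hex names and vowel-less strings like rznvrrnn."""
    return bool(HEX_NAME.match(name)) or (len(name) >= 6 and not VOWEL.search(name))


def parse_service(line):
    """Split one ComboFix service line into its fields, or None if it is not one."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    svc["start"] = int(svc["start"])
    svc["meta"] = svc["meta"].strip()      # "" when ComboFix printed "[ ]"
    return svc


def score(svc):
    """Return (total score, list of reasons) for a parsed service entry."""
    reasons = []
    if looks_generated(svc["name"]):
        reasons.append("machine-generated-looking name")
    if not svc["meta"]:
        reasons.append("no file metadata recorded")
    if svc["name"].lower() == svc["display"].lower():
        reasons.append("display name merely repeats the service name")
    if svc["start"] == 1 and svc["path"].lower().endswith(".sys"):
        reasons.append("kernel driver started at system start")
    return sum(WEIGHTS[r] for r in reasons), reasons


def flag_services(log_text, threshold=3):
    """Return [(name, path, score, reasons)] for entries at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        svc = parse_service(line)
        if svc is None:
            continue
        total, reasons = score(svc)
        if total >= threshold:
            flagged.append((svc["name"], svc["path"], total, reasons))
    return flagged


# Service lines copied from the ComboFix log posted later in this thread.
SAMPLE_LOG = r"""
S1 47c270d4;47c270d4;C:\WINDOWS\system32\drivers\47c270d4.sys [2008-10-13 104414]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-13 97928]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [ ]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [ ]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-13 76040]
S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
S2 mbamdrvservice;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-09-10 17200]
S2 MBAMService;MBAMService;C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe [2008-09-10 110256]
S2 rznvrrnn;rznvrrnn;C:\WINDOWS\system32\drivers\rznvrrnn.sys [ ]
"""

if __name__ == "__main__":
    for name, path, total, reasons in flag_services(SAMPLE_LOG):
        print(f"{name} ({total}): {path}\n    " + "; ".join(reasons))
```

On the sample only 47c270d4 (hex name, same display name, system-start kernel driver) and rznvrrnn (vowel-less name, same display name, no file metadata) clear the threshold; the AVG user-mode services that also show `[ ]` score too low on their own, which is the point of weighting the name heuristic above the metadata one.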
  • Ran the CFScript. Neither the O21 nor the O23 can be removed with HijackThis. The O21 is physically present; the O23 service is not.

    Here are the logs

    ComboFix 08-10-11.04 - Jaap 2008-10-13 14:01:25.2 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.732 [GMT 2:00]
    Running from: C:\Documents and Settings\Jaap\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jaap\Bureaublad\CFScript.txt
    .

    (((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 ))))))))))))))))))))))))))))))
    .

    2008-10-13 13:50 . 2008-10-13 13:50 <DIR> dr-h----- C:\Documents and Settings\Jaap\Onlangs geopend
    2008-10-13 13:47 . 2008-10-13 13:47 <DIR> d-------- C:\Program Files\VS Revo Group
    2008-10-13 11:27 . 2001-09-06 19:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-10-13 11:27 . 2008-04-13 20:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-10-11 13:00 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-11 12:58 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-11 12:55 . 2008-09-11 14:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d-------- C:\Documents and Settings\Administrator\Mijn documenten
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d-------- C:\Documents and Settings\Administrator\Favorieten
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
    2008-10-11 12:55 . 2008-10-11 12:55 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-10-11 12:43 . 2008-10-11 12:43 <DIR> d-------- C:\Program Files\InCode Solutions
    2008-10-11 12:34 . 2008-10-11 12:34 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
    2008-10-10 16:11 . 2008-10-10 16:11 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\Malwarebytes
    2008-10-10 16:11 . 2008-10-10 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-07 19:57 . 2008-10-13 13:44 104,414 --a------ C:\WINDOWS\system32\drivers\47c270d4.sys
    2008-10-06 13:34 . 2008-10-06 13:34 29 --a------ C:\WINDOWS\system32\otdgegut.tmp
    2008-09-22 15:09 . 2008-09-22 15:14 <DIR> d-------- C:\Program Files\Picasa2
    2008-09-22 15:09 . 2008-09-22 15:09 <DIR> d-------- C:\Program Files\Google
    2008-09-22 15:09 . 2006-10-05 04:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-09-22 15:09 . 2006-10-05 04:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-09-22 14:26 . 2008-09-22 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-09-22 14:15 . 2008-09-22 14:15 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
    2008-09-22 13:04 . 2008-09-22 13:04 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\MSN6
    2008-09-22 13:04 . 2008-09-22 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2008-09-16 16:36 . 2008-09-16 16:36 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\Canon
    2008-09-15 17:21 . 2008-09-15 17:21 25 --a------ C:\WINDOWS\mixerdef.ini
    2008-09-15 17:17 . 2008-09-15 17:17 <DIR> d-------- C:\Program Files\GNU
    2008-09-15 17:16 . 2008-09-26 13:14 116 --a------ C:\WINDOWS\NeroDigital.ini
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d-------- C:\Program Files\GRETECH
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\GRETECH
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
    2008-09-15 16:39 . 2008-09-22 15:26 <DIR> d-------- C:\Program Files\FrostWire
    2008-09-15 16:39 . 2008-09-15 16:39 <DIR> d-------- C:\Documents and Settings\Jaap\Incomplete
    2008-09-15 16:39 . 2008-10-05 12:31 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\FrostWire
    2008-09-15 15:59 . 2008-09-15 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\ScanSoft
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-09-15 15:56 . 2008-09-15 15:56 412 --a------ C:\WINDOWS\MAXLINK.INI
    2008-09-15 15:55 . 2008-09-15 15:55 <DIR> d-------- C:\Program Files\ScanSoft
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d--h----- C:\Program Files\CanonBJ
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
    2008-09-15 15:52 . 2007-03-18 22:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8S.DLL
    2008-09-15 15:51 . 2008-09-15 15:59 <DIR> d-------- C:\Program Files\Canon
    2008-09-15 15:50 . 2008-04-13 20:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-09-15 15:50 . 2008-04-13 20:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
    2008-09-15 15:47 . 2008-04-13 20:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-09-15 15:47 . 2008-04-13 20:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2008-09-15 15:27 . 2008-09-15 15:27 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\Ahead
    2008-09-15 15:26 . 2008-09-15 15:26 <DIR> d-------- C:\Program Files\Nero
    2008-09-15 15:26 . 2008-09-15 15:27 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-09-15 14:46 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\alsndmgr.cpl
    2008-09-15 14:46 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
    2008-09-15 14:46 . 2008-08-06 15:45 4,122,112 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
    2008-09-15 14:46 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
    2008-09-15 14:46 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
    2008-09-15 14:46 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
    2008-09-15 14:46 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
    2008-09-15 14:45 . 2008-09-15 14:45 <DIR> d-------- C:\Program Files\Realtek AC97
    2008-09-15 14:44 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
    2008-09-15 14:44 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\alcrmv.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-13 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-15 13:56 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-09-15 12:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-13 11:10 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-09-13 11:10 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-09-13 11:10 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-09-11 18:39 --------- d-----w C:\Program Files\Java
    2008-09-11 18:38 --------- d-----w C:\Program Files\Common Files\Java
    2008-09-11 18:24 --------- d-----w C:\Program Files\Foxit Software
    2008-09-11 16:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
    2008-09-11 16:08 --------- d-----w C:\Program Files\IncrediMail
    2008-09-11 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
    2008-09-11 14:25 --------- d-----w C:\Program Files\Keyboard
    2008-09-11 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
    2008-09-11 12:26 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-09-11 12:09 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-25 08:34 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-07-25 08:34 683,520 ----a-w C:\WINDOWS\system32\divx.dll
    2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    .

    ------- Sigcheck -------

    2008-04-14 19:03 14336 e410ec73e2be2a41d923b006f51c8427 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

    2008-04-14 19:03 510464 1247d4d5444e28519bbe31be8ab4c029 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

    md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
    2008-04-14 19:02 1037312 aa04f042a820bf1868e643575887e1a6 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

    2008-04-14 19:03 109056 b77bc5cd88eb96d4352af5202ec4aec2 C:\WINDOWS\ServicePackFiles\i386\services.exe
    md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

    2008-04-14 19:03 13312 8754210a3399d19610ce2d71e0c3e5d9 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

    2008-04-14 19:03 57856 db454135de1a09fe7feda7b554b5cca2 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
    2008-04-14 19:03 58880 27bb7950fa78513a287fb6abab3b910f C:\WINDOWS\system32\spoolsv.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-10-13_11.58.24.39 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-11 10:08:41 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-10-13 10:05:53 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-10-11 10:08:41 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    + 2008-10-13 10:05:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    - 2008-10-11 10:08:41 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-10-13 10:05:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-31 7634944]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-31 86016]
    "iKeyWorks"="C:\PROGRA~1\Keyboard\Ikeymain.exe" [2002-11-22 73728]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

    "nwiz"="nwiz.exe" [2006-10-31 C:\WINDOWS\system32\nwiz.exe]
    "C-Media Mixer"="Mixer.exe" [2002-07-12 C:\WINDOWS\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "eESME"= {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll [2008-04-14 32768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\Program Files\\FrostWire\\FrostWire.exe"=
    "C:\\WINDOWS\\system32\\mmc.exe"=

    S1 47c270d4;47c270d4;C:\WINDOWS\system32\drivers\47c270d4.sys [2008-10-13 104414]
    S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-13 97928]
    S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [ ]
    S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [ ]
    S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-13 76040]
    S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
    S2 mbamdrvservice;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-09-10 17200]
    S2 MBAMService;MBAMService;C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe [2008-09-10 110256]
    S2 rznvrrnn;rznvrrnn;C:\WINDOWS\system32\drivers\rznvrrnn.sys [ ]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-13 14:05:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-10-13 14:06:38
    ComboFix-quarantined-files.txt 2008-10-13 12:06:24
    ComboFix2.txt 2008-10-13 10:20:38

    Pre-Run: 46,691,725,312 bytes beschikbaar
    Post-Run: 46,682,112,000 bytes beschikbaar

    195 — E O F — 2008-09-23 08:49:58


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:14, on 2008-10-13
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Utilities\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Keyboard\Ikeymain.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\IncrediMail\bin\IMApp.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Utilities\Totalcmd\TOTALCMD.EXE
    D:\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221139598308
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
    O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)



    End of file - 5474 bytes


    The computer has become faster in the meantime. It boots, albeit slowly, in normal mode. Internet works fine. The whole thing is still noticeably slower than before, though. The AVG virus scanner has also been wrecked; I can no longer uninstall or install it. But that is a concern for later.
  • Could you repeat the ComboFix procedure once more, because for some unclear reason it has not done its job.
  • Indeed, I noticed a difference when running ComboFix. A message appeared about the removal of the top two bold lines.
    That O21 I still can't get rid of. Sometimes gone for a moment, then back again after a new scan. O23 has apparently given up.
    Here are the new logs.

    ComboFix 08-10-12.01 - Jaap 2008-10-13 15:23:34.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.578 [GMT 2:00]
    Gestart vanuit: C:\Documents and Settings\Jaap\Bureaublad\ComboFix.exe
    gebruikte Opdracht switches :: C:\Documents and Settings\Jaap\Bureaublad\CFScript.txt
    * Nieuw herstelpunt werd aangemaakt

    FILE ::
    C:\WINDOWS\system32\drivers\47c270d4.sys
    C:\WINDOWS\system32\otdgegut.tmp
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\47c270d4.sys
    C:\WINDOWS\system32\otdgegut.tmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ——-\Service_47c270d4


    (((((((((((((((((((( Bestanden Gemaakt van 2008-09-13 to 2008-10-13 ))))))))))))))))))))))))))))))
    .

    2008-10-13 14:34 . 2008-10-13 14:34 <DIR> d——– C:\Program Files\Avira
    2008-10-13 14:34 . 2008-10-13 14:34 <DIR> d——– C:\Documents and Settings\All Users\Application Data\Avira
    2008-10-13 13:50 . 2008-10-13 14:15 <DIR> dr-h—– C:\Documents and Settings\Jaap\Onlangs geopend
    2008-10-13 13:47 . 2008-10-13 13:47 <DIR> d——– C:\Program Files\VS Revo Group
    2008-10-13 11:27 . 2001-09-06 19:04 12,288 –a—— C:\WINDOWS\system32\drivers\mouhid.sys
    2008-10-13 11:27 . 2008-04-13 20:45 10,368 –a—— C:\WINDOWS\system32\drivers\hidusb.sys
    2008-10-11 13:00 . 2008-09-10 00:04 38,528 –a—— C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-11 12:58 . 2008-09-10 00:03 17,200 –a—— C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-11 12:55 . 2008-09-11 14:06 <DIR> d–h—– C:\Documents and Settings\Administrator\Sjablonen
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d–h—– C:\Documents and Settings\Administrator\Onlangs geopend
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d–h—– C:\Documents and Settings\Administrator\Netwerkprinteromgeving
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d——– C:\Documents and Settings\Administrator\Mijn documenten
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> dr——- C:\Documents and Settings\Administrator\Menu Start
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d——– C:\Documents and Settings\Administrator\Favorieten
    2008-10-11 12:55 . 2008-10-13 14:28 <DIR> d——– C:\Documents and Settings\Administrator\Bureaublad
    2008-10-11 12:55 . 2008-10-11 12:55 <DIR> d——– C:\Documents and Settings\Administrator
    2008-10-11 12:43 . 2008-10-11 12:43 <DIR> d——– C:\Program Files\InCode Solutions
    2008-10-11 12:34 . 2008-10-11 12:34 <DIR> d–h-c— C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
    2008-10-10 16:11 . 2008-10-10 16:11 <DIR> d——– C:\Documents and Settings\Jaap\Application Data\Malwarebytes
    2008-10-10 16:11 . 2008-10-10 16:11 <DIR> d——– C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-22 15:09 . 2008-09-22 15:14 <DIR> d——– C:\Program Files\Picasa2
    2008-09-22 15:09 . 2008-09-22 15:09 <DIR> d——– C:\Program Files\Google
    2008-09-22 15:09 . 2006-10-05 04:42 2,560 ——— C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-09-22 15:09 . 2006-10-05 04:42 2,432 ——— C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-09-22 14:26 . 2008-09-22 14:27 <DIR> d——– C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-09-22 14:15 . 2008-09-22 14:15 <DIR> d——– C:\Program Files\K-Lite Codec Pack
    2008-09-22 13:04 . 2008-09-22 13:04 <DIR> d——– C:\Documents and Settings\Jaap\Application Data\MSN6
    2008-09-22 13:04 . 2008-09-22 13:04 <DIR> d——– C:\Documents and Settings\All Users\Application Data\MSN6
    2008-09-16 16:36 . 2008-09-16 16:36 <DIR> d——– C:\Program Files\MSXML 4.0
    2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d——– C:\Documents and Settings\Jaap\Application Data\Canon
    2008-09-15 17:21 . 2008-09-15 17:21 25 –a—— C:\WINDOWS\mixerdef.ini
    2008-09-15 17:17 . 2008-09-15 17:17 <DIR> d——– C:\Program Files\GNU
    2008-09-15 17:16 . 2008-09-26 13:14 116 –a—— C:\WINDOWS\NeroDigital.ini
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d——– C:\Program Files\GRETECH
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d——– C:\Documents and Settings\Jaap\Application Data\GRETECH
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d——– C:\Documents and Settings\All Users\Application Data\GRETECH
    2008-09-15 16:39 . 2008-09-22 15:26 <DIR> d——– C:\Program Files\FrostWire
    2008-09-15 16:39 . 2008-09-15 16:39 <DIR> d——– C:\Documents and Settings\Jaap\Incomplete
    2008-09-15 16:39 . 2008-10-05 12:31 <DIR> d——– C:\Documents and Settings\Jaap\Application Data\FrostWire
    2008-09-15 15:59 . 2008-09-15 15:59 <DIR> d——– C:\Documents and Settings\All Users\Application Data\CanonIJPLM
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d——– C:\Program Files\Common Files\ScanSoft Shared
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d——– C:\Documents and Settings\Jaap\Application Data\ScanSoft
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d——– C:\Documents and Settings\All Users\Application Data\ScanSoft
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d——– C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-09-15 15:56 . 2008-09-15 15:56 412 –a—— C:\WINDOWS\MAXLINK.INI
    2008-09-15 15:55 . 2008-09-15 15:55 <DIR> d——– C:\Program Files\ScanSoft
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d–h—– C:\WINDOWS\system32\CanonIJ Uninstaller Information
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d–h—– C:\Program Files\CanonBJ
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d–h—– C:\Documents and Settings\All Users\Application Data\CanonBJ
    2008-09-15 15:52 . 2007-03-18 22:00 215,040 –a—— C:\WINDOWS\system32\CNMLM8S.DLL
    2008-09-15 15:51 . 2008-09-15 15:59 <DIR> d——– C:\Program Files\Canon
    2008-09-15 15:50 . 2008-04-13 20:45 15,104 –a—— C:\WINDOWS\system32\drivers\usbscan.sys
    2008-09-15 15:50 . 2008-04-13 20:45 15,104 –a–c— C:\WINDOWS\system32\dllcache\usbscan.sys
    2008-09-15 15:47 . 2008-04-13 20:45 32,128 –a—— C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-09-15 15:47 . 2008-04-13 20:47 25,856 –a—— C:\WINDOWS\system32\drivers\usbprint.sys
    2008-09-15 15:27 . 2008-09-15 15:27 <DIR> d——– C:\Documents and Settings\Jaap\Application Data\Ahead
    2008-09-15 15:26 . 2008-09-15 15:26 <DIR> d——– C:\Program Files\Nero
    2008-09-15 15:26 . 2008-09-15 15:27 <DIR> d——– C:\Program Files\Common Files\Ahead
    2008-09-15 14:46 . 2006-11-17 05:40 18,804,736 –a—— C:\WINDOWS\system32\alsndmgr.cpl
    2008-09-15 14:46 . 2006-12-08 15:20 10,528,768 –a—— C:\WINDOWS\system32\RTLCPL.exe
    2008-09-15 14:46 . 2008-08-06 15:45 4,122,112 -ra—— C:\WINDOWS\system32\drivers\alcxwdm.sys
    2008-09-15 14:46 . 2007-04-16 15:28 577,536 –a—— C:\WINDOWS\soundman.exe
    2008-09-15 14:46 . 2006-10-18 02:53 147,456 –a—— C:\WINDOWS\system32\RtlCPAPI.dll
    2008-09-15 14:46 . 2002-02-05 13:54 141,016 –a—— C:\WINDOWS\system32\alsndmgr.wav
    2008-09-15 14:46 . 2006-08-01 15:02 49,152 –a—— C:\WINDOWS\system32\ChCfg.exe
    2008-09-15 14:45 . 2008-09-15 14:45 <DIR> d——– C:\Program Files\Realtek AC97
    2008-09-15 14:44 . 2006-07-31 11:19 315,392 –a—— C:\WINDOWS\alcupd.exe
    2008-09-15 14:44 . 2006-07-31 11:27 217,088 –a—— C:\WINDOWS\alcrmv.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-13 11:54 ——— d—–w C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-15 13:56 ——— d—–w C:\Program Files\Common Files\InstallShield
    2008-09-15 12:44 ——— d–h–w C:\Program Files\InstallShield Installation Information
    2008-09-13 11:10 97,928 —-a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-09-13 11:10 76,040 —-a-w C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-09-13 11:10 10,520 —-a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-09-11 18:39 ——— d—–w C:\Program Files\Java
    2008-09-11 18:38 ——— d—–w C:\Program Files\Common Files\Java
    2008-09-11 18:24 ——— d—–w C:\Program Files\Foxit Software
    2008-09-11 16:10 ——— d—–w C:\Documents and Settings\All Users\Application Data\IM
    2008-09-11 16:08 ——— d—–w C:\Program Files\IncrediMail
    2008-09-11 16:07 ——— d—–w C:\Documents and Settings\All Users\Application Data\IncrediMail
    2008-09-11 14:25 ——— d—–w C:\Program Files\Keyboard
    2008-09-11 12:32 ——— d—–w C:\Documents and Settings\All Users\Application Data\NVIDIA
    2008-09-11 12:26 315,392 —-a-w C:\WINDOWS\HideWin.exe
    2008-09-11 12:09 ——— d—–w C:\Program Files\microsoft frontpage
    2008-07-25 08:34 81,920 —-a-w C:\WINDOWS\system32\dpl100.dll
    2008-07-25 08:34 683,520 —-a-w C:\WINDOWS\system32\divx.dll
    2008-07-23 16:50 3,596,288 —-a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-07-18 20:10 94,920 —-a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 20:10 53,448 —-a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 20:10 45,768 —-a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 20:10 36,552 —-a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 20:09 563,912 —-a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 20:09 325,832 —-a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 20:09 205,000 —-a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 20:09 1,811,656 —-a-w C:\WINDOWS\system32\wuaueng.dll
    .

    ——- Sigcheck ——-

    2008-04-14 19:03 14336 e410ec73e2be2a41d923b006f51c8427 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

    2008-04-14 19:03 510464 1247d4d5444e28519bbe31be8ab4c029 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

    md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
    2008-04-14 19:02 1037312 aa04f042a820bf1868e643575887e1a6 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

    2008-04-14 19:03 109056 b77bc5cd88eb96d4352af5202ec4aec2 C:\WINDOWS\ServicePackFiles\i386\services.exe
    md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

    2008-04-14 19:03 13312 8754210a3399d19610ce2d71e0c3e5d9 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

    2008-04-14 19:03 57856 db454135de1a09fe7feda7b554b5cca2 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
    md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
    .
    ((((((((((((((((((((((((((((( snapshot@2008-10-13_11.58.24.39 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-11 10:08:41 16,384 —-a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-10-13 10:05:53 16,384 —-a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-10-11 10:08:41 32,768 —-a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    + 2008-10-13 10:05:53 32,768 —-a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    - 2008-10-11 10:08:41 32,768 —-a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-10-13 10:05:53 32,768 —-a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-05-09 11:15:51 45,376 —-a-w C:\WINDOWS\system32\drivers\avgntdd.sys
    + 2008-01-21 16:11:28 22,336 —-a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
    + 2008-06-27 13:03:55 75,072 —-a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2007-03-01 08:34:22 28,352 —-a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
    "RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-31 7634944]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-31 86016]
    "iKeyWorks"="C:\PROGRA~1\Keyboard\Ikeymain.exe" [2002-11-22 73728]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "nwiz"="nwiz.exe" [2006-10-31 C:\WINDOWS\system32\nwiz.exe]
    "C-Media Mixer"="Mixer.exe" [2002-07-12 C:\WINDOWS\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "eESME"= {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll [2008-04-14 32768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    –a—— 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\Program Files\\FrostWire\\FrostWire.exe"=
    "C:\\WINDOWS\\system32\\mmc.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-13 97928]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-13 76040]
    R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
    R2 mbamdrvservice;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-09-10 17200]
    R2 mbamservice;MBAMService;C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe [2008-09-10 110256]
    S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [ ]
    S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [ ]
    S2 rznvrrnn;rznvrrnn;C:\WINDOWS\system32\drivers\rznvrrnn.sys [ ]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-13 15:29:51
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    ———————— Andere Aktieve Processen ————————
    .
    C:\WINDOWS\system32\scardsvr.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Keyboard\Ikeymain.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\IncrediMail\bin\ImApp.exe
    C:\Utilities\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
    .
    **************************************************************************
    .
    Voltooingstijd: 2008-10-13 15:32:21 - machine werd herstart [Jaap]
    ComboFix-quarantined-files.txt 2008-10-13 13:32:13
    ComboFix2.txt 2008-10-13 12:06:39
    ComboFix3.txt 2008-10-13 10:20:38

    Pre-Run: 46,615,797,760 bytes beschikbaar
    Post-Run: 46,605,328,384 bytes beschikbaar

    227 — E O F — 2008-09-23 08:49:58


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:35:49, on 13-10-2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\Keyboard\Ikeymain.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\IncrediMail\bin\IMApp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Utilities\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
    C:\WINDOWS\explorer.exe
    C:\Utilities\Totalcmd\TOTALCMD.EXE
    D:\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221139598308
    O20 - AppInit_DLLs: avgrsstx.dll
    O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
    O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: MBAMService (mbamservice) - Malwarebytes Corporation - C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    End of file - 5941 bytes
  • Next attempt:

    Open a Notepad file.

    Copy and paste the text below into it.

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "eESME"=-

    Save this file to your desktop as CFScript.txt.

    Drag CFScript.txt onto ComboFix.exe.
    This will make ComboFix restart. Reboot if asked to.

    Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

    O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll

    Click 'Fix checked' to remove the items.

    After the reboot, post the contents of ComboFix.txt in your next message and let me know whether that O21 line has now finally given up the ghost.
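As an added example (not from this thread, and not part of ComboFix or HijackThis): a small Python script that parses two HijackThis logs and reports which entries were removed, added, or survived a fix, which is the check being done by hand in this thread. The function names and the two sample logs are this example's own; the sample log lines are built from entries quoted above.

```python
"""
Added example, not code from this thread or from ComboFix/HijackThis:
parse HijackThis-style logs and report which autostart entries survived
a fix attempt. The sample logs below are constructed from entries quoted
in the thread (the O21 SSODL entry, the O20 AppInit_DLLs entry, the O23
PsExec service), not copied from a real machine.
"""
import re

# A HijackThis entry line looks like: "O21 - SSODL: eESME - {CLSID} - C:\...\zh.dll"
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Body of an O21 line: "SSODL: <name> - {<clsid>} - <dll path>"
SSODL_BODY = re.compile(
    r"^SSODL: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)\s*$"
)


def parse_hjt(text):
    """Return a set of (section, body) pairs for every HijackThis entry line.

    Header lines ('Logfile of ...', 'Running processes:') and bare process
    paths do not have the '<section> - <body>' shape and are skipped.
    """
    entries = set()
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.add((m["section"], m["body"].strip()))
    return entries


def diff_logs(before_text, after_text):
    """Split entries into removed / added / persistent between two scans."""
    before = parse_hjt(before_text)
    after = parse_hjt(after_text)
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "persistent": sorted(before & after),
    }


def survivors(scans, section):
    """Entries of one section (e.g. 'O21') that appear in every scan of a series.

    An entry still present after each fix attempt points to something that
    re-creates it, which is the behaviour of the eESME entry in this thread.
    """
    sets = [{body for sec, body in parse_hjt(s) if sec == section} for s in scans]
    if not sets:
        return []
    return sorted(set.intersection(*sets))


def parse_ssodl(body):
    """Break an O21 body into (name, CLSID, DLL path); None if it is not an SSODL body."""
    m = SSODL_BODY.match(body)
    return (m["name"], m["clsid"].upper(), m["path"]) if m else None


# Constructed sample logs (entries taken from this thread; headers abbreviated).
SCAN_1 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
"""

SCAN_2 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: eESME - {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll
"""

if __name__ == "__main__":
    report = diff_logs(SCAN_1, SCAN_2)
    for kind in ("removed", "added", "persistent"):
        for section, body in report[kind]:
            print(f"{kind:10} {section} - {body}")
    # Entries of the O21 section that survived every scan, decoded into parts.
    for body in survivors([SCAN_1, SCAN_2], "O21"):
        name, clsid, path = parse_ssodl(body)
        print(f"O21 survived both scans: {name} {clsid} -> {path}")
```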
  • It just won't work... After the fix it seems gone, and after a new scan it is back in the same way.
    Here only the ComboFix log.

    ComboFix 08-10-12.01 - Jaap 2008-10-13 16:11:06.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.548 [GMT 2:00]
    Gestart vanuit: C:\Documents and Settings\Jaap\Bureaublad\ComboFix.exe
    gebruikte Opdracht switches :: C:\Documents and Settings\Jaap\Bureaublad\CFScript.txt
    * Nieuw herstelpunt werd aangemaakt
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2008-09-13 to 2008-10-13 ))))))))))))))))))))))))))))))
    .

    2008-10-13 16:00 . 2008-10-13 16:00 <DIR> dr-h----- C:\Documents and Settings\Jaap\Onlangs geopend
    2008-10-13 14:34 . 2008-10-13 14:34 <DIR> d-------- C:\Program Files\Avira
    2008-10-13 14:34 . 2008-10-13 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2008-10-13 13:47 . 2008-10-13 13:47 <DIR> d-------- C:\Program Files\VS Revo Group
    2008-10-13 11:27 . 2001-09-06 19:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2008-10-13 11:27 . 2008-04-13 20:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2008-10-11 13:00 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-11 12:58 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-11 12:55 . 2008-09-11 14:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d-------- C:\Documents and Settings\Administrator\Mijn documenten
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
    2008-10-11 12:55 . 2008-09-11 16:01 <DIR> d-------- C:\Documents and Settings\Administrator\Favorieten
    2008-10-11 12:55 . 2008-10-13 14:28 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
    2008-10-11 12:55 . 2008-10-11 12:55 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-10-11 12:43 . 2008-10-11 12:43 <DIR> d-------- C:\Program Files\InCode Solutions
    2008-10-11 12:34 . 2008-10-11 12:34 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
    2008-10-10 16:11 . 2008-10-10 16:11 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\Malwarebytes
    2008-10-10 16:11 . 2008-10-10 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-22 15:09 . 2008-09-22 15:14 <DIR> d-------- C:\Program Files\Picasa2
    2008-09-22 15:09 . 2008-09-22 15:09 <DIR> d-------- C:\Program Files\Google
    2008-09-22 15:09 . 2006-10-05 04:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-09-22 15:09 . 2006-10-05 04:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-09-22 14:26 . 2008-09-22 14:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-09-22 14:15 . 2008-09-22 14:15 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
    2008-09-22 13:04 . 2008-09-22 13:04 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\MSN6
    2008-09-22 13:04 . 2008-09-22 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2008-09-16 16:36 . 2008-09-16 16:36 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-09-16 10:43 . 2008-09-16 10:43 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\Canon
    2008-09-15 17:21 . 2008-09-15 17:21 25 --a------ C:\WINDOWS\mixerdef.ini
    2008-09-15 17:17 . 2008-09-15 17:17 <DIR> d-------- C:\Program Files\GNU
    2008-09-15 17:16 . 2008-09-26 13:14 116 --a------ C:\WINDOWS\NeroDigital.ini
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d-------- C:\Program Files\GRETECH
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\GRETECH
    2008-09-15 16:45 . 2008-09-15 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
    2008-09-15 16:39 . 2008-09-22 15:26 <DIR> d-------- C:\Program Files\FrostWire
    2008-09-15 16:39 . 2008-09-15 16:39 <DIR> d-------- C:\Documents and Settings\Jaap\Incomplete
    2008-09-15 16:39 . 2008-10-05 12:31 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\FrostWire
    2008-09-15 15:59 . 2008-09-15 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\ScanSoft
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
    2008-09-15 15:56 . 2008-09-15 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-09-15 15:56 . 2008-09-15 15:56 412 --a------ C:\WINDOWS\MAXLINK.INI
    2008-09-15 15:55 . 2008-09-15 15:55 <DIR> d-------- C:\Program Files\ScanSoft
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d--h----- C:\Program Files\CanonBJ
    2008-09-15 15:52 . 2008-09-15 15:52 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
    2008-09-15 15:52 . 2007-03-18 22:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8S.DLL
    2008-09-15 15:51 . 2008-09-15 15:59 <DIR> d-------- C:\Program Files\Canon
    2008-09-15 15:50 . 2008-04-13 20:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2008-09-15 15:50 . 2008-04-13 20:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
    2008-09-15 15:47 . 2008-04-13 20:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-09-15 15:47 . 2008-04-13 20:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2008-09-15 15:27 . 2008-09-15 15:27 <DIR> d-------- C:\Documents and Settings\Jaap\Application Data\Ahead
    2008-09-15 15:26 . 2008-09-15 15:26 <DIR> d-------- C:\Program Files\Nero
    2008-09-15 15:26 . 2008-09-15 15:27 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-09-15 14:46 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\alsndmgr.cpl
    2008-09-15 14:46 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
    2008-09-15 14:46 . 2008-08-06 15:45 4,122,112 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
    2008-09-15 14:46 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
    2008-09-15 14:46 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
    2008-09-15 14:46 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
    2008-09-15 14:46 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
    2008-09-15 14:45 . 2008-09-15 14:45 <DIR> d-------- C:\Program Files\Realtek AC97
    2008-09-15 14:44 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
    2008-09-15 14:44 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\alcrmv.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-15 13:56 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-09-15 12:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-13 11:10 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-09-13 11:10 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-09-13 11:10 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
    2008-09-11 18:39 --------- d-----w C:\Program Files\Java
    2008-09-11 18:38 --------- d-----w C:\Program Files\Common Files\Java
    2008-09-11 18:24 --------- d-----w C:\Program Files\Foxit Software
    2008-09-11 16:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
    2008-09-11 16:08 --------- d-----w C:\Program Files\IncrediMail
    2008-09-11 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
    2008-09-11 14:25 --------- d-----w C:\Program Files\Keyboard
    2008-09-11 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
    2008-09-11 12:26 315,392 ----a-w C:\WINDOWS\HideWin.exe
    2008-09-11 12:09 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-25 08:34 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-07-25 08:34 683,520 ----a-w C:\WINDOWS\system32\divx.dll
    2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    .

    ------- Sigcheck -------

    2008-04-14 19:03 14336 e410ec73e2be2a41d923b006f51c8427 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

    2008-04-14 19:03 510464 1247d4d5444e28519bbe31be8ab4c029 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    2008-04-14 19:03 512000 10087bdb1546f02bacee40285398bcf3 C:\WINDOWS\system32\winlogon.exe

    md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
    2008-04-14 19:02 1037312 aa04f042a820bf1868e643575887e1a6 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

    2008-04-14 19:03 109056 b77bc5cd88eb96d4352af5202ec4aec2 C:\WINDOWS\ServicePackFiles\i386\services.exe
    md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

    2008-04-14 19:03 13312 8754210a3399d19610ce2d71e0c3e5d9 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

    2008-04-14 19:03 57856 db454135de1a09fe7feda7b554b5cca2 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
    md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
    .
    ((((((((((((((((((((((((((((( snapshot@2008-10-13_11.58.24.39 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-11 10:08:41 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-10-13 10:05:53 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-10-11 10:08:41 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    + 2008-10-13 10:05:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    - 2008-10-11 10:08:41 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-10-13 10:05:53 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-05-09 11:15:51 45,376 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
    + 2008-01-21 16:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
    + 2008-06-27 13:03:55 75,072 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
    + 2007-03-01 08:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-31 7634944]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-31 86016]
    "iKeyWorks"="C:\PROGRA~1\Keyboard\Ikeymain.exe" [2002-11-22 73728]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "nwiz"="nwiz.exe" [2006-10-31 C:\WINDOWS\system32\nwiz.exe]
    "C-Media Mixer"="Mixer.exe" [2002-07-12 C:\WINDOWS\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "eESME"= {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll [2008-04-14 32768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
    "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\Program Files\\FrostWire\\FrostWire.exe"=
    "C:\\WINDOWS\\system32\\mmc.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-13 97928]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-13 76040]
    R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 101528]
    R2 mbamdrvservice;MBAMDrvService;C:\WINDOWS\system32\drivers\mbam.sys [2008-09-10 17200]
    R2 mbamservice;MBAMService;C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe [2008-09-10 110256]
    S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [ ]
    S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [ ]
    S2 rznvrrnn;rznvrrnn;C:\WINDOWS\system32\drivers\rznvrrnn.sys [ ]

    *Newly Created Service* - CATCHME
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-13 16:15:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    --------------------- DLLs Geladen Onder Lopende Processen ---------------------

    PROCES: C:\WINDOWS\explorer.exe
    -> C:\WINDOWS\system32\nview.dll
    .
    Voltooingstijd: 2008-10-13 16:16:55
    ComboFix-quarantined-files.txt 2008-10-13 14:16:41
    ComboFix2.txt 2008-10-13 13:32:23
    ComboFix3.txt 2008-10-13 12:06:39
    ComboFix4.txt 2008-10-13 10:20:38

    Pre-Run: 46.593.343.488 bytes beschikbaar
    Post-Run: 46,584,324,096 bytes beschikbaar

    206 --- E O F --- 2008-09-23 08:49:58
  • Try this:

    Open a Notepad file.

    Copy and paste the bold text below into it.

    [b]Rootkit::
    C:\WINDOWS\system32\zh.dll

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "eESME"=-[/b]

    Save this file to your desktop as CFScript.txt.

    Drag CFScript.txt onto ComboFix.exe
    This will make ComboFix restart. Reboot if asked to.

    And then once more your new Combofix.txt log, and try to fix that O21 line with HJT.

    By the way, do you have any idea what that eESME might be?
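    The symptom in this thread (the SSODL value is deleted, then shows up again in the next scan) is easiest to see by comparing the "Reg Opstartpunten" sections of two ComboFix runs rather than reading each log by hand. The Python below is an added example and is not code from the thread, from ComboFix or from HijackThis. It parses that section into registry keys, values and service lines, reports which values under a key are present in both runs (a deletion that did not stick), and lists services whose binary ComboFix marks as missing with `[ ]`. The two log snippets are constructed from lines quoted in this thread; the function names are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the "Reg Opstartpunten" block of a ComboFix log, modelled on the
# logs quoted in this thread (same lines, trimmed). Not taken from a live system.
LOG_BEFORE_FIX = r"""
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"eESME"= {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll [2008-04-14 32768]

R2 mbamservice;MBAMService;C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe [2008-09-10 110256]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [ ]
S2 rznvrrnn;rznvrrnn;C:\WINDOWS\system32\drivers\rznvrrnn.sys [ ]
"""

# Constructed: the same section from a run after the CFScript, where the SSODL value
# has come back (the situation described in the thread).
LOG_AFTER_FIX = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"eESME"= {C8FA45A0-6250-EF0A-3D98-5D40AE1325A2} - C:\WINDOWS\system32\zh.dll [2008-04-14 32768]

R2 mbamservice;MBAMService;C:\Utilities\Malwarebytes' Anti-Malware\mbamservice.exe [2008-09-10 110256]
S2 rznvrrnn;rznvrrnn;C:\WINDOWS\system32\drivers\rznvrrnn.sys [ ]
"""

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                  # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')  # "name"=data [stamp]
# R2/S2 name;display;path [stamp]  -- an empty stamp "[ ]" means ComboFix found no file
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]$"
)


def parse_startup_points(log: str) -> Tuple[Dict[str, Dict[str, str]], List[dict]]:
    """Split the section into {registry key (lowercased): {value name: data}}
    plus a list of service records with a file_present flag."""
    registry: Dict[str, Dict[str, str]] = {}
    services: List[dict] = []
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            registry.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            registry[current][m.group("name")] = m.group("data").strip()
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({
                "state": m.group("state"),
                "name": m.group("name"),
                "path": m.group("path"),
                "file_present": m.group("stamp").strip() != "",
            })
    return registry, services


def ssodl_entries(log: str) -> Dict[str, str]:
    """Values under ShellServiceObjectDelayLoad: DLLs Explorer loads at every logon."""
    registry, _ = parse_startup_points(log)
    return registry.get(SSODL_KEY.lower(), {})


def returning_values(log_before: str, log_after: str, key: str = SSODL_KEY) -> List[str]:
    """Value names under `key` present in both runs: a removal that did not stick,
    which points at something else on the machine re-creating the entry."""
    before, _ = parse_startup_points(log_before)
    after, _ = parse_startup_points(log_after)
    k = key.lower()
    return sorted(set(before.get(k, {})) & set(after.get(k, {})))


def services_with_missing_binary(log: str) -> List[str]:
    """Service names whose binary ComboFix could not find ([ ] stamp)."""
    _, services = parse_startup_points(log)
    return sorted(s["name"] for s in services if not s["file_present"])


if __name__ == "__main__":
    print("SSODL entries:", ssodl_entries(LOG_BEFORE_FIX))
    print("Came back after fix:", returning_values(LOG_BEFORE_FIX, LOG_AFTER_FIX))
    print("Services without a binary:", services_with_missing_binary(LOG_AFTER_FIX))
```

    Run stand-alone it reports `eESME` as the value that survived the fix and `rznvrrnn` as a registered service whose driver file is absent. The design point for a defender is that a value which returns after deletion is a symptom, not the cause: the comparison narrows the search to whatever else in the startup-point section could be recreating it, instead of deleting the same value a third time.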
  • Let me first say up front that I think it's great that fellow forum members go to so much trouble to find a solution to other people's problems. That doesn't mean, by the way, that I'm going to sit back with my arms folded and wait. Because KAPE had already suggested removing that O21 via Explorer, I dug into that again. I once downloaded the little program 'Unlock' from the internet and tried to delete the file with it. At first that didn't work, but after renaming the file (an option in Unlock) I managed to get rid of said file after a restart. I've run a new HJT scan several times and it stays gone! Hard to believe, but it really seems to be gone. My friend was so pleased after this that he took the PC back home, where everything also worked fine. The only small problem was that the sound didn't work. I have the feeling, though, that I'll be able to fix that on a next visit. So I hope the problem is solved with this. Should new developments arise, I'll reopen this thread. The only question I have left at the moment is this: ComboFix has created two folders on the C: drive. I thought I could delete them, but that didn't work. Is that correct?
    For now I'd like to thank KAPE warmly for the effort taken, and should problems arise again in the future, I hope to be helped in the same pleasant way.
    Regards, Gerard.


    Edit: KAPE's last message had escaped me. It probably came in while I was busy with my message!
