Vraag & Antwoord

Beveiliging & privacy

trojan horse

Anoniem
None
20 antwoorden
  • hoi ik krijg weer trojan horse meldingen ik heb een hijackthis log bijgevoegd wie kan me helpen aub!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 0:27:42, on 7-12-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    F2 - REG:system.ini: Shell=Explorer.exe pwlgsfi.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\system32\winupd.exe
    O4 - HKLM\..\Run: [svcroot] C:\WINDOWS\system32\pwlgsfi.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - HKCU\..\Run: [svcroot] C:\WINDOWS\system32\pwlgsfi.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4 .lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Startup: PrintScreen.lnk = C:\Program Files\Gadwin Systems\PrintScreen\UNWISE.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914090/activex/IPSUploader4.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast-data.com/data/objects/NpFv415.dll
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://data.myflatcast.com/data/objects/NpFv501.dll
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7124486-ADFD-4490-8FE5-D60395909174}: NameServer = 85.255.112.89;85.255.112.97
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


    End of file - 9873 bytes
  • Dat kan kloppen … onze Oekraiense "vrienden" hebben je te pakken gehad :D

    Start Hijackthis op en kies voor 'Do a system scan only'. Selecteer alleen de items hieronder genoemd:

    [b:d3758d3db3]F2 - REG:system.ini: Shell=Explorer.exe pwlgsfi.exe
    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\system32\winupd.exe
    O4 - HKLM\..\Run: [svcroot] C:\WINDOWS\system32\pwlgsfi.exe
    O4 - HKCU\..\Run: [svcroot] C:\WINDOWS\system32\pwlgsfi.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7124486-ADFD-4490-8FE5-D60395909174}: NameServer = 85.255.112.89;85.255.112.97[/b:d3758d3db3]

    Klik op 'Fix checked' om de items te verwijderen.

    Download [b:d3758d3db3]MBAM (Malwarebytes' Anti-Malware)[/b:d3758d3db3] hier :
    http://www.besttechie.net/tools/mbam-setup.exe

    Dubbelklik op mbam-setup.exe om het programma te installeren.

    Zorg ervoor dat er een vinkje geplaatst is voor Update Malwarebytes' Anti-Malware en Start Malwarebytes' Anti-Malware, Klik daarna op "Voltooien".
    Indien een update gevonden werd, zal die gedownload en geïnstalleerd worden.
    Wanneer het programma volledig up to date is, selecteer dan in het tabblad Scanner : "Snelle Scan", daarna klik op Scan.
    Het scannen kan een tijdje duren, dus wees geduldig.
    Wanneer de scan voltooid is, klik op OK, daarna "Bekijk Resultaten" om de resultaten te zien.
    Zorg ervoor dat daar alles aangevinkt is, daarna klik op: Verwijder geselecteerde.
    Na het verwijderen zal een log openen en zal er gevraagd worden om de computer opnieuw op te starten. (Zie verder)
    De log wordt automatisch bewaard door MBAM en kan je terugvinden door op de "Logs" tab te klikken in MBAM.

    Indien MBAM moeilijkheden heeft met het verwijderen van bepaalde bestanden zal het enkele meldingen geven waar je OK moet klikken.
    Daarna zal het vragen om de computer opnieuw op te starten… dus sta toe dat MBAM de computer opnieuw opstart.

    Plak de inhoud van het logje in je volgende bericht, samen met een nieuw HijackThis log.
  • de link naar mbam werkt niet misschien heb je een andere link ,heb de aangegeven dingen al verwijdert.

    alvast bedankt voor je hulp
  • [quote:d3fb41d325="kloassie"]de link naar mbam werkt niet misschien heb je een andere link ,heb de aangegeven dingen al verwijdert.[/quote:d3fb41d325] De server ligt er blijkbaar uit. Probeer deze link eens om te downloaden : http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
  • had al een setup gevonden in iedergeval bedankt!

    hier de nieuwe logs.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:34:56, on 7-12-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdzcp.exe] C:\WINDOWS\system32\kdzcp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4 .lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Startup: PrintScreen.lnk = C:\Program Files\Gadwin Systems\PrintScreen\UNWISE.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914090/activex/IPSUploader4.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast-data.com/data/objects/NpFv415.dll
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://data.myflatcast.com/data/objects/NpFv501.dll
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


    End of file - 9303 bytes




    en de mbam log

    Malwarebytes' Anti-Malware 1.31
    Database versie: 1456
    Windows 5.1.2600 Service Pack 2

    7-12-2008 9:26:55
    mbam-log-2008-12-07 (09-26-55).txt

    Scan type: Snelle Scan
    Objecten gescand: 59411
    Verstreken tijd: 12 minute(s), 14 second(s)

    Geheugenprocessen geïnfecteerd: 0
    Geheugenmodulen geïnfecteerd: 0
    Registersleutels geïnfecteerd: 5
    Registerwaarden geïnfecteerd: 0
    Registerdata bestanden geïnfecteerd: 3
    Mappen geïnfecteerd: 1
    Bestanden geïnfecteerd: 16

    Geheugenprocessen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Geheugenmodulen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{831cbac0-8283-4653-9d81-feb9f3f6e47c} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{86a44ef7-78fc-4e18-a564-b18f806f7f56} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{eb986ea8-f050-77e2-4b8d-c154bf542feb} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Registerwaarden geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registerdata bestanden geïnfecteerd:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdzcp.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d7124486-adfd-4490-8fe5-d60395909174}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.89;85.255.112.97 -> Delete on reboot.

    Mappen geïnfecteerd:
    C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Bestanden geïnfecteerd:
    C:\WINDOWS\system32\kdzcp.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
    C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-C5.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-207.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-2B5.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-381.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-3CF.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-767.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-7AD.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-8A3.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-A2B.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-E4B.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-E9D.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-EFD.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-F07.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-F09.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
  • Heel wat opgeruimd, maar we zijn er nog niet helemaal.

    Wil je dit bestand : C:\WINDOWS\system32\kdzcp.exe eens opladen bij Jotti http://virusscan.jotti.org/ of Virustotal http://www.virustotal.com/nl/ en de resultaten ervan even tonen. Heb sterke twijfels over de legitieme aard van dit bestand.
  • het bestand niet vinden,ook niet met zoeken!!
  • OK, dat kan kloppen … zie nu net dat je eerst een nieuwe HiJackThis gerund hebt en daarna pas de Malwarebytes i.p.v. omgekeerd. MBAM heeft het bestand mee opgeruimd, zodat je het inderdaad niet meer kan vinden. Goed nieuws, dus.

    Dan lijken me de problemen opgelost, maar moet je nog één en ander doen om de resten van de besmetting op te ruimen : cleanen, besmette herstelpunten verwijderen en je JAVA kan een update gebruiken.

    Download CCleaner hier : http://www.majorgeeks.com/download4191.html

    Installeer het en start CCleaner op. Klik in de linkse kolom op “Cleaner”. Klik achtereenvolgens op ‘Analyseren’ en 'Opschonen'. Klik vervolgens in de linkse kolom op “Register” en klik op ‘Scan naar problemen”. Als er fouten gevonden worden klik je op ”Herstel geselecteerde problemen” en ”OK”. Dan krijg je de vraag om een back-up te maken. Klik op “JA”. Kies dan “Herstel alle geselecteerde fouten”. Sluit hierna CCleaner terug af.

    Het is aangewezen om de bestaande herstelpunten te verwijderen (daar zitten besmette herstelpunten tussen die je eventueel zou kunnen terugzetten) door systeemherstel tijdelijk uit te schakelen. Doe dit via Start -> Configuratiescherm -> Systeem -> Systeemherstel -> "Systeemherstel op alle stations uitschakelen" aanvinken. Toepassen en OK. PC herstarten en het vinkje terug weg halen.

    [b:23355d30d0]Je Java software is verouderd.[/b:23355d30d0]
    Oudere versies hebben lekken die malware de kans geeft om zich te installeren op je systeem.
    Download Java Runtime Environment (JRE) 6u11 naar je Bureaublad

    Sluit alle programma's die eventueel open zijn - Zeker je web browser!
  • Ga dan naar [b:23355d30d0]Start[/b:23355d30d0] > [b:23355d30d0]Configuratiescherm[/b:23355d30d0] > [b:23355d30d0]Software[/b:23355d30d0] en verwijder alle oudere versies van Java uit de Softwarelijst.
  • Vink alles aan met Java Runtime Environment (JRE of J2SE) in de naam.
  • Klik dan op [b:23355d30d0]Verwijderen[/b:23355d30d0] of op de [b:23355d30d0]Wijzig/Verwijder[/b:23355d30d0] knop.
  • Herhaal dit tot alle oudere versies verdwenen zijn.
  • Na het verwijderen van alle oudere versies, herstart je pc.
  • Dubbelklik vervolgens op [b:23355d30d0]jre-6u11-windows-i586-p.s.exe[/b:23355d30d0] op je Bureaublad om de nieuwste versie van Java te installeren.

  • That’s it !
  • KAPE voor je hulp echt top :D
  • hoi krijg weer een melding binnen,snap der niks van hier even een log van hijack this.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:29:28, on 9-12-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4 .lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Startup: PrintScreen.lnk = C:\Program Files\Gadwin Systems\PrintScreen\UNWISE.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914090/activex/IPSUploader4.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast-data.com/data/objects/NpFv415.dll
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://data.myflatcast.com/data/objects/NpFv501.dll
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7124486-ADFD-4490-8FE5-D60395909174}: NameServer = 85.255.112.233;85.255.112.151
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


    End of file - 9749 bytes
  • Onbegrijpelijk. Je antivirus is zo lek als een zeef, zou je denken … want je zit opnieuw met de Oekraieners op je dak.

    Je mag met HiJackThis dit lijntje fixen :

    [b:478be53918]O17 - HKLM\System\CCS\Services\Tcpip\..\{D7124486-ADFD-4490-8FE5-D60395909174}: NameServer = 85.255.112.233;85.255.112.151[/b:478be53918]

    Dan weer Malwarebytes (eerst updaten) laten bollen en dat logje posten. En maak dan als extra eens een log met Combofix.

    Download [b:478be53918] naar je Bureaublad.

    OPMERKING: indien je, tijdens of na het downloaden van Combofix of tijdens het gebruik van Combofix een melding krijgt van je Antivirus- of een andere realtime scanner, schakel dan deze scanner uit en [b:478be53918]download Combofix opnieuw[/b:478be53918].
    Sommige scanners zien bepaalde componenten die Combofix gebruikt als verdacht en gaan deze blokkeren of verwijderen![list:478be53918]
    Dubbelklik op [b:478be53918]Combofix.exe[/b:478be53918] om het te starten.
    Indien je Combofix al eerder hebt gebruikt, kan je een waarschuwing krijgen dat een update beschikbaar is. Sta toe dat ComboFix wordt geupdate.
    Volg de instructies, aanvaard de disclaimer door op [b:478be53918]Ja[/b:478be53918] te klikken.
    Indien de Recovery Console niet geïnstalleerd is, wordt je gevraagd om dit alsnog te doen door op [b:478be53918]JA[/b:478be53918] te klikken in het "Query - Recovery Console" venster.
    Klik op [b:478be53918]OK[/b:478be53918] en [b:478be53918]Ja[/b:478be53918] om automatisch de Recovery Console te laten installeren.
    Klik na afloop terug op [b:478be53918]Ja[/b:478be53918] om het scannen op malware te starten.
    Tijdens het runnen van de fix, [b:478be53918]NIET[/b:478be53918] in het venster klikken, want dit zal je pc doen vasthangen.[/list:u:478be53918]
    Wanneer de fix voltooid is en na herstart, zal de log [b:478be53918]Combofix.txt[/b:478be53918] openen.

    Post ook dit logje in je volgende antwoord.
  • malware log

    Malwarebytes' Anti-Malware 1.31
    Database versie: 1477
    Windows 5.1.2600 Service Pack 2

    9-12-2008 15:32:29
    mbam-log-2008-12-09 (15-32-29).txt

    Scan type: Snelle Scan
    Objecten gescand: 56177
    Verstreken tijd: 9 minute(s), 17 second(s)

    Geheugenprocessen geïnfecteerd: 0
    Geheugenmodulen geïnfecteerd: 0
    Registersleutels geïnfecteerd: 1
    Registerwaarden geïnfecteerd: 0
    Registerdata bestanden geïnfecteerd: 2
    Mappen geïnfecteerd: 1
    Bestanden geïnfecteerd: 4

    Geheugenprocessen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Geheugenmodulen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:
    HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Registerwaarden geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registerdata bestanden geïnfecteerd:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdjds.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d7124486-adfd-4490-8fe5-d60395909174}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233;85.255.112.151 -> Delete on reboot.

    Mappen geïnfecteerd:
    C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Bestanden geïnfecteerd:
    C:\WINDOWS\system32\kdjds.exe (Rootkit.DNSChanger.H) -> Delete on reboot.
    C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-7E1.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\TEMP\tempo-B8B.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.


    combofix log

    ComboFix 08-12-07.04 - Administrator 2008-12-09 15:43:28.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.541 [GMT 1:00]
    Gestart vanuit: c:\documents and settings\Administrator\Bureaublad\ComboFix.exe
    * Nieuw herstelpunt werd aangemaakt
    * Resident AV is active

    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp1.tmp
    c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp
    c:\documents and settings\All Users\Menu Start\Programma's\ADSTechnology
    c:\documents and settings\All Users\Menu Start\Programma's\ADSTechnology\ADSTechnology.lnk
    c:\documents and settings\All Users\Menu Start\Programma's\ADSTechnology\Uninstall.lnk
    c:\documents and settings\All Users\Menu Start\Programma's\Internet Explorer.lnk
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\Temp\tmp3.tmp
    C:\xcrashdump.dat
    E:\Autorun.inf
    E:\resycled
    e:\resycled\boot.com
    F:\Autorun.inf
    F:\resycled
    f:\resycled\boot.com
    H:\Autorun.inf
    H:\resycled
    h:\resycled\boot.com
    I:\Autorun.inf
    I:\resycled
    i:\resycled\boot.com
    J:\Autorun.inf
    J:\resycled
    j:\resycled\boot.com

    .
    (((((((((((((((((((( Bestanden Gemaakt van 2008-11-09 to 2008-12-09 ))))))))))))))))))))))))))))))
    .

    2008-12-09 15:43 . 2008-12-09 15:43 <DIR> d——– C:\quarantine
    2008-12-07 22:28 . 2008-12-07 22:28 410,984 –a—— c:\windows\system32\deploytk.dll
    2008-12-07 22:28 . 2008-12-07 22:28 73,728 –a—— c:\windows\system32\javacpl.cpl
    2008-12-07 22:27 . 2008-12-07 22:27 <DIR> d——– c:\program files\Java
    2008-12-07 22:07 . 2008-12-08 15:49 <DIR> dr-h—– c:\documents and settings\Administrator\Onlangs geopend
    2008-12-07 21:44 . 2008-12-09 15:36 <DIR> d-a—— c:\documents and settings\All Users\Application Data\TEMP
    2008-12-07 21:44 . 2008-12-07 21:44 7,513,456 –a—— C:\rminstall.exe
    2008-12-07 09:11 . 2008-12-07 09:11 1,649,976 –a—— C:\mbam-setup.exe
    2008-12-07 00:25 . 2008-12-07 00:25 812,344 –a—— C:\HJTInstall.exe
    2008-12-04 12:16 . 2008-12-04 12:16 74,282 –a—— C:\keygen_Wieser_Software_RIP_Vinyl_V3_32_3552.exe
    2008-12-04 12:16 . 2008-12-04 12:16 74,282 –a—— C:\crack_Wieser_Software_RIP_Vinyl_V3_32_3552.exe
    2008-12-04 12:16 . 2008-12-04 12:16 27,904 –a—— c:\windows\system32\drivers\ndisprot.sys
    2008-11-25 18:44 . 2008-11-25 18:44 <DIR> d——– c:\program files\Peer2Mail
    2008-11-25 18:41 . 2008-11-25 18:41 1,751,795 –a—— c:\program files\P2MSetup.exe
    2008-11-24 18:53 . 2008-11-24 18:54 <DIR> d——– c:\program files\Snow for Windows
    2008-11-20 17:27 . 2008-11-28 08:42 147,517 –a—— c:\windows\system32\winupd
    2008-11-17 16:43 . 2008-11-17 16:43 1,070,948 –a—— C:\NZBLeecher.exe
    2008-11-13 18:19 . 2008-11-13 18:20 <DIR> d——– c:\program files\Radio Toolbox
    2008-11-13 18:19 . 2008-11-13 18:19 362,312 –a—— c:\program files\rtbsetup-1-1-1.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-09 14:37 ——— d—–w c:\documents and settings\Administrator\Application Data\OpenOffice.org2
    2008-12-09 14:36 ——— d—–w c:\documents and settings\Administrator\Application Data\AdobeUM
    2008-12-08 22:30 ——— d—–w c:\documents and settings\All Users\Application Data\avg7
    2008-12-07 08:12 ——— d—–w c:\program files\Malwarebytes' Anti-Malware
    2008-12-06 10:15 ——— d—–w c:\documents and settings\Administrator\Application Data\LimeWire
    2008-12-03 18:52 38,496 —-a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-03 18:52 15,504 —-a-w c:\windows\system32\drivers\mbam.sys
    2008-11-03 17:40 ——— d—–w c:\program files\LimeWire
    2008-11-01 13:10 ——— d—–w c:\program files\Winamp
    2008-10-30 20:14 ——— d—–w c:\program files\7-Zip
    2008-10-24 11:25 455,936 —-a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-20 14:40 ——— d—–w c:\program files\UnderCoverXP
    2008-10-20 14:39 846,679 —-a-w c:\program files\undercoverxp.zip
    2008-10-17 12:17 ——— d—–w c:\program files\Rip Vinyl
    2008-10-17 12:16 ——— d—–w c:\program files\ripvinyl
    2008-10-16 13:13 202,776 —-a-w c:\windows\system32\wuweb.dll
    2008-10-16 13:13 1,809,944 —-a-w c:\windows\system32\wuaueng.dll
    2008-10-16 13:12 561,688 —-a-w c:\windows\system32\wuapi.dll
    2008-10-16 13:12 323,608 —-a-w c:\windows\system32\wucltui.dll
    2008-10-16 13:09 92,696 —-a-w c:\windows\system32\cdm.dll
    2008-10-16 13:09 51,224 —-a-w c:\windows\system32\wuauclt.exe
    2008-10-16 13:09 43,544 —-a-w c:\windows\system32\wups2.dll
    2008-10-16 13:08 34,328 —-a-w c:\windows\system32\wups.dll
    2008-10-16 13:06 268,648 —-a-w c:\windows\system32\mucltui.dll
    2008-10-16 13:06 208,744 —-a-w c:\windows\system32\muweb.dll
    2008-10-15 18:12 ——— d—–w c:\program files\FTDv3.8
    2008-10-15 18:11 2,416,301 —-a-w c:\program files\SetupFTD3.8.4.zip
    2008-10-12 16:48 2,459,395 —-a-w c:\program files\SetupFTD3.8.4.exe
    2008-09-30 15:43 1,286,152 —-a-w c:\windows\system32\msxml4.dll
    2008-09-15 15:17 1,847,040 —-a-w c:\windows\system32\win32k.sys
    2008-08-29 12:11 2,085,280 —-a-w c:\program files\mbam-setup.exe
    2007-09-03 10:08 2,320,867 —-a-w c:\program files\SetupFTD3.8.zip
    2004-03-11 11:27 40,960 —-a-w c:\program files\Uninstall_CDS.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-09-08 3513344]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
    "RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 339968]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
    "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
    "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
    "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
    "!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
    "AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
    "SoundMan"="SOUNDMAN.EXE" [2002-12-31 c:\windows\SOUNDMAN.EXE]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
    "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-13 219136]

    c:\documents and settings\Administrator\Menu Start\Programma's\Opstarten\
    OpenOffice.org 2.4 .lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
    PrintScreen.lnk - c:\program files\Gadwin Systems\PrintScreen\UNWISE.EXE [2007-06-25 164864]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-06-24 98304]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-06-25 106560]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3acm"= l3codecp.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Radio Toolbox\\rtb.exe"=

    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-06-25 58464]
    R2 fssfltr;FssFltr;c:\windows\system32\DRIVERS\fssfltr.sys [2008-10-06 56344]
    R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2007-06-24 14092]
    S3 fsssvc;Windows Live Family Safety;"c:\program files\Windows Live\Family Safety\fsssvc.exe" [2008-09-04 512536]
    S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-12-04 27904]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{167ea00c-aca0-11dd-8ae8-001bfc564fcd}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com m:
    \Shell\Open\command - m:\resycled\boot.com m:

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    - - - - ORPHANS VERWIJDERD - - - -

    HKLM-Run-Cmaudio - cmicnfg.cpl


    .
    ——- Bijkomende Scan ——-
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\IPSUploader4.ocx
    O16 -: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4}
    hxxp://as.photoprintit.de/ips-opdata/74914090/activex/IPSUploader4.cab
    c:\windows\Downloaded Program Files\IPSUploader4.inf

    c:\windows\Downloaded Program Files\NpFv415.dll - O16 -: {E55FD215-A32E-43FE-A777-A7E8F165F551}
    hxxp://www.flatcast-data.com/data/objects/NpFv415.dll

    c:\windows\Downloaded Program Files\NpFv501.dll - O16 -: {E55FD215-A32E-43FE-A777-A7E8F165F557}
    hxxp://data.myflatcast.com/data/objects/NpFv501.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-09 15:45:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    ——————— DLLs Geladen Onder Lopende Processen ———————

    - - - - - - - > 'winlogon.exe'(708)
    c:\windows\system32\Ati2evxx.dll
    .
    Voltooingstijd: 2008-12-09 15:47:07
    ComboFix-quarantined-files.txt 2008-12-09 14:46:52

    Pre-Run: 21.119.496.192 bytes beschikbaar
    Post-Run: 21,272,129,536 bytes beschikbaar

    WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    196 — E O F — 2008-11-12 21:50:23
  • Dit is weer een heel ander verhaal … en Combofix heeft al flink huisgehouden.

    Eerst enkele vraagjes : dit zijn voor mij onduidelijke (onbetrouwbare ?) bestanden. Of ben jij zeker dat deze wel te vertrouwen zijn ?

    [b:d0dc301fe8]C:\keygen_Wieser_Software_RIP_Vinyl_V3_32_3552.exe
    C:\crack_Wieser_Software_RIP_Vinyl_V3_32_3552.exe[/b:d0dc301fe8]

    Wil je eens melden welke bestanden er in deze map zitten ?

    c:\windows\system32\[b:d0dc301fe8]winupd[/b:d0dc301fe8]

    En dan iets om nu al uit te voeren :

    Open een kladblokbestand.

    Kopieer en plak daarin de onderstaande vetgedrukte tekst.

    [b:d0dc301fe8]Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{167ea00c-aca0-11dd-8ae8-001bfc564fcd}][/b:d0dc301fe8]

    Sla dit bestand op je bureaublad op als CFScript.txt.

    Sleep CFScript.txt in ComboFix.exe

    Dit zal ComboFix doen herstarten. Start opnieuw op als dat gevraagd wordt.

    Post na herstart de inhoud van de Combofix.txt in je volgende bericht samen met een nieuw logje van HijackThis.
  • ik heb de 2 bestanden verwijdert heb iik niet nodig,dacht dat dit nieuwe versie was voor rip vinyl.

    verder de map winupd is niet te vinden in de map system32.


    combofix log

    ComboFix 08-12-07.04 - Administrator 2008-12-09 16:27:25.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.491 [GMT 1:00]
    Gestart vanuit: c:\documents and settings\Administrator\Bureaublad\ComboFix.exe
    gebruikte Opdracht switches :: c:\documents and settings\Administrator\Bureaublad\CFScript.txt..txt
    * Nieuw herstelpunt werd aangemaakt
    * Resident AV is active

    .

    (((((((((((((((((((( Bestanden Gemaakt van 2008-11-09 to 2008-12-09 ))))))))))))))))))))))))))))))
    .

    2008-12-09 15:43 . 2008-12-09 16:27 <DIR> d——– C:\quarantine
    2008-12-07 22:28 . 2008-12-07 22:28 410,984 –a—— c:\windows\system32\deploytk.dll
    2008-12-07 22:28 . 2008-12-07 22:28 73,728 –a—— c:\windows\system32\javacpl.cpl
    2008-12-07 22:27 . 2008-12-07 22:27 <DIR> d——– c:\program files\Java
    2008-12-07 22:07 . 2008-12-09 16:25 <DIR> dr-h—– c:\documents and settings\Administrator\Onlangs geopend
    2008-12-07 21:44 . 2008-12-09 15:36 <DIR> d-a—— c:\documents and settings\All Users\Application Data\TEMP
    2008-12-07 21:44 . 2008-12-07 21:44 7,513,456 –a—— C:\rminstall.exe
    2008-12-07 09:11 . 2008-12-07 09:11 1,649,976 –a—— C:\mbam-setup.exe
    2008-12-07 00:25 . 2008-12-07 00:25 812,344 –a—— C:\HJTInstall.exe
    2008-12-04 12:16 . 2008-12-04 12:16 27,904 –a—— c:\windows\system32\drivers\ndisprot.sys
    2008-11-25 18:44 . 2008-11-25 18:44 <DIR> d——– c:\program files\Peer2Mail
    2008-11-25 18:41 . 2008-11-25 18:41 1,751,795 –a—— c:\program files\P2MSetup.exe
    2008-11-24 18:53 . 2008-11-24 18:54 <DIR> d——– c:\program files\Snow for Windows
    2008-11-20 17:27 . 2008-11-28 08:42 147,517 –a—— c:\windows\system32\winupd
    2008-11-17 16:43 . 2008-11-17 16:43 1,070,948 –a—— C:\NZBLeecher.exe
    2008-11-13 18:19 . 2008-11-13 18:20 <DIR> d——– c:\program files\Radio Toolbox
    2008-11-13 18:19 . 2008-11-13 18:19 362,312 –a—— c:\program files\rtbsetup-1-1-1.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-09 14:37 ——— d—–w c:\documents and settings\Administrator\Application Data\OpenOffice.org2
    2008-12-09 14:36 ——— d—–w c:\documents and settings\Administrator\Application Data\AdobeUM
    2008-12-08 22:30 ——— d—–w c:\documents and settings\All Users\Application Data\avg7
    2008-12-07 08:12 ——— d—–w c:\program files\Malwarebytes' Anti-Malware
    2008-12-06 10:15 ——— d—–w c:\documents and settings\Administrator\Application Data\LimeWire
    2008-12-03 18:52 38,496 —-a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-03 18:52 15,504 —-a-w c:\windows\system32\drivers\mbam.sys
    2008-11-03 17:40 ——— d—–w c:\program files\LimeWire
    2008-11-01 13:10 ——— d—–w c:\program files\Winamp
    2008-10-30 20:14 ——— d—–w c:\program files\7-Zip
    2008-10-24 11:25 455,936 —-a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-20 14:40 ——— d—–w c:\program files\UnderCoverXP
    2008-10-20 14:39 846,679 —-a-w c:\program files\undercoverxp.zip
    2008-10-17 12:17 ——— d—–w c:\program files\Rip Vinyl
    2008-10-17 12:16 ——— d—–w c:\program files\ripvinyl
    2008-10-16 13:13 202,776 —-a-w c:\windows\system32\wuweb.dll
    2008-10-16 13:13 1,809,944 —-a-w c:\windows\system32\wuaueng.dll
    2008-10-16 13:12 561,688 —-a-w c:\windows\system32\wuapi.dll
    2008-10-16 13:12 323,608 —-a-w c:\windows\system32\wucltui.dll
    2008-10-16 13:09 92,696 —-a-w c:\windows\system32\cdm.dll
    2008-10-16 13:09 51,224 —-a-w c:\windows\system32\wuauclt.exe
    2008-10-16 13:09 43,544 —-a-w c:\windows\system32\wups2.dll
    2008-10-16 13:08 34,328 —-a-w c:\windows\system32\wups.dll
    2008-10-16 13:06 268,648 —-a-w c:\windows\system32\mucltui.dll
    2008-10-16 13:06 208,744 —-a-w c:\windows\system32\muweb.dll
    2008-10-15 18:12 ——— d—–w c:\program files\FTDv3.8
    2008-10-15 18:11 2,416,301 —-a-w c:\program files\SetupFTD3.8.4.zip
    2008-10-12 16:48 2,459,395 —-a-w c:\program files\SetupFTD3.8.4.exe
    2008-09-30 15:43 1,286,152 —-a-w c:\windows\system32\msxml4.dll
    2008-09-15 15:17 1,847,040 —-a-w c:\windows\system32\win32k.sys
    2008-08-29 12:11 2,085,280 —-a-w c:\program files\mbam-setup.exe
    2007-09-03 10:08 2,320,867 —-a-w c:\program files\SetupFTD3.8.zip
    2004-03-11 11:27 40,960 —-a-w c:\program files\Uninstall_CDS.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-09-08 3513344]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
    "RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 339968]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
    "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
    "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
    "PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
    "!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
    "AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
    "SoundMan"="SOUNDMAN.EXE" [2002-12-31 c:\windows\SOUNDMAN.EXE]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
    "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-13 219136]

    c:\documents and settings\Administrator\Menu Start\Programma's\Opstarten\
    OpenOffice.org 2.4 .lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
    PrintScreen.lnk - c:\program files\Gadwin Systems\PrintScreen\UNWISE.EXE [2007-06-25 164864]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-06-24 98304]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-06-25 106560]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3acm"= l3codecp.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Radio Toolbox\\rtb.exe"=

    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-06-25 58464]
    R2 fssfltr;FssFltr;c:\windows\system32\DRIVERS\fssfltr.sys [2008-10-06 56344]
    R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2007-06-24 14092]
    S3 fsssvc;Windows Live Family Safety;"c:\program files\Windows Live\Family Safety\fsssvc.exe" [2008-09-04 512536]
    S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-12-04 27904]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    .
    ——- Bijkomende Scan ——-
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\IPSUploader4.ocx
    O16 -: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4}
    hxxp://as.photoprintit.de/ips-opdata/74914090/activex/IPSUploader4.cab
    c:\windows\Downloaded Program Files\IPSUploader4.inf

    c:\windows\Downloaded Program Files\NpFv415.dll - O16 -: {E55FD215-A32E-43FE-A777-A7E8F165F551}
    hxxp://www.flatcast-data.com/data/objects/NpFv415.dll

    c:\windows\Downloaded Program Files\NpFv501.dll - O16 -: {E55FD215-A32E-43FE-A777-A7E8F165F557}
    hxxp://data.myflatcast.com/data/objects/NpFv501.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-09 16:29:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    ——————— DLLs Geladen Onder Lopende Processen ———————

    - - - - - - - > 'winlogon.exe'(708)
    c:\windows\system32\Ati2evxx.dll
    .
    Voltooingstijd: 2008-12-09 16:30:23
    ComboFix-quarantined-files.txt 2008-12-09 15:30:09
    ComboFix2.txt 2008-12-09 14:47:09

    Pre-Run: 21.196.083.200 bytes beschikbaar
    Post-Run: 21,195,071,488 bytes beschikbaar

    156 — E O F — 2008-11-12 21:50:23


    en hier de hijackthis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:34:37, on 9-12-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4 .lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Startup: PrintScreen.lnk = C:\Program Files\Gadwin Systems\PrintScreen\UNWISE.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914090/activex/IPSUploader4.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast-data.com/data/objects/NpFv415.dll
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://data.myflatcast.com/data/objects/NpFv501.dll
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


    End of file - 9621 bytes



    grt klaas
  • [quote:909f012cbc="kloassie"]verder de map winupd is niet te vinden in de map system32[/quote:909f012cbc] Vreemd …. want in je Combofix-log zit ze wel degelijk. Hier dus : 2008-11-20 17:27 . 2008-11-28 08:42 147,517 –a—— c:\windows\system32\winupd. Maar goed … tijd voor de klassieke opruiming.

    Verwijder Combofix: Start -> Uitvoeren en typ: combofix /u
    Dit zal Combofix verwijderen + gerelateerde mappen en bestanden, herstelt de klokinstellingen opnieuw, verbergt de bestandsextensies, gaat verborgen bestanden en systeembestanden terug verbergen en maakt een nieuw herstelpunt.

    Start CCleaner opnieuw. Klik in de linkse kolom op “Cleaner”. Klik achtereenvolgens op ‘Analyseren’ en 'Opschonen'. Klik vervolgens in de linkse kolom op “Register” en klik op ‘Scan naar problemen”. Als er fouten gevonden worden klik je op ”Herstel geselecteerde problemen” en ”OK”. Dan krijg je de vraag om een back-up te maken. Klik op “JA”. Kies dan “Herstel alle geselecteerde fouten”. Sluit hierna CCleaner terug af.

    Het is aangewezen om de bestaande herstelpunten te verwijderen (daar zitten besmette herstelpunten tussen die je eventueel zou kunnen terugzetten) door systeemherstel tijdelijk uit te schakelen. Doe dit via Start -> Configuratiescherm -> Systeem -> Systeemherstel -> "Systeemherstel op alle stations uitschakelen" aanvinken. Toepassen en OK. PC herstarten en het vinkje terug weg halen.

    En dan weer even afwachten hoe de toestand nu evolueert. Alles lijkt - momenteel - weer in orde te zijn.
  • kan combofix niet verwijderen kan het bestand niet vinden staat er!!
  • [quote:4bcf8e498c="kloassie"]kan combofix niet verwijderen kan het bestand niet vinden staat er!![/quote:4bcf8e498c] Als het niet automatisch gaat, moet je deze map even manueel verwijderen met Windows Verkenner.
  • weer bedankt voor je hulp kape hier nog even een log van hijackthis,en nogmaals bedankt.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:40:43, on 9-12-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Registry Mechanic\RegMech.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4 .lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Startup: PrintScreen.lnk = C:\Program Files\Gadwin Systems\PrintScreen\UNWISE.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914090/activex/IPSUploader4.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast-data.com/data/objects/NpFv415.dll
    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F557} (Flatcast Viewer 5.0) - http://data.myflatcast.com/data/objects/NpFv501.dll
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


    End of file - 9699 bytes
  • Ziet er weer helemaal goed uit. Houden zo, nu :D
  • hahaha ja zal het proberen,misschien is de pc niet goed beveiligd ik weet het niet maar inieder geval nogmaals bedankt voor je hulp grt.
  • Beantwoord deze vraag

    Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.