Question & Answer

Security & privacy

Recurring adware WIN32:WEGIT-B and C

Anonymous
19 answers
  • Avast regularly detects adware in C:\users\Ben\AppData\Local\Temp, namely
    in small files named Component Update NUMBER. The day before yesterday the number was 793 and it was win32:Wegit-B[adw]. Tonight the number was 144 with win32:Wegit-C[adw]. How do I get it, and more importantly, how do I get rid of it, since it keeps coming back? Avast does not find it automatically, only when I have that folder scanned. Can anyone help me with this? Thanks in advance.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:51:41, on 25-3-2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Acer\Empowering Technology\eDSMSNfix.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    D:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
    C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
    C:\Users\Ben\AppData\Local\Temp\RtkBtMnt.exe
    C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
    C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\taskeng.exe
    D:\Program Files\Alwil Software\Avast4\ashChest.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Hijack this\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [eDSMSNfix] C:\Acer\Empowering Technology\eDSMSNfix.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
    O4 - Global Startup: Empowering Technology Launcher.lnk = ?
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O20 - AppInit_DLLs: eNetHook.dll
    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


    End of file - 7418 bytes
  • Download MalwareBytes' Anti-Malware and save it to your desktop.
    Double-click mbam-setup.exe to install the program.

    After the installation, make sure the following are ticked:
    - Update MalwareBytes' Anti-Malware
    - Start MalwareBytes' Anti-Malware
    Then click "Finish".
    If an update is found, it will be downloaded and installed.
    - Once the program has started, go to the "Settings" tab.
    - Tick: "Close Internet Explorer during removal of malware".
    - Then go to the "Scanner" tab and choose "Quick Scan".
    - Then press "Scan" to start the scan.
    - Scanning can take a while, so be patient.
    - When the scan is complete, click OK, then "Show Results" to see the results.
    - Make sure everything there is ticked, then click "Remove Selected".
    - After removal a log will open and you will be asked to restart the computer.
    The log is saved automatically by MalwareBytes' Anti-Malware and can be found by clicking the "Logs" tab in the program.

    Post this log.
    Download ComboFix to your desktop and use it according to this guide.
  • Thank you very much for your reply.
    Here is the log from Malwarebytes. ComboFix will not start at all. Downloaded it again with all 6 avast services turned off, but on starting ComboFix again it keeps telling me that an avast real-time scanner is active. If I continue anyway, nothing further happens. What do I need to do to get ComboFix working?

    Malwarebytes' Anti-Malware 1.35
    Database versie: 1911
    Windows 6.0.6001 Service Pack 1

    28-3-2009 16:47:48
    mbam-log-2009-03-28 (16-47-48).txt

    Scan type: Snelle Scan
    Objecten gescand: 59377
    Verstreken tijd: 4 minute(s), 4 second(s)

    Geheugenprocessen geïnfecteerd: 0
    Geheugenmodulen geïnfecteerd: 0
    Registersleutels geïnfecteerd: 0
    Registerwaarden geïnfecteerd: 0
    Registerdata bestanden geïnfecteerd: 0
    Mappen geïnfecteerd: 0
    Bestanden geïnfecteerd: 0

    Geheugenprocessen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Geheugenmodulen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registerwaarden geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registerdata bestanden geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Mappen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Bestanden geïnfecteerd:
    (Geen kwaadaardige items gevonden)
  • While I was sending the message above, ComboFix did get going after all; its log is below. The program ran for quite a long time.

    ComboFix 09-03-27.02 - Ben 2009-03-28 17:30:11.1 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1043.18.1013.317 [GMT 1:00]
    Gestart vanuit: c:\users\Ben\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1229 [VPS 081124-0] *On-access scanning enabled* (Updated)
    * Nieuw herstelpunt werd aangemaakt
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Mozilla Firefox\components\nsaddestination.dll
    c:\users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Videos.url
    c:\users\Ben\FAVORI~1\Videos.url
    c:\users\Ben\Favorites\Videos.url
    c:\windows\system32\cont_addestination-remove.exe
    c:\windows\system32\x64

    .
    (((((((((((((((((((( Bestanden Gemaakt van 2009-02-28 to 2009-03-28 ))))))))))))))))))))))))))))))
    .

    2009-03-26 18:47 . 2009-03-26 18:47 280 –a—— c:\windows\System32\PDBootState
    2009-03-26 16:53 . 2009-03-26 16:53 <DIR> d——– c:\users\All Users\Raxco
    2009-03-26 16:53 . 2009-03-26 16:53 <DIR> d——– c:\programdata\Raxco
    2009-03-25 22:47 . 2009-03-27 07:50 <DIR> d——– C:\Hijack this
    2009-03-25 22:24 . 2009-03-25 22:24 <DIR> d——– c:\program files\QuickTide_files
    2009-03-25 22:24 . 2009-03-25 22:24 <DIR> d——– c:\program files\data
    2009-03-24 19:57 . 2009-03-24 19:57 <DIR> d——– c:\users\Ben\AppData\Roaming\uniblue
    2009-03-24 18:56 . 2009-03-24 18:56 <DIR> d——– c:\users\All Users\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    2009-03-24 18:56 . 2009-03-24 18:56 <DIR> d——– c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    2009-03-24 18:56 . 2009-03-24 18:56 <DIR> d——– c:\program files\iTunes
    2009-03-24 18:56 . 2009-03-24 18:56 <DIR> d——– c:\program files\iPod
    2009-03-24 18:56 . 2008-04-17 12:12 107,368 –a—— c:\windows\System32\GEARAspi.dll
    2009-03-24 18:56 . 2009-01-15 12:19 23,848 –a—— c:\windows\System32\drivers\GEARAspiWDM.sys
    2009-03-24 18:54 . 2009-03-24 18:54 <DIR> d——– c:\program files\Bonjour
    2009-03-24 18:53 . 2009-03-24 18:54 <DIR> d——– c:\program files\QuickTime
    2009-03-19 19:56 . 2009-03-19 19:56 1,001,472 –a—— c:\program files\QuickTide.exe
    2009-03-13 23:59 . 2009-03-13 23:58 64,160 –a—— c:\windows\System32\drivers\Lbd.sys
    2009-03-11 10:28 . 2008-12-16 04:29 8,147,456 –a—— c:\windows\System32\wmploc.DLL
    2009-03-11 10:28 . 2009-02-09 04:10 2,033,152 –a—— c:\windows\System32\win32k.sys
    2009-03-11 10:28 . 2008-12-16 06:31 7,680 –a—— c:\windows\System32\spwmp.dll
    2009-03-11 10:28 . 2008-12-16 06:31 4,096 –a—— c:\windows\System32\msdxm.ocx
    2009-03-11 10:28 . 2008-12-16 06:31 4,096 –a—— c:\windows\System32\dxmasf.dll
    2009-03-11 10:27 . 2008-11-27 05:43 268,288 –a—— c:\windows\System32\schannel.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-28 15:24 ——— d—–w c:\programdata\Google Updater
    2009-03-27 10:25 ——— d—–w c:\users\Ben\AppData\Roaming\gtk-2.0
    2009-03-27 07:08 ——— d—–w c:\programdata\Spybot - Search & Destroy
    2009-03-26 15:49 38,496 —-a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-26 15:49 15,504 —-a-w c:\windows\system32\drivers\mbam.sys
    2009-03-25 21:24 1,707 —-a-w c:\program files\Uninstall.lnk
    2009-03-25 17:10 ——— d—–w c:\users\Ben\AppData\Roaming\LimeWire
    2009-03-25 13:44 ——— d—–w c:\users\Ben\AppData\Roaming\Belastingdienst
    2009-03-25 01:00 ——— d—–w c:\program files\Java
    2009-03-24 17:56 ——— d—–w c:\programdata\Apple Computer
    2009-03-24 17:56 ——— d—–w c:\program files\Common Files\Apple
    2009-03-20 07:09 ——— d—–w c:\users\Ben\AppData\Roaming\OpenOffice.org
    2009-03-13 22:58 15,688 —-a-w c:\windows\System32\lsdelete.exe
    2009-03-13 19:56 ——— d—–w c:\program files\Google
    2009-03-12 09:07 ——— d—–w c:\program files\Windows Mail
    2009-03-09 08:57 53,134 —-a-w c:\program files\QuickTide.htm
    2009-03-09 04:19 410,984 —-a-w c:\windows\System32\deploytk.dll
    2009-03-02 10:51 1,417 —-a-w c:\program files\QuickTide.txt
    2009-02-27 19:49 ——— d—–w c:\program files\Microsoft Silverlight
    2009-02-23 14:59 231,176 —-a-w c:\windows\System32\PDBoot.exe
    2009-02-23 14:33 ——— d—–w c:\program files\Belastingdienst
    2009-02-11 09:49 ——— d—–w c:\programdata\MyPoiWorld
    2009-02-05 21:06 51,792 —-a-w c:\windows\system32\drivers\aswMonFlt.sys
    2009-01-15 06:11 827,392 —-a-w c:\windows\System32\wininet.dll
    2008-04-24 22:06 174 –sha-w c:\program files\desktop.ini
    2007-06-13 09:25 0 —-a-w c:\users\Ben\AppData\Roaming\wklnhst.dat
    2008-03-19 23:08 16,384 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2008-03-19 23:08 32,768 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2008-03-19 23:08 16,384 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-14 68856]
    "SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-06 464168]
    "eDSMSNfix"="c:\acer\Empowering Technology\eDSMSNfix.exe" [2007-02-08 13312]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-09 614400]
    "avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-13 515416]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 c:\windows\RtHDVCpl.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=eNetHook.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^Ben^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4 .lnk]
    path=c:\users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4 .lnk
    backup=c:\windows\pss\OpenOffice.org 2.4 .lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    –a—— 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    –a—— 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    –a—— 2009-03-12 20:56 342312 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    –a—— 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    –a—— 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "IgfxTray"=c:\windows\system32\igfxtray.exe
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe"
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "WarReg_PopUp"=c:\acer\WR_PopUp\WarReg_PopUp.exe
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "Persistence"=c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UacDisableNotify"=dword:00000001
    "InternetSettingsDisableNotify"=dword:00000001
    "AutoUpdateDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{2AB76D8F-D1C7-4BC7-B8A8-37B9887713A0}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
    "{FC19A6ED-E5D2-464C-ADE1-B7BD65DECF0C}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
    "{ADAD1361-4419-4AD0-BDAB-B6733D4FC132}"= c:\program files\Acer Arcade Deluxe\VideoMagician\MagicDirector.exe:CyberLink MagicDirector
    "{56496D2E-886C-4D01-BEBC-4D602A5B037F}"= c:\program files\Acer Arcade Deluxe\DV Wizard\PowerDV.exe:CyberLink PowerDV
    "TCP Query User{258B81BD-8CE4-4BC8-AB8B-E2E0ED4B9AEB}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{2CD960AF-8837-4F76-A95B-E29CEE4F8598}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "TCP Query User{34A76EE9-EE7A-4D7E-9034-368F5FB4BCB9}d:\\program files\\real\\realplayer\\realplay.exe"= UDP:d:\program files\real\realplayer\realplay.exe:RealPlayer
    "UDP Query User{499A2F9E-C2FC-46B7-A071-A47DB158DD5C}d:\\program files\\real\\realplayer\\realplay.exe"= TCP:d:\program files\real\realplayer\realplay.exe:RealPlayer
    "{D80CCC39-A670-498B-B295-DA318BFCF60A}"= UDP:d:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
    "{79111B7D-17FA-43CA-9E56-6C7B90A7A488}"= TCP:d:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
    "{6B319AC1-F8E9-422D-AB3B-1C5471BB2241}"= UDP:d:\program files\12Voip.com\12Voip\12Voip.exe:12Voip
    "{BE307095-27CB-41C0-B724-88BD56DA985F}"= TCP:d:\program files\12Voip.com\12Voip\12Voip.exe:12Voip
    "TCP Query User{4B8CA424-D55B-4174-BEEC-76F382545928}c:\\users\\ben\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= UDP:c:\users\ben\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe
    "UDP Query User{9BB80545-8F83-4089-8849-093A1BD02D1E}c:\\users\\ben\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= TCP:c:\users\ben\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe
    "TCP Query User{C3FF6A0D-9B55-4B76-928C-6B21841C8118}d:\\program files\\ares\\ares.exe"= Disabled:UDP:d:\program files\ares\ares.exe:Ares
    "UDP Query User{1917A442-2D41-4FD1-AE84-A0B6D48CE9DA}d:\\program files\\ares\\ares.exe"= Disabled:TCP:d:\program files\ares\ares.exe:Ares
    "TCP Query User{D9D9E4FA-BB90-487B-B666-B01800775F21}c:\\program files\\utorrent\\utorrent.exe"= Disabled:UDP:c:\program files\utorrent\utorrent.exe:uTorrent
    "UDP Query User{81EF3DC7-E08F-40C8-BEF5-8EAB1A06E114}c:\\program files\\utorrent\\utorrent.exe"= Disabled:TCP:c:\program files\utorrent\utorrent.exe:uTorrent
    "TCP Query User{DB504764-8418-4B9B-97D5-30959EFC3C27}c:\\program files\\itunes\\itunes.exe"= Disabled:UDP:c:\program files\itunes\itunes.exe:iTunes
    "UDP Query User{7902B1D4-96DC-4407-9D33-D3CE951E1445}c:\\program files\\itunes\\itunes.exe"= Disabled:TCP:c:\program files\itunes\itunes.exe:iTunes
    "{68131F8D-195D-4B2C-A997-EECBD7B2ADCA}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{09805B43-E72F-478B-97FF-6B8D2A12390E}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "TCP Query User{B89190B6-F5AB-4494-A8BE-DB4CCDE57640}d:\\program files\\voipbuster.com\\voipbuster\\voipbuster.exe"= UDP:d:\program files\voipbuster.com\voipbuster\voipbuster.exe:Client to make VoIP calls.
    "UDP Query User{FEB76C32-C080-4A6C-B2A9-751C10ADFC95}d:\\program files\\voipbuster.com\\voipbuster\\voipbuster.exe"= TCP:d:\program files\voipbuster.com\voipbuster\voipbuster.exe:Client to make VoIP calls.
    "TCP Query User{63CCBDE9-FE0E-49A6-8840-966BF34B1627}d:\\program files\\limewire\\limewire.exe"= UDP:d:\program files\limewire\limewire.exe:LimeWire
    "UDP Query User{23BDAA24-8D72-4222-B9D6-1BEE012DD29F}d:\\program files\\limewire\\limewire.exe"= TCP:d:\program files\limewire\limewire.exe:LimeWire
    "{945DA298-B701-43A4-BC72-ECE8CDD6140D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{D246604F-0633-406D-A295-F1E2B7B18981}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{AFA6159F-311B-4C8B-B562-00512B095B7B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{7E79F869-3395-4D57-8A0C-ECB44A7BF420}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "DoNotAllowExceptions"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption

    R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-03-13 64160]
    R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2008-05-27 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2008-05-27 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2008-05-27 51792]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
    R2 SBSDWSCService;SBSD Security Center Service;d:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-02-14 1153368]
    S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [2007-08-13 80744]
    S4 J;J;c:\users\Ben\AppData\Local\Temp\J.exe –> c:\users\Ben\AppData\Local\Temp\J.exe [?]
    S4 LA;LA;c:\users\Ben\AppData\Local\Temp\LA.exe –> c:\users\Ben\AppData\Local\Temp\LA.exe [?]
    S4 OFXLBSW;OFXLBSW;c:\users\Ben\AppData\Local\Temp\OFXLBSW.exe –> c:\users\Ben\AppData\Local\Temp\OFXLBSW.exe [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a904703b-ee90-11dc-a4e9-0016d4d448b1}]
    \shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL J:\m.exe /s
    .
    Inhoud van de 'Gedeelde Taken' map

    2009-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-13 23:56]

    2009-03-28 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 10:08]
    .
    - - - - ORPHANS VERWIJDERD - - - -

    HKCU-Run-Acer Tour Reminder - (no file)


    .
    ——- Bijkomende Scan ——-
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.startpagina.nl/
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: postbank.nl
    FF - ProfilePath - c:\users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\zdy8hdo8.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.startpagina.nl/
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
    FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-28 17:48:17
    Windows 6.0.6001 Service Pack 1 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …


    c:\windows\TEMP\TMP0000006EA0A650A33952766F 524288 bytes executable

    Scan succesvol afgerond
    verborgen bestanden: 1

    **************************************************************************
    .
    ——————— DLLs Geladen Onder Lopende Processen ———————

    - - - - - - - > 'winlogon.exe'(772)
    c:\windows\system32\eNetHook.dll

    - - - - - - - > 'lsass.exe'(684)
    c:\windows\system32\eNetHook.dll
    .
    Voltooingstijd: 2009-03-28 17:51:10
    ComboFix-quarantined-files.txt 2009-03-28 16:50:51

    Pre-Run: 12.631.404.544 bytes beschikbaar
    Post-Run: 12,393,762,816 bytes beschikbaar

    236 — E O F — 2009-03-26 15:29:49
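The HijackThis log in the first post and the ComboFix log above both contain autostart entries (Run keys, services, and a removable-drive AutoRun command) that point at executables under the user's Temp folder, which is exactly where the reported adware kept reappearing. The Python script below is an added example, not part of this thread and not code from HijackThis, ComboFix or any other tool mentioned in it: it parses those line formats and reports every entry that runs from a temp directory or is an AutoRun command. The sample lines are constructed, modelled on the thread's logs; the regexes, function names and the `TEMP_MARKERS` list are assumptions of this example.

```python
"""Flag autostart entries that launch executables from temp directories.

Added example for this thread; it is not part of HijackThis, ComboFix or
any other tool mentioned in the posts. It understands four line shapes:
HijackThis O4 (Run keys) and O23 (services) lines, and ComboFix service
and AutoRun-command lines. An entry is reported when its executable lives
under a user's AppData\\Local\\Temp or under \\Windows\\TEMP, which is where
the poster's adware kept reappearing, or when it is a removable-media
AutoRun command. The sample lines at the bottom are constructed, modelled
on the logs in the thread.
"""
import re

# Path fragments (lower-cased, backslash separators) that legitimate
# autostart entries have no business pointing into. Assumed list.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# HijackThis: "O4 - HKLM\..\Run: [Name] C:\path\prog.exe args"
HJT_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# HijackThis: "O23 - Service: Display (short) - Vendor - C:\path\svc.exe"
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")
# ComboFix: "S4 J;J;c:\...\Temp\J.exe --> c:\...\Temp\J.exe [?]"
CF_SVC = re.compile(r"^(?P<start>[RS]\d) (?P<short>[^;]+);(?P<name>[^;]+);(?P<cmd>.+)$")
# ComboFix mountpoints2 entry: "\shell\AutoRun\command - <command line>"
CF_AUTORUN = re.compile(r"^\\shell\\AutoRun\\command - (?P<cmd>.+)$")
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|sys|scr|cmd|bat))', re.IGNORECASE)

PARSERS = (("hjt-run", HJT_O4), ("hjt-service", HJT_O23),
           ("cf-service", CF_SVC), ("cf-autorun", CF_AUTORUN))


def executable_of(cmd):
    """Return the executable path at the start of a command line."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def parse_entry(line):
    """Return (kind, name, exe) for a recognised autostart line, else None."""
    line = line.strip()
    for kind, rx in PARSERS:
        m = rx.match(line)
        if m:
            # AutoRun lines carry no entry name, so label them explicitly.
            name = m.groupdict().get("name") or "(autorun)"
            return kind, name, executable_of(m.group("cmd"))
    return None


def in_temp_dir(exe):
    """True if the path lies under a per-user or system temp directory."""
    low = exe.lower().replace("/", "\\")
    return any(marker in low for marker in TEMP_MARKERS)


def find_suspicious_autostarts(lines):
    """Entries that run from a temp directory or are AutoRun commands."""
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if entry and (entry[0] == "cf-autorun" or in_temp_dir(entry[2])):
            hits.append(entry)
    return hits


# Constructed sample lines, modelled on the thread's HijackThis and ComboFix logs.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r"O4 - HKCU\..\Run: [Component Update] C:\Users\Ben\AppData\Local\Temp\Component Update 793.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Example Updater (exupd) - Unknown owner - C:\Windows\TEMP\exupd.exe",
    r"R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2008-05-27 51792]",
    r"S4 J;J;c:\users\Ben\AppData\Local\Temp\J.exe --> c:\users\Ben\AppData\Local\Temp\J.exe [?]",
    r"\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL J:\m.exe /s",
]

if __name__ == "__main__":
    for kind, name, exe in find_suspicious_autostarts(SAMPLE_LINES):
        print(f"{kind:12} {name:28} {exe}")
```

Run it against a saved HijackThis or ComboFix log by passing the file's lines to `find_suspicious_autostarts`; on the sample input it reports the two Temp-folder Run and service entries, the `S4` service in Temp, and the AutoRun command, while the legitimate Defender, Java and avast entries are left alone. A hit is a lead for investigation, not proof of infection: some installers do stage a helper in Temp briefly, so compare the reported path with the file's timestamps and signer before acting on it.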
  • Download ATF Cleaner (mirror) (made by Atribune).

    Important: close all your browser windows (IE and/or Firefox and/or Opera) so the tool can work properly.

    Double-click ATF Cleaner to start the program.
    On the Main tab, tick Select All.
    Click the Empty Selected button.

    Do the following if you also have Firefox as a browser:

    Click the Firefox tab and tick Select All.
    If you want to keep the passwords saved by Firefox, click No in the window that appears.
    (This removes the tick from Firefox saved passwords again.)
    Click the Empty Selected button.

    Do the following if you also have Opera as a browser:

    Click the Opera tab and tick Select All.
    If you want to keep the passwords saved by Opera, click No in the window that appears.
    Click the Empty Selected button.
    Go to the Main tab and click the Exit button to close the program.

    Download Flash_Disinfector.exe and put it on your desktop: http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
    Make sure your flash drives / USB sticks / external hard disks are plugged in as well.
    Double-click Flash_Disinfector.exe to start the tool.
    When the tool has finished, the computer will restart.

    Open a Notepad file.
    Copy the code below and paste it into the Notepad file.

  • Ran ATF.
    Started Flash_Disinfector.exe after connecting the MP3 player. It does not seem to do anything; in any case the PC does not restart.
    Below is the ComboFix log.

    ComboFix 09-03-27.02 - Ben 2009-03-28 19:13:41.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1043.18.1013.346 [GMT 1:00]
    Gestart vanuit: c:\users\Ben\Desktop\ComboFix.exe
    gebruikte Opdracht switches :: c:\users\Ben\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1229 [VPS 081124-0] *On-access scanning enabled* (Updated)
    * Nieuw herstelpunt werd aangemaakt
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    F:\autorun.inf

    .
    (((((((((((((((((((( Bestanden Gemaakt van 2009-02-28 to 2009-03-28 ))))))))))))))))))))))))))))))
    .

    2009-03-26 18:47 . 2009-03-26 18:47 280 –a—— c:\windows\System32\PDBootState
    2009-03-26 16:53 . 2009-03-26 16:53 <DIR> d——– c:\users\All Users\Raxco
    2009-03-26 16:53 . 2009-03-26 16:53 <DIR> d——– c:\programdata\Raxco
    2009-03-25 22:47 . 2009-03-27 07:50 <DIR> d——– C:\Hijack this
    2009-03-25 22:24 . 2009-03-25 22:24 <DIR> d——– c:\program files\QuickTide_files
    2009-03-25 22:24 . 2009-03-25 22:24 <DIR> d——– c:\program files\data
    2009-03-24 19:57 . 2009-03-24 19:57 <DIR> d——– c:\users\Ben\AppData\Roaming\uniblue
    2009-03-24 18:56 . 2009-03-24 18:56 <DIR> d——– c:\users\All Users\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    2009-03-24 18:56 . 2009-03-24 18:56 <DIR> d——– c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    2009-03-24 18:56 . 2009-03-24 18:56 <DIR> d——– c:\program files\iTunes
    2009-03-24 18:56 . 2009-03-24 18:56 <DIR> d——– c:\program files\iPod
    2009-03-24 18:56 . 2008-04-17 12:12 107,368 –a—— c:\windows\System32\GEARAspi.dll
    2009-03-24 18:56 . 2009-01-15 12:19 23,848 –a—— c:\windows\System32\drivers\GEARAspiWDM.sys
    2009-03-24 18:54 . 2009-03-24 18:54 <DIR> d——– c:\program files\Bonjour
    2009-03-24 18:53 . 2009-03-24 18:54 <DIR> d——– c:\program files\QuickTime
    2009-03-19 19:56 . 2009-03-19 19:56 1,001,472 –a—— c:\program files\QuickTide.exe
    2009-03-13 23:59 . 2009-03-13 23:58 64,160 –a—— c:\windows\System32\drivers\Lbd.sys
    2009-03-11 10:28 . 2008-12-16 04:29 8,147,456 –a—— c:\windows\System32\wmploc.DLL
    2009-03-11 10:28 . 2009-02-09 04:10 2,033,152 –a—— c:\windows\System32\win32k.sys
    2009-03-11 10:28 . 2008-12-16 06:31 7,680 –a—— c:\windows\System32\spwmp.dll
    2009-03-11 10:28 . 2008-12-16 06:31 4,096 –a—— c:\windows\System32\msdxm.ocx
    2009-03-11 10:28 . 2008-12-16 06:31 4,096 –a—— c:\windows\System32\dxmasf.dll
    2009-03-11 10:27 . 2008-11-27 05:43 268,288 –a—— c:\windows\System32\schannel.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-28 15:24 ——— d—–w c:\programdata\Google Updater
    2009-03-27 10:25 ——— d—–w c:\users\Ben\AppData\Roaming\gtk-2.0
    2009-03-27 07:08 ——— d—–w c:\programdata\Spybot - Search & Destroy
    2009-03-26 15:49 38,496 —-a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-26 15:49 15,504 —-a-w c:\windows\system32\drivers\mbam.sys
    2009-03-25 21:24 1,707 —-a-w c:\program files\Uninstall.lnk
    2009-03-25 17:10 ——— d—–w c:\users\Ben\AppData\Roaming\LimeWire
    2009-03-25 13:44 ——— d—–w c:\users\Ben\AppData\Roaming\Belastingdienst
    2009-03-25 01:00 ——— d—–w c:\program files\Java
    2009-03-24 17:56 ——— d—–w c:\programdata\Apple Computer
    2009-03-24 17:56 ——— d—–w c:\program files\Common Files\Apple
    2009-03-20 07:09 ——— d—–w c:\users\Ben\AppData\Roaming\OpenOffice.org
    2009-03-13 22:58 15,688 —-a-w c:\windows\System32\lsdelete.exe
    2009-03-13 19:56 ——— d—–w c:\program files\Google
    2009-03-12 09:07 ——— d—–w c:\program files\Windows Mail
    2009-03-09 08:57 53,134 —-a-w c:\program files\QuickTide.htm
    2009-03-09 04:19 410,984 —-a-w c:\windows\System32\deploytk.dll
    2009-03-02 10:51 1,417 —-a-w c:\program files\QuickTide.txt
    2009-02-27 19:49 ——— d—–w c:\program files\Microsoft Silverlight
    2009-02-23 14:59 231,176 —-a-w c:\windows\System32\PDBoot.exe
    2009-02-23 14:33 ——— d—–w c:\program files\Belastingdienst
    2009-02-11 09:49 ——— d—–w c:\programdata\MyPoiWorld
    2009-02-05 21:06 51,792 —-a-w c:\windows\system32\drivers\aswMonFlt.sys
    2009-01-15 06:11 827,392 —-a-w c:\windows\System32\wininet.dll
    2008-04-24 22:06 174 –sha-w c:\program files\desktop.ini
    2007-06-13 09:25 0 —-a-w c:\users\Ben\AppData\Roaming\wklnhst.dat
    2008-03-19 23:08 16,384 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2008-03-19 23:08 32,768 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2008-03-19 23:08 16,384 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-28_17.48.57,82 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-03-28 16:11:58 2,048 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-03-28 17:10:23 2,048 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-03-28 16:11:58 2,048 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2009-03-28 17:10:23 2,048 –sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2009-03-28 16:14:08 1,572,864 —-a-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
    + 2009-03-28 17:13:00 1,572,864 —-a-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
    - 2009-03-28 16:14:14 1,347,584 —-a-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
    + 2009-03-28 17:12:54 1,347,584 —-a-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
    - 2009-03-28 16:27:26 16,384 –sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-03-28 17:11:59 16,384 –sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-03-28 16:27:26 32,768 –sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-03-28 17:11:59 32,768 –sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-03-28 16:27:26 16,384 –sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-03-28 17:11:59 16,384 –sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-03-28 16:03:06 101,250 —-a-w c:\windows\System32\perfc009.dat
    + 2009-03-28 17:53:10 101,250 —-a-w c:\windows\System32\perfc009.dat
    - 2009-03-28 16:03:06 126,854 —-a-w c:\windows\System32\perfc013.dat
    + 2009-03-28 17:53:10 126,854 —-a-w c:\windows\System32\perfc013.dat
    - 2009-03-28 16:03:06 587,178 —-a-w c:\windows\System32\perfh009.dat
    + 2009-03-28 17:53:10 587,178 —-a-w c:\windows\System32\perfh009.dat
    - 2009-03-28 16:03:06 667,352 —-a-w c:\windows\System32\perfh013.dat
    + 2009-03-28 17:53:10 667,352 —-a-w c:\windows\System32\perfh013.dat
    - 2009-03-28 16:14:03 12,740 —-a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2255622846-3536518166-2921446557-1000_UserData.bin
    + 2009-03-28 17:12:58 12,740 —-a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2255622846-3536518166-2921446557-1000_UserData.bin
    - 2009-03-28 16:14:02 96,434 —-a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-03-28 17:12:58 96,520 —-a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-03-28 17:08:58 3,000 —-a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
    - 2009-03-28 16:13:53 72,798 —-a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-03-28 17:12:51 72,822 —-a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-14 68856]
    "SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-06 464168]
    "eDSMSNfix"="c:\acer\Empowering Technology\eDSMSNfix.exe" [2007-02-08 13312]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-09 614400]
    "avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-13 515416]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 c:\windows\RtHDVCpl.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=eNetHook.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^Ben^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4 .lnk]
    path=c:\users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4 .lnk
    backup=c:\windows\pss\OpenOffice.org 2.4 .lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    –a—— 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    –a—— 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    –a—— 2009-03-12 20:56 342312 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    –a—— 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    –a—— 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "IgfxTray"=c:\windows\system32\igfxtray.exe
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe"
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "WarReg_PopUp"=c:\acer\WR_PopUp\WarReg_PopUp.exe
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "Persistence"=c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UacDisableNotify"=dword:00000001
    "InternetSettingsDisableNotify"=dword:00000001
    "AutoUpdateDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{2AB76D8F-D1C7-4BC7-B8A8-37B9887713A0}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
    "{FC19A6ED-E5D2-464C-ADE1-B7BD65DECF0C}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
    "{ADAD1361-4419-4AD0-BDAB-B6733D4FC132}"= c:\program files\Acer Arcade Deluxe\VideoMagician\MagicDirector.exe:CyberLink MagicDirector
    "{56496D2E-886C-4D01-BEBC-4D602A5B037F}"= c:\program files\Acer Arcade Deluxe\DV Wizard\PowerDV.exe:CyberLink PowerDV
    "TCP Query User{258B81BD-8CE4-4BC8-AB8B-E2E0ED4B9AEB}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{2CD960AF-8837-4F76-A95B-E29CEE4F8598}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "TCP Query User{34A76EE9-EE7A-4D7E-9034-368F5FB4BCB9}d:\\program files\\real\\realplayer\\realplay.exe"= UDP:d:\program files\real\realplayer\realplay.exe:RealPlayer
    "UDP Query User{499A2F9E-C2FC-46B7-A071-A47DB158DD5C}d:\\program files\\real\\realplayer\\realplay.exe"= TCP:d:\program files\real\realplayer\realplay.exe:RealPlayer
    "{D80CCC39-A670-498B-B295-DA318BFCF60A}"= UDP:d:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
    "{79111B7D-17FA-43CA-9E56-6C7B90A7A488}"= TCP:d:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
    "{6B319AC1-F8E9-422D-AB3B-1C5471BB2241}"= UDP:d:\program files\12Voip.com\12Voip\12Voip.exe:12Voip
    "{BE307095-27CB-41C0-B724-88BD56DA985F}"= TCP:d:\program files\12Voip.com\12Voip\12Voip.exe:12Voip
    "TCP Query User{4B8CA424-D55B-4174-BEEC-76F382545928}c:\\users\\ben\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= UDP:c:\users\ben\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe
    "UDP Query User{9BB80545-8F83-4089-8849-093A1BD02D1E}c:\\users\\ben\\appdata\\local\\temp\\wzse0.tmp\\symnrt.exe"= TCP:c:\users\ben\appdata\local\temp\wzse0.tmp\symnrt.exe:symnrt.exe
    "TCP Query User{C3FF6A0D-9B55-4B76-928C-6B21841C8118}d:\\program files\\ares\\ares.exe"= Disabled:UDP:d:\program files\ares\ares.exe:Ares
    "UDP Query User{1917A442-2D41-4FD1-AE84-A0B6D48CE9DA}d:\\program files\\ares\\ares.exe"= Disabled:TCP:d:\program files\ares\ares.exe:Ares
    "TCP Query User{D9D9E4FA-BB90-487B-B666-B01800775F21}c:\\program files\\utorrent\\utorrent.exe"= Disabled:UDP:c:\program files\utorrent\utorrent.exe:uTorrent
    "UDP Query User{81EF3DC7-E08F-40C8-BEF5-8EAB1A06E114}c:\\program files\\utorrent\\utorrent.exe"= Disabled:TCP:c:\program files\utorrent\utorrent.exe:uTorrent
    "TCP Query User{DB504764-8418-4B9B-97D5-30959EFC3C27}c:\\program files\\itunes\\itunes.exe"= Disabled:UDP:c:\program files\itunes\itunes.exe:iTunes
    "UDP Query User{7902B1D4-96DC-4407-9D33-D3CE951E1445}c:\\program files\\itunes\\itunes.exe"= Disabled:TCP:c:\program files\itunes\itunes.exe:iTunes
    "{68131F8D-195D-4B2C-A997-EECBD7B2ADCA}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{09805B43-E72F-478B-97FF-6B8D2A12390E}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "TCP Query User{B89190B6-F5AB-4494-A8BE-DB4CCDE57640}d:\\program files\\voipbuster.com\\voipbuster\\voipbuster.exe"= UDP:d:\program files\voipbuster.com\voipbuster\voipbuster.exe:Client to make VoIP calls.
    "UDP Query User{FEB76C32-C080-4A6C-B2A9-751C10ADFC95}d:\\program files\\voipbuster.com\\voipbuster\\voipbuster.exe"= TCP:d:\program files\voipbuster.com\voipbuster\voipbuster.exe:Client to make VoIP calls.
    "TCP Query User{63CCBDE9-FE0E-49A6-8840-966BF34B1627}d:\\program files\\limewire\\limewire.exe"= UDP:d:\program files\limewire\limewire.exe:LimeWire
    "UDP Query User{23BDAA24-8D72-4222-B9D6-1BEE012DD29F}d:\\program files\\limewire\\limewire.exe"= TCP:d:\program files\limewire\limewire.exe:LimeWire
    "{945DA298-B701-43A4-BC72-ECE8CDD6140D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{D246604F-0633-406D-A295-F1E2B7B18981}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{AFA6159F-311B-4C8B-B562-00512B095B7B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{7E79F869-3395-4D57-8A0C-ECB44A7BF420}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "DoNotAllowExceptions"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption

    R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-03-13 64160]
    R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2008-05-27 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2008-05-27 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2008-05-27 51792]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
    R2 SBSDWSCService;SBSD Security Center Service;d:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-02-14 1153368]
    S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [2007-08-13 80744]
    S4 J;J;c:\users\Ben\AppData\Local\Temp\J.exe –> c:\users\Ben\AppData\Local\Temp\J.exe [?]
    S4 LA;LA;c:\users\Ben\AppData\Local\Temp\LA.exe –> c:\users\Ben\AppData\Local\Temp\LA.exe [?]
    S4 OFXLBSW;OFXLBSW;c:\users\Ben\AppData\Local\Temp\OFXLBSW.exe –> c:\users\Ben\AppData\Local\Temp\OFXLBSW.exe [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Inhoud van de 'Gedeelde Taken' map

    2009-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-13 23:56]

    2009-03-28 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 10:08]
    .
    .
    ——- Bijkomende Scan ——-
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.startpagina.nl/
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: postbank.nl
    FF - ProfilePath - c:\users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\zdy8hdo8.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.startpagina.nl/
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
    FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-28 19:31:30
    Windows 6.0.6001 Service Pack 1 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2009-03-28 19:34:19
    ComboFix-quarantined-files.txt 2009-03-28 18:34:01
    ComboFix2.txt 2009-03-28 16:51:12

    Pre-Run: 12.352.274.432 bytes beschikbaar
    Post-Run: 12,106,539,008 bytes beschikbaar

    254 — E O F — 2009-03-26 15:29:49
  • In Programs and Features I come across the following: 'RON Tool Adestination'. When I try to remove that software, a code appears on screen that I have to enter. I haven't done that for now, but what is this?

    Also, the PC doesn't start in safe mode. It gets stuck on a black screen with the text 'safe mode' in each corner and no icons. I have to enter the command 'explorer.exe' via Task Manager to see the icons and get a full safe mode.
  • Are there any other problems besides safe mode?
  • After I got the desktop in safe mode last night via the explorer.exe command in Task Manager, Flash_Disinfector did run in safe mode. It said it had worked, but the PC did not restart automatically. Just now it booted into safe mode without problems.
    Otherwise the PC has no quirks.
  • The PC doesn't always have to restart either.

    Good, then you can consider this topic solved.

    Do this as well:

    Download ATF cleaner (mirror)(made by Atribune)

    Important: close all your browser windows (IE and/or Firefox and/or Opera) so the tool can work properly.

    Double-click ATF cleaner to start the program.
    On the Main tab, tick Select All.
    Click the Empty Selected button.

    Do the following if you also have Firefox as a browser:

    Click the Firefox tab and tick Select All.
    If you want to keep the passwords saved by Firefox, click No in the window that appears.
    (this removes the tick next to Firefox saved passwords again)
    Click the Empty Selected button.

    Do the following if you also have Opera as a browser:

    Click the Opera tab and tick Select All.
    If you want to keep the passwords saved by Opera, click No in the window that appears.
    Click the Empty Selected button.
    Go to the Main tab and click the Exit button to close the program.

    You may remove all the tools used and the folders they created. (Remember to remove ComboFix by going to Start -> Run, typing ComboFix /U and pressing Enter!!)

    - Go to Start/All Programs/Accessories/System Tools/System Restore.
    - In the left half of the window, click "System Restore Settings".
    - Tick "Turn off System Restore".
    - Click "Apply".
    - Windows asks whether you are sure.
    - Click "Yes".
    - Click "OK".
    - Restart the PC.
    - Go back to Start/All Programs/Accessories/System Tools/System Restore.
    - You get the message: "System Restore has been turned off. Do you want to turn on System Restore now?"
    - Click "Yes".
    - Remove the tick next to "Turn off System Restore".
    - Click "Apply".
    - Click "OK".
    - Restart the PC.
    - A new, clean restore point has now been created.
  • In windows\system32 I come across azikzbeuvhtgra.exe as an UninstallString in the registry, where that RON Tool Addestination is also listed, namely in the key HKEY_local_machine\software\microsoft\windows\currentversion\uninstall.
    Is this really harmless?
  • Download and save SDFix
    to your desktop.
    Double-click SDFix.exe and choose Install to unpack the tool into its own folder on your desktop.

    Restart the computer, but in safe mode.

    - In safe mode, open the SDFix folder on your desktop and double-click RunThis.bat to start the tool.
    - Type Y to start the clean process.
    - It removes all Trojan services or registry entries related to this infection; when the tool is finished it will tell you to press any key to restart your PC, so do that too.
    - When the PC restarts the tool will run again, finish the clean-up process and show you the message Finished; then press any key to end the script and your desktop will appear.
    - When your desktop icons appear, the SDFix report will open and will also be saved in the folder under the name Report.txt.

    Post this log in your next message.

    Also make a new HijackThis log.
  • SDFix doesn't start in safe mode. I only see a screen flash briefly and then it's gone.
  • Although SDFix hasn't worked, here is the HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:16:05, on 29-3-2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Acer\Empowering Technology\eDSMSNfix.exe
    C:\Program Files\Launch Manager\LManager.exe
    D:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    D:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Users\Ben\AppData\Local\Temp\RtkBtMnt.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\conime.exe
    C:\Hijack this\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [eDSMSNfix] C:\Acer\Empowering Technology\eDSMSNfix.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/nl-nl/wlscctrl2.cab
    O20 - AppInit_DLLs: eNetHook.dll
    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


    End of file - 6525 bytes
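    A small log triage script, added here as an example and not part of this thread or of any tool it mentions: it reads HijackThis-style and ComboFix-style lines and flags autostart entries, services and running processes whose executable lives under a temp directory, which is where the recurring "Component Update" files and the S4 services J.exe, LA.exe and OFXLBSW.exe in the ComboFix log above sit. The sample log is constructed from lines modelled on this thread's logs; the "Component Update" Run entry is a constructed illustration, not something the posted logs show.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Directory fragments that legitimate autostart entries should not live in.
# Constructed for this example; every hit in this thread sits under the
# per-user AppData\Local\Temp folder.
TEMP_DIR_FRAGMENTS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
)


@dataclass(frozen=True)
class Finding:
    source: str   # which kind of log line produced the hit
    name: str     # entry or service name ("" for a bare process path)
    path: str     # executable path exactly as it appears in the log


# HijackThis O4 line:   O4 - HKLM\..\Run: [name] "C:\path\prog.exe" args
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>.+?\.exe)', re.I)
# ComboFix service line: S4 name;display name;C:\path\prog.exe --> ... [?]
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?\.(?:exe|sys|dll))', re.I)
# Bare path line under the HijackThis "Running processes:" header
PROC_RE = re.compile(r'^(?P<path>[a-z]:\\.+\.exe)$', re.I)


def is_temp_path(path: str) -> bool:
    """True when the executable sits under a temp directory (case-insensitive)."""
    normalized = path.lower().replace("/", "\\")
    return any(fragment in normalized for fragment in TEMP_DIR_FRAGMENTS)


def scan_log(text: str) -> list[Finding]:
    """Return every autostart entry, service or process whose binary lives in a temp folder."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            source, name, path = "hjt-o4", m["name"], m["path"]
        elif m := SVC_RE.match(line):
            source, name, path = "combofix-service", m["name"], m["path"]
        elif m := PROC_RE.match(line):
            source, name, path = "hjt-process", "", m["path"]
        else:
            continue  # unrelated line (headers, R0/R1, O2/O23, ...)
        if is_temp_path(path):
            findings.append(Finding(source, name, path))
    return findings


# Constructed sample: lines modelled on the HijackThis and ComboFix logs in
# this thread. The "Component Update" Run entry is invented for illustration.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Users\Ben\AppData\Local\Temp\RtkBtMnt.exe
C:\Hijack this\HiJackThis.exe

O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Component Update] C:\Users\Ben\AppData\Local\Temp\Component Update 793.exe
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2008-05-27 114768]
S4 J;J;c:\users\Ben\AppData\Local\Temp\J.exe --> c:\users\Ben\AppData\Local\Temp\J.exe [?]
S4 LA;LA;c:\users\Ben\AppData\Local\Temp\LA.exe --> c:\users\Ben\AppData\Local\Temp\LA.exe [?]
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.source:17} {hit.name or '-':20} {hit.path}")
```

    A path heuristic only ranks candidates: the RtkBtMnt.exe hit in this thread's log is a Realtek audio helper that is generally reported as legitimate despite running from Temp, so verify each hit (publisher signature, hash lookup) before removing it.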
  • And what exactly doesn't work?
  • In safe mode SDFix doesn't come up with the 'Y' option to start the process. A screen just flashes by without you being able to see what's on it.
  • Remove it.

    Download it again and give the file RunThis.bat a different name.

    E.g. Verwijderen.bat
  • Done, unfortunately with the same result.
  • Does SDFix perhaps not work on Windows Vista?

This is an archived page. Replying is no longer possible.