Question & Answer

Security & privacy

Problems with various types of W32 viruses.

Anonymous
30 answers
  • It works now…………….?????????
  • Gentlemen, gentlemen … give peace a chance :D

    The new OldTimer link is: http://oldtimer.geekstogo.com/OTM.exe
  • Othuroyo: I have worked through the list you gave me and here is the result:

    ComboFix 09-06-13.09 - Minda1 14-Jun-09 20:04.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.66 [GMT 2:00]
    Running from: e:\documents and settings\Minda1\Desktop\ComboFix.exe
    AV: F-PROT Antivirus for Windows *On-access scanning disabled* (Updated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}
    FW: Sunbelt Kerio Personal Firewall *enabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\desktop.ini
    e:\recycler\S-1-5-21-9091834803-4110907043-225406547-1022\winmap32.exe
    e:\winnt\Web\default.htt

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_BNDMSS
    -------\Service_BNDMSS
    -------\Service_IAS


    ((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
    .

    2009-06-14 14:07 . 2009-06-14 14:07 -------- d-----w- e:\program files\Codemasters
    2009-06-14 04:42 . 2009-06-14 04:42 -------- d-----w- e:\program files\GameSpy Arcade
    2009-06-13 09:22 . 2009-06-13 09:27 -------- d-----w- e:\program files\GV_Killer
    2009-06-13 05:06 . 2009-06-13 05:06 -------- d-----w- e:\documents and settings\Minda1\Local Settings\Application Data\Downloaded Installations
    2009-06-13 04:08 . 2009-06-13 04:08 -------- d-sha-w- E:\!Submit
    2009-06-12 17:45 . 2009-06-12 17:45 -------- d--h--w- e:\winnt\PIF
    2009-06-11 20:11 . 2009-06-11 20:11 -------- d-----w- e:\program files\Trend Micro
    2009-06-11 19:32 . 2009-06-11 19:32 -------- d-----w- e:\documents and settings\Minda1\Application Data\Malwarebytes
    2009-06-11 19:32 . 2009-05-26 11:20 40160 ----a-w- e:\winnt\system32\drivers\mbamswissarmy.sys
    2009-06-11 19:32 . 2009-06-11 19:32 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-11 19:32 . 2009-05-26 11:19 19096 ----a-w- e:\winnt\system32\drivers\mbam.sys
    2009-06-11 19:32 . 2009-06-13 17:57 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
    2009-06-11 17:23 . 2007-03-12 14:42 3495784 ----a-w- e:\winnt\system32\d3dx9_33.dll
    2009-06-11 17:07 . 2009-06-11 17:07 -------- d-----w- e:\documents and settings\Minda1\Application Data\InstallShield
    2009-06-08 17:37 . 2009-06-08 17:47 -------- d-----w- e:\documents and settings\Minda1\Application Data\EmailNotifier
    2009-06-08 17:37 . 2009-06-08 17:37 -------- d-----w- e:\documents and settings\All Users\Application Data\EmailNotifier
    2009-06-08 17:06 . 2007-01-24 18:27 67960 ----a-r- e:\winnt\system32\drivers\btwusb.sys
    2009-06-08 17:06 . 2006-10-15 17:04 106557 ----a-r- e:\winnt\system32\btw_ci.dll
    2009-06-07 04:42 . 2009-06-07 04:42 -------- d-----w- e:\program files\Handmark
    2009-06-04 06:48 . 2009-06-04 06:48 -------- d-----w- e:\documents and settings\All Users\Application Data\FRISK Software
    2009-06-04 06:48 . 2009-06-04 06:48 -------- d-----w- e:\program files\FRISK Software
    2009-06-01 13:15 . 2009-06-01 13:14 53248 ----a-w- e:\winnt\PalmDevC.dll
    2009-06-01 13:15 . 2009-06-01 13:15 8854 ----a-r- e:\documents and settings\Minda1\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut7_4B691FC6F103435EA1F6339BD6C78617.exe
    2009-06-01 13:15 . 2009-06-01 13:15 8854 ----a-r- e:\documents and settings\Minda1\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut15_4B691FC6F103435EA1F6339BD6C78617.exe
    2009-06-01 13:15 . 2009-06-01 13:15 8854 ----a-r- e:\documents and settings\Minda1\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut14_4B691FC6F103435EA1F6339BD6C78617.exe
    2009-06-01 13:15 . 2009-06-01 13:15 8854 ----a-r- e:\documents and settings\Minda1\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut13_4B691FC6F103435EA1F6339BD6C78617.exe
    2009-06-01 13:15 . 2009-06-01 13:15 8854 ----a-r- e:\documents and settings\Minda1\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut12_4B691FC6F103435EA1F6339BD6C78617.exe
    2009-05-27 12:24 . 2009-05-27 12:25 -------- d-----w- e:\program files\Abbyy FineReader 6.0 Sprint
    2009-05-27 12:23 . 2005-07-12 13:33 32768 ----a-w- e:\winnt\system32\LXPRMON.DLL
    2009-05-27 12:23 . 2005-07-12 13:33 20480 ----a-w- e:\winnt\system32\LXPMONUI.DLL
    2009-05-27 12:22 . 2005-07-12 13:36 12288 ----a-w- e:\winnt\system32\LXPMONRC.DLL
    2009-05-27 12:22 . 2009-05-27 12:24 -------- d-----w- e:\program files\Lexmark Fax Solutions
    2009-05-24 05:52 . 2009-05-24 05:52 -------- d-----w- e:\documents and settings\All Users\Application Data\GRETECH
    2009-05-24 05:50 . 2009-05-24 05:50 -------- d-----w- e:\documents and settings\Minda1\Application Data\GRETECH
    2009-05-24 05:50 . 2009-05-24 05:50 -------- d-----w- e:\program files\GRETECH
    2009-05-19 14:46 . 2009-05-19 14:46 -------- d-----w- e:\program files\Scenic- Halloween Horror
    2009-05-19 14:46 . 2009-05-19 14:46 2406547 ----a-w- e:\winnt\Scenic- Halloween Horror.scr
    2009-05-19 13:54 . 2009-05-19 13:54 -------- d-----w- e:\program files\HighCriteria
    2009-05-19 13:54 . 2006-12-05 16:01 54272 ----a-w- e:\winnt\system32\DrvTrNTm.dll
    2009-05-19 13:54 . 2006-12-05 16:01 106496 ----a-w- e:\winnt\system32\DrvTrNTl.dll
    2009-05-17 15:24 . 2009-05-17 15:26 2081496 ----a-w- e:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-14 18:21 . 2009-04-21 04:23 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
    2009-06-14 17:24 . 2008-04-04 06:51 -------- d-----w- e:\program files\Lx_cats
    2009-06-14 14:05 . 2008-04-07 16:55 4372 ----a-w- e:\winnt\system32\drivers\fwdrv.err
    2009-06-14 13:40 . 2009-04-21 09:23 -------- d-----w- e:\program files\GameTop.com
    2009-06-14 13:38 . 2009-04-20 12:57 -------- d-----w- e:\program files\Leopold
    2009-06-14 13:38 . 2009-04-20 12:56 -------- d--h--w- e:\program files\Zero G Registry
    2009-06-14 13:37 . 2009-04-20 12:00 -------- d-----w- e:\program files\FashionBoutique_at
    2009-06-11 17:10 . 2009-04-19 17:37 -------- d--h--w- e:\program files\InstallShield Installation Information
    2009-06-11 16:45 . 2008-04-04 05:07 -------- d-----w- e:\program files\Common Files\InstallShield
    2009-05-27 17:00 . 2009-05-27 12:19 -------- d-----w- e:\program files\Lexmark 2300 Series
    2009-05-13 17:07 . 2009-05-13 17:07 -------- d-----w- e:\program files\VikarPls
    2009-05-11 12:45 . 2009-05-11 12:41 -------- d-----w- e:\program files\NCH Software
    2009-05-11 12:42 . 2009-05-11 12:42 -------- d-----w- e:\documents and settings\Minda1\Application Data\NCH Software
    2009-05-11 12:42 . 2009-05-11 12:42 -------- d-----w- e:\documents and settings\All Users\Application Data\NCH Software
    2009-05-11 12:30 . 2009-04-28 06:57 -------- d-----w- e:\documents and settings\Minda1\Application Data\Ahead
    2009-05-10 13:31 . 2008-04-11 13:08 34584 ----a-w- e:\documents and settings\Minda1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-09 19:34 . 2009-05-09 19:34 -------- d-----w- e:\documents and settings\Minda1\Application Data\Xilisoft Corporation
    2009-05-09 19:31 . 2009-05-09 19:31 -------- d-----w- e:\program files\Xilisoft
    2009-05-08 12:29 . 2009-05-08 12:29 -------- d-----w- e:\documents and settings\Minda1\Application Data\FRISK Software
    2009-05-06 17:13 . 2009-05-06 17:13 -------- d-----w- e:\documents and settings\Minda1\Application Data\AdobeUM
    2009-05-06 17:11 . 2009-05-06 17:11 -------- d-----w- e:\program files\Common Files\Adobe
    2009-04-30 14:52 . 2009-04-30 14:52 -------- d-----w- e:\program files\OO Software
    2009-04-28 07:06 . 2009-04-28 07:06 -------- d-----w- e:\documents and settings\All Users\Application Data\LightScribe
    2009-04-28 06:59 . 2009-04-28 06:59 -------- d-----w- e:\program files\Common Files\LightScribe
    2009-04-28 06:56 . 2009-04-28 06:56 -------- d-----w- e:\documents and settings\All Users\Application Data\Ahead
    2009-04-28 06:55 . 2009-04-28 06:52 -------- d-----w- e:\program files\Common Files\Ahead
    2009-04-28 06:52 . 2009-04-28 06:52 -------- d-----w- e:\documents and settings\All Users\Application Data\Nero
    2009-04-28 06:52 . 2009-04-28 06:52 -------- d-----w- e:\program files\Nero
    2009-04-26 12:29 . 2009-04-26 12:29 -------- d-----w- e:\program files\Memphis Belle International
    2009-04-26 09:26 . 2009-04-26 09:26 -------- d-----w- e:\documents and settings\All Users\Application Data\Trymedia
    2009-04-25 06:01 . 2009-04-25 06:01 -------- d-----w- e:\documents and settings\All Users\Application Data\BigFishGamesCache
    2009-04-22 14:05 . 2009-04-22 14:05 -------- d-----w- e:\documents and settings\Guest\Application Data\FaxCtr
    2009-04-22 11:32 . 2009-04-22 11:32 971552 ----a-w- e:\winnt\system32\drivers\tdrpm174.sys
    2009-04-22 11:32 . 2009-04-22 11:32 540000 ----a-w- e:\winnt\system32\drivers\timntr.sys
    2009-04-22 11:32 . 2009-04-22 11:32 44704 ----a-w- e:\winnt\system32\drivers\tifsfilt.sys
    2009-04-22 11:32 . 2009-04-22 11:32 134272 ----a-w- e:\winnt\system32\drivers\snman380.sys
    2009-04-22 11:31 . 2009-04-22 11:31 -------- d-----w- e:\program files\Common Files\Acronis
    2009-04-22 11:31 . 2009-04-22 11:31 -------- d-----w- e:\program files\Acronis
    2009-04-22 04:07 . 2009-04-22 04:07 5875689 ----a-w- e:\winnt\img1600x1200_Speedracer.SCR
    2009-04-22 04:06 . 2009-04-22 04:06 -------- d-----w- e:\documents and settings\Minda1\Application Data\iScreensaver
    2009-04-21 17:25 . 2009-04-21 17:25 -------- d-----w- e:\documents and settings\All Users\Application Data\Avg7
    2009-04-21 16:57 . 2009-04-21 16:57 -------- d-----w- e:\documents and settings\Minda1\Application Data\Sonic
    2009-04-21 16:57 . 2009-04-21 16:57 -------- d-----w- e:\documents and settings\Minda1\Application Data\Leadertech
    2009-04-21 16:17 . 2009-04-21 13:57 86315 ----a-w- e:\winnt\PCHEALTH\helpctr\OfflineCache\index.dat
    2009-04-21 13:53 . 2008-04-04 04:12 22192 ----a-w- e:\winnt\system32\emptyregdb.dat
    2009-04-21 09:58 . 2009-04-21 09:58 -------- d-----w- e:\program files\X360 Tiff Image & Fax Viewer ActiveX Control
    2009-04-21 04:23 . 2009-04-21 04:23 -------- d-----w- e:\documents and settings\Minda1\Application Data\Total Eclipse
    2009-04-19 17:36 . 2009-04-19 17:36 -------- d-----w- e:\program files\PowerQuest
    2009-04-19 17:29 . 2009-04-19 17:29 -------- d-----w- e:\documents and settings\All Users\Application Data\InstallShield
    2009-04-19 17:28 . 2009-04-19 17:28 -------- d-----w- e:\program files\Common Files\SureThing Shared
    2009-04-19 17:28 . 2009-04-19 17:28 -------- d-----w- e:\program files\Sonic
    2009-04-19 15:09 . 2009-04-19 15:08 -------- d-----w- e:\documents and settings\Minda1\Application Data\TrueCrypt
    2009-04-19 15:08 . 2009-04-19 15:08 215872 ----a-w- e:\winnt\system32\drivers\truecrypt.sys
    2009-04-19 15:08 . 2009-04-19 15:08 -------- d-----w- e:\program files\TrueCrypt
    2009-04-19 14:26 . 2009-04-19 14:26 -------- d-----w- e:\documents and settings\Minda1\Application Data\Unity
    2009-04-19 13:11 . 2009-04-19 13:11 -------- d-----w- e:\program files\Unity
    2008-04-04 04:13 . 2008-04-04 04:13 21952 ---ha-w- e:\program files\folder.htt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RegistryMechanic"="e:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="e:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
    "MSMSGS"="e:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
    "CTFMON.EXE"="e:\winnt\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PKWARE Certificate Proxy Client"="e:\progra~1\PKWARE\PKZIPW\pkpcsr.exe" [2008-03-28 226640]
    "ISUSPM Startup"="e:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="e:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "AcronisTimounterMonitor"="e:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-21 960528]
    "Acronis Scheduler2 Service"="e:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-11-21 165144]
    "OODefragTray"="e:\winnt\system32\oodtray.exe" [2007-05-11 2512392]
    "TotalRecorderScheduler"="e:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2006-12-05 114688]
    "LXCGCATS"="e:\winnt\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
    "lxcgmon.exe"="e:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
    "EzPrint"="e:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
    "FaxCenterServer"="e:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
    "F-PROT Antivirus Tray application"="e:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2008-04-21 1597832]
    "Synchronization Manager"="mobsync.exe" - e:\winnt\system32\mobsync.exe [2004-08-04 143360]
    "VTTimer"="VTTimer.exe" - e:\winnt\system32\VTTimer.exe [2004-05-27 49152]
    "VTTrayp"="VTtrayp.exe" - e:\winnt\system32\VTTrayp.exe [2004-06-07 143360]
    "SoundMan"="SOUNDMAN.EXE" - e:\winnt\SOUNDMAN.EXE [2004-10-27 73728]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "internat.exe"="internat.exe" - e:\winnt\system32\internat.exe [2003-06-20 20752]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="e:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 214528]
    "tscuninstall"="e:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

    e:\documents and settings\Minda1\Start Menu\Programs\Startup\
    Shortcut to TCLOCKEX.EXE.lnk - d:\utilities\TCLOCK\TCLOCKEX.EXE [2004-9-27 89088]
    Start Firewall.lnk - e:\winnt\system32\net.exe [2004-8-4 42496]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer"=DrvTrNTm.dll
    "wave"=DrvTrNTm.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
    @="Service"

    [HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=e:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "UPS"=3 (0x3)
    "O&O Defrag"=2 (0x2)
    "mnmsrvc"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "Fax"=2 (0x2)
    "ERSvc"=2 (0x2)
    "AcrSch2Svc"=2 (0x2)
    "BITS"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "e:\\Program Files\\Messenger\\msmsgs.exe"=

    R0 FPAV_RTP;FPAV_RTP;e:\winnt\system32\drivers\FStopW.sys [26-Jul-08 10:45 AM 592224]
    R0 snapman380;Acronis Snapshots Manager (Build 380);e:\winnt\system32\drivers\snman380.sys [22-Apr-09 1:32 PM 134272]
    R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);e:\winnt\system32\drivers\tdrpm174.sys [22-Apr-09 1:32 PM 971552]
    R1 fwdrv;Firewall Driver;e:\winnt\system32\drivers\fwdrv.sys [18-Jul-06 12:02 PM 284184]
    R1 khips;Kerio HIPS Driver;e:\winnt\system32\drivers\khips.sys [18-Jul-06 12:02 PM 91672]
    R2 FPAVServer;F-PROT Antivirus for Windows system;e:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [21-Apr-08 9:26 PM 45960]
    S3 usbhub20;USB 2.0 Root Hub Support;e:\winnt\system32\drivers\usbhub20.sys [04-Apr-08 8:06 AM 49776]
    S3 viafilter;VIA USB Filter;e:\winnt\system32\drivers\viausb.sys [04-Apr-08 7:08 AM 9038]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "e:\program files\Common Files\LightScribe\LSRunOnce.exe"
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-sglfb.sys
    SafeBoot-tga.sys


    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: &Search
    IE: Download with Xilisoft YouTube Video Converter - e:\program files\Xilisoft\YouTube Video Converter\upod_link.HTM
    IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-14 20:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG10.00.00.01WORKSTATION"="D22612196B357CB88B87CEB4353B0F38874B7251F3C7DBE183D9DE563A521107815D107689897A31232DC6A077F2B481970D464BDF5077DA9041A70127D76AE252EE334A103E0CC94C49D0DE9711A56ABF9589ADECD857B281778E2E719528E33D9860064C8A321ED51176FD8C50D4BACA2C82445CC0FDFD387ABB86C030FE8B5B2D404E707473BBB24B003DB33D39AFA3AFBD0D533C7346B8DA1DE3259FA6D1FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC79335D575E7D6A3B9808A9C6AECB7A5D1407C038D530D6EB34525303E08FAC8639B34784253E2B037C3AC65346E0B4FD019E4E78A6C603CD2A76E9DCE122FB5708DAF1975AD6B403F0A1558A5C27040229EAF256C922246C96FE059C56E965A608F71C8ADAC9711A0FC026BE31971E3D616011F7A16A4E6F53976994639FE31D59CB21E62CAC463827C4D04DC945F185CCB8162E555018B172287F2F70ACD8B89F0C83C89445FDA18CD00DA86E72D0030F2316E0CD34FEDF8C0DD166283108CD81E16762A01043EC997A3AD72C99F131D342C78B3A2AE07CBB16914B797D1A032C69947AA2BCA907A9CB58F3D465706348AE063D0D7D815D9D87128198999BD2CD35F9E62C2EA6B01EC210AC7E37C8BC1DF24F997B2B08AA56984AC3FABF7C0B1BC7A71895FB12FB5CD1A94201A45FB5090C46D7006580658A76D75B5CDC91504C9D528EFBF22BCFCADD120CF9F4781CC46FB2C2588FD9DBE640792A3C1792181B2053DDBE1112EA58C15DF4CA24418F8E03FEB908466736980A93A45E419C2D4733A631840ACB5AF3CBC0FA18644585A7A13A305354606D535C2DD2C8E7302E962AEE453146C38493BE15304A98F848569B172EC53DE14ECD3373D047C832104F4E6F6BF3E0C51FAECD593A105B327263B26C4EAC35E8FCC17E36CD68D6E896BCDD1108BCA8833643A52FD45A76AA759E9EB6BE1BA5D9EC6EA2698F80B8825FAF88E1963EA112A950635CCC5DEC02155609124567ADFCE816F6A36E26488F56FA73912272046B2EDB98CA0593F139EC621343B62A9DFB8F8047A1D5B394034076B875CC94BAEC4AEE4C09F2B8EEB7E61CCE3100C2FAE7517654434749E037B27E64084CA4E5D75A94F7C723CE7EC7C4E042E69ED200B373C7520DD44922671AF077E368E558518EDE8A5DB19B74171C136A11A84199B592C768A5A8DB83B233B3E74A806399E26A6163C4D1A6D1B95497B585C2B7E8AA19CBB2DA7EEA6420122C9DA104E5E47BC4B55B1A493DD124AB5805B92A2444B1CAAEC299A6A6D4171D48F5F1797FAAE94BF63CA073F1DE3131C13249AC3835CD3D4F1BF806819F63
1075C2E7F9840E64FBC7C13DBD991B214BC707F02DEA78665991B32E1333BAB577A84854B20D66062BCCA0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2728)
    e:\winnt\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    e:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    e:\winnt\system32\CF29073.exe
    e:\winnt\system32\wdfmgr.exe
    e:\winnt\system32\mspmspsv.exe
    e:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    e:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    e:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    e:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    e:\winnt\system32\wscntfy.exe
    e:\winnt\system32\lxcgcoms.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-14 20:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-06-14 18:25

    Pre-Run: 10,014,527,488 bytes free
    Post-Run: 12,249,354,240 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    C:\="Microsoft Windows"

    250

    *****************************
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:58:49 PM, on 14-Jun-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\mspmspsv.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    E:\WINNT\system32\VTTimer.exe
    E:\WINNT\system32\VTtrayp.exe
    E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    E:\WINNT\SOUNDMAN.EXE
    E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    E:\WINNT\system32\oodtray.exe
    E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    E:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    E:\Program Files\Registry Mechanic\RegMech.exe
    E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\WINNT\system32\ctfmon.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    E:\WINNT\system32\wscntfy.exe
    E:\WINNT\system32\lxcgcoms.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\explorer.exe
    E:\WINNT\system32\notepad.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [PKWARE Certificate Proxy Client] E:\PROGRA~1\PKWARE\PKZIPW\pkpcsr.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [OODefragTray] E:\WINNT\system32\oodtray.exe
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 E:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcgmon.exe] "E:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "E:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "E:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINNT\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-1801674531-1177238915-839522115-501\..\Run: [internat.exe] internat.exe (User 'Guest')
    O4 - HKUS\S-1-5-21-1801674531-1177238915-839522115-501\..\Run: [LightScribe Control Panel] E:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'Guest')
    O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Shortcut to TCLOCKEX.EXE.lnk = D:\Utilities\TCLOCK\TCLOCKEX.EXE
    O4 - Startup: Start Firewall.lnk = E:\WINNT\system32\net.exe
    O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - E:\Program Files\Xilisoft\YouTube Video Converter\upod_link.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - E:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: lxcg_device - - E:\WINNT\system32\lxcgcoms.exe
    O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    End of file - 6315 bytes


    Curious whether there is anything else to be found.
    Will stay alert.
    Many thanks
    Kind regards, perloc
  • One more thing:
    While shutting down for the reboot after ComboFix I saw a window that said: Catchme.dfexe
    I'm not entirely sure about the "df", because the window was only visible for a moment. But Catchme does make me wonder….
    What do the gentlemen think?
    Look it up and delete it?
    perloc
  • catchme.exe is part of ComboFix.
  • Good to hear your problem seems to be solved. You may have to reinstall Outlook Express, via Control Panel > Add or Remove Programs > Add/Remove Windows Components > Outlook Express.

    After that you will probably have to re-enter your POP3 and SMTP addresses.


    It's just an idea.
  • For a few days now my virus scanner has regularly been reporting one W32 virus or another. They are usually put in quarantine. But because it keeps coming back, I would like to ask you to look at my HijackThis.log file. Here it is, and thanks in advance.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:28:20 PM, on 10-Jun-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\WINNT\Explorer.EXE
    E:\WINNT\system32\VTTimer.exe
    E:\WINNT\system32\VTtrayp.exe
    E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    E:\WINNT\SOUNDMAN.EXE
    E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    E:\WINNT\system32\oodtray.exe
    E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    E:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    E:\Program Files\Lexmark 2300 Series\ezprint.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    E:\Program Files\Registry Mechanic\RegMech.exe
    E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    E:\WINNT\system32\ctfmon.exe
    E:\WINNT\system32\cisvc.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\mspmspsv.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    E:\WINNT\system32\lxcgcoms.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    E:\WINNT\system32\wscntfy.exe
    E:\WINNT\system32\cidaemon.exe
    E:\WINNT\System32\svchost.exe
    D:\Utilities\Hijjackthis\HIJACKTH.EXE

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [PKWARE Certificate Proxy Client] E:\PROGRA~1\PKWARE\PKZIPW\pkpcsr.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [OODefragTray] E:\WINNT\system32\oodtray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 E:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcgmon.exe] "E:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "E:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "E:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
    O4 - Startup: Shortcut to TCLOCKEX.EXE.lnk = D:\Utilities\TCLOCK\TCLOCKEX.EXE
    O4 - Startup: Start Firewall.lnk = E:\WINNT\system32\net.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk570YYMZ
    O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - E:\Program Files\Xilisoft\YouTube Video Converter\upod_link.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/SmileyCentralInitialSetup1.0.1.1.cab
    O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe (file missing)
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - E:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: lxcg_device - - E:\WINNT\system32\lxcgcoms.exe
    O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

    Regards, perloc
  • Can't you fix it with Malwarebytes?
    http://www.malwarebytes.org/mbam.php
  • For a start, I would use a newer version of HijackThis; this one is ancient.

    Secondly, I'm missing a number of elements in the logfile, e.g. those of the browser you use.
  • Eddy X: I ran mbam in quick mode and it found and removed 4 viruses. A complete run takes too long at the moment; I'll start it later this evening.

    Edouard: I downloaded the newest (I think) version of HijackThis and made a printout. Here is the log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:12:25 PM, on 11-Jun-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\savedump.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\WINNT\Explorer.EXE
    E:\WINNT\system32\VTTimer.exe
    E:\WINNT\system32\VTtrayp.exe
    E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    E:\WINNT\SOUNDMAN.EXE
    E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    E:\WINNT\system32\oodtray.exe
    E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    E:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    E:\Program Files\Lexmark 2300 Series\ezprint.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    E:\Program Files\Registry Mechanic\RegMech.exe
    E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    E:\WINNT\system32\ctfmon.exe
    E:\WINNT\system32\cisvc.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\mspmspsv.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    E:\WINNT\system32\lxcgcoms.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    E:\WINNT\system32\wscntfy.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\WINDOWS\system32\bndmss.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [PKWARE Certificate Proxy Client] E:\PROGRA~1\PKWARE\PKZIPW\pkpcsr.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [OODefragTray] E:\WINNT\system32\oodtray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 E:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcgmon.exe] "E:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "E:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "E:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
    O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1801674531-1177238915-839522115-501\..\Run: [internat.exe] internat.exe (User 'Guest')
    O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Shortcut to TCLOCKEX.EXE.lnk = D:\Utilities\TCLOCK\TCLOCKEX.EXE
    O4 - Startup: Start Firewall.lnk = E:\WINNT\system32\net.exe
    O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - E:\Program Files\Xilisoft\YouTube Video Converter\upod_link.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - E:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: lxcg_device - - E:\WINNT\system32\lxcgcoms.exe
    O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    End of file - 6593 bytes

    Thanks in advance for a "survey"!

    Regards, perloc
  • I don't see anything special anymore, only this one

    O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe

    was different in the previous logfile; there it said "file missing", probably fixed by MBAM.

    Keep an eye on it.
  • Last night before going to bed I ran Mbam once more for a full scan. It found 3 more, of which 2 were deleted and the last should be gone after a reboot.
    Moreover, yesterday F-prot also found that cursed bndmss.exe in the win32 folder. I removed it manually. This morning I ran F-prot again over the whole system. It found 1 more W32 and parked it (in quarantine).
    I'll see whether it's solved now.

    Many thanks.
    perloc
  • Then this one

    http://www.baidumsg.com/Howtoremove/Howtoremove_67786.html

    Run HijackThis again after the above action and, if necessary,
    remove that O23 with Fix.
  • And this one is useful too

    http://greatis.com/appdata/d/b/bndmss.exe.htm
  • I believe I'm rid of it. My computer is back to normal speed.
    I worked through the list from your first link, except for two points. Points 4 and 6 I didn't know what to do with. How can I (point 6) delete all files infected by bndmss? That can only be done with a virus scanner.
    After the whole session bndmss was cheerfully back. It was to be found in my W98 partition in system32. It couldn't simply be deleted, but with the peerless Killbox it worked. In my WinXP partition too, in \winnt\Prefetch, there was a prefetch entry for bndmss. I deleted that as well. Then I searched the registry once more, where it also appeared a few times, deleted it there too, and then, after a reboot, the computer seemed clean again because it responded as before, i.e. considerably faster. We'll see whether it's clean now.

    Here is the HijackThis log file:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:57:17 PM, on 12-Jun-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\WINNT\Explorer.EXE
    E:\WINNT\system32\VTTimer.exe
    E:\WINNT\system32\VTtrayp.exe
    E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    E:\WINNT\SOUNDMAN.EXE
    E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    E:\WINNT\system32\oodtray.exe
    E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    E:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    E:\Program Files\Lexmark 2300 Series\ezprint.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    E:\Program Files\Registry Mechanic\RegMech.exe
    E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    E:\WINNT\system32\ctfmon.exe
    E:\WINNT\system32\cisvc.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\mspmspsv.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    E:\WINNT\system32\lxcgcoms.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    E:\WINNT\system32\wscntfy.exe
    E:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\cidaemon.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [PKWARE Certificate Proxy Client] E:\PROGRA~1\PKWARE\PKZIPW\pkpcsr.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [OODefragTray] E:\WINNT\system32\oodtray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 E:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcgmon.exe] "E:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "E:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "E:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
    O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1801674531-1177238915-839522115-501\..\Run: [internat.exe] internat.exe (User 'Guest')
    O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Shortcut to TCLOCKEX.EXE.lnk = D:\Utilities\TCLOCK\TCLOCKEX.EXE
    O4 - Startup: Start Firewall.lnk = E:\WINNT\system32\net.exe
    O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - E:\Program Files\Xilisoft\YouTube Video Converter\upod_link.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - E:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: lxcg_device - - E:\WINNT\system32\lxcgcoms.exe
    O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    End of file - 6558 bytes

    Thanks again.
    I'll come back if the problem comes back too.
    Regards, perloc
  • Not gone, unfortunately!!
    This morning I started the computer and immediately got two w32 virus warnings again. What now? The annoying thing is that it occurs in all 3 partitions.
    perloc
  • You really need to remove your restore points now, otherwise you'll have it back in no time.
  • It looks very much like the misery is over. So far it's going fine and there are no virus warnings, that is to say the following:
    My son got a number of computer games for his birthday. One of them is called "Worms 4 Mayhem".
    Now, that rubs my virus scanner (F-prot) the wrong way: everything containing the name "Worms" is put in quarantine, so he can't play the game.
    It's also rather stupid, I think, of the manufacturer to call your game Worms;
    for me at least a bell rings immediately when I come across anything with Worm in it on the computer.

    Another problem (2 of them) is the following.
    Combofix has nicely (combo)fixed the problem, but has changed a couple of things.
    1. The boot manager is skipped and the computer boots straight into WinXP.
    2. In Outlook Express I can no longer send or receive mail: "Send and Receive" is greyed out and so it doesn't work (anymore).
    As for the boot manager, I'll have a look in the boot sector to see whether I can fix that. For the mail I have no solution at hand. Anyone?
    Regards, perloc
  • No Edouard, the problem has never gone away.

    Start HijackThis and choose 'Do a system scan only'.
    Select only the items listed below:

    O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe

    Close all windows except HijackThis.
    Click 'Fix checked' to remove the items.



    Download GV Killer.exe.
    Put it in its own folder, for example C:\Program Files\GV Killer, and then create a shortcut from C:\Program Files\GV Killer\GV Killer.exe to your desktop.
    Start GV Killer and use Copy and Paste to put the names of the files and folders below into the file C:\Program Files\GV Killer\input.txt.

    C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe

    Close the file C:\Program Files\GV Killer\input.txt and press the Start Killing button to start the program.
    Post the contents of the file C:\GV Killer.txt in your next message.




    Download Malwarebytes' Anti-Malware and save it to your desktop.
    Double-click mbam-setup.exe to install the program.

    Make sure that after installation a checkmark is placed next to:
    - Update MalwareBytes' Anti-Malware
    - Start MalwareBytes' Anti-Malware
    Then click "Finish".
    If an update is found, it will be downloaded and installed.
    - Once the program has started, go to the "Settings" tab.
    - Tick here: "Close Internet Explorer during malware removal".
    - Then go to the "Scanner" tab and choose "Quick Scan".
    - Then press "Scan" to start the scan.
    - Scanning can take a while, so be patient.
    - When the scan is complete, click OK, then "Show Results" to see the results.
    - Make sure everything there is ticked, then click "Remove Selected".
    - After removal a log will open and you will be asked to restart the computer.
    The log is saved automatically by MalwareBytes' Anti-Malware and can be found by clicking the "Logs" tab in the program.

    Post this log together with a new HijackThis log.
  • Here we go!
    I've worked through the whole story.
    Had to start over 3 times because halfway through the computer wouldn't budge anymore.
    Up to MBAM it went smoothly; mbam starts very slowly (minutes), I had to start the update by hand, and after the update I got an hourglass that wouldn't go away. Saw that there was Internet activity and pulled the plug out of the phone socket. The hourglass disappeared and I could continue.
    Scanning with mbam took 15 min. and two problems were found.

    After rebooting the computer, f-prot immediately found two w32 viruses again: 642.exe and 239.exe. That's not very hopeful….

    Here come the 3 log files:
    Logfile gv_killer_03.txt v7.0.9 - Copyright © GV_Soft Guido Vaesen
    Rapport datum: 13-Jun-09 8:13:34 PM log van Minda1 , Beheerder van deze computer
    Platform: Windows XP Prof SP2 ENU Normale modus

    BEGIN Geplande taken—————————————————————–
    EINDE Geplande taken—————————————————————–


    Lijst Notify keys——————————————————————–
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify
    wzcnotif wzcdlg.dll
    Einde Notify keys——————————————————————–

    Verklaring Errorcodes—————————————————————-
    code 00 : Bestand is verwijderd.
    code 53 : Bestand of map werd niet gevonden op uw PC.
    code 70 : Bestand was in gebruik.
    code 75 : Services zijn nog geladen of bestand in gebruik.
    code M0 : Map is verwijderd.
    code ML : Map is volledig leeg gemaakt.
    code MN : Map werd niet gevonden op uw PC, is niet leeg gemaakt.
    code MV : Map werd niet gevonden op uw PC, is niet verwijderd.
    code K0 : Register key is verwijderd.
    Einde Errorcodes——————————————————————–

    BEGIN Inhoud van Input.txt———————————————————–
    C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
    EINDE Inhoud van Input.txt———————————————————–

    00 C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
    EINDE Inhoud van Input.txt———————————————————–


    ;3476487-009-8073003-22515=5JVTGRYD13

    ;EINDE GV_Killer ———————————————————————
    ***********************
    Malwarebytes' Anti-Malware 1.37
    Database version: 2272
    Windows 5.1.2600 Service Pack 2

    13-Jun-09 8:41:56 PM
    mbam-log-2009-06-13 (20-41-56).txt

    Scan type: Quick Scan
    Objects scanned: 98402
    Time elapsed: 15 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    e:\documents and settings\Minda1\local settings\Temp\865.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    *******************************
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:01:12 PM, on 13-Jun-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\WINNT\Explorer.EXE
    E:\WINNT\system32\VTTimer.exe
    E:\WINNT\system32\VTtrayp.exe
    E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    E:\WINNT\SOUNDMAN.EXE
    E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    E:\WINNT\system32\oodtray.exe
    E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    E:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    E:\Program Files\Lexmark 2300 Series\ezprint.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    E:\Program Files\Registry Mechanic\RegMech.exe
    E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    E:\WINNT\system32\ctfmon.exe
    E:\WINNT\system32\cisvc.exe
    E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\mspmspsv.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    E:\WINNT\system32\lxcgcoms.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    E:\WINNT\system32\wscntfy.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\WINNT\system32\cidaemon.exe
    E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,E:\DOCUME~1\Minda1\LOCALS~1\Temp\081.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [PKWARE Certificate Proxy Client] E:\PROGRA~1\PKWARE\PKZIPW\pkpcsr.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [OODefragTray] E:\WINNT\system32\oodtray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "E:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 E:\WINNT\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcgmon.exe] "E:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "E:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "E:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINNT\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1801674531-1177238915-839522115-501\..\Run: [internat.exe] internat.exe (User 'Guest')
    O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] E:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Shortcut to TCLOCKEX.EXE.lnk = D:\Utilities\TCLOCK\TCLOCKEX.EXE
    O4 - Startup: Start Firewall.lnk = E:\WINNT\system32\net.exe
    O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - E:\Program Files\Xilisoft\YouTube Video Converter\upod_link.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - E:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - E:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: lxcg_device - - E:\WINNT\system32\lxcgcoms.exe
    O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    End of file - 6338 bytes
    *******************************


    That was it.
    Many thanks for the trouble.
    Edouard: I HAD removed the restore points, because that happens automatically when you disable System Restore.

    Regards, perloc
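The indicators this thread turns on (an O4 Run entry launching from C:\RECYCLER, an F2 UserInit line carrying a second executable, an O23 service with an unknown owner or a missing binary) are exactly what a reviewer scans a HijackThis log for. As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script that flags those three patterns. The sample lines are constructed from the entries quoted on this page; the rule set, severity labels and function names are this example's own.

```python
"""Triage a HijackThis log for the persistence patterns seen in this thread.

Added example; not part of the forum thread or of HijackThis. The sample
lines are constructed from entries quoted on the page, and the rule set and
severity labels are this example's own.
"""
import re

# Constructed sample log: a few lines per HijackThis section, in the tool's own format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,E:\DOCUME~1\Minda1\LOCALS~1\Temp\081.exe,
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINNT\system32\ctfmon.exe
O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe (file missing)
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
O4_RE = re.compile(r"^O4 - (HK[^:]+): \[(.+?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Directories a legitimate autorun should never launch from (compared case-insensitively).
SUSPICIOUS_DIRS = ("\\recycler\\", "\\temp\\")


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    line = line.strip()

    m = USERINIT_RE.match(line)
    if m:
        # Windows itself runs only userinit.exe here; any further entry is a logon hook.
        entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
        extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
        if extra:
            return ("high", "UserInit chain runs extra executable(s): " + ", ".join(extra))
        return None

    m = O4_RE.match(line)
    if m:
        _key, name, target = m.groups()
        if any(d in target.lower() for d in SUSPICIOUS_DIRS):
            return ("high", f"autorun [{name}] launches from RECYCLER/Temp: {target}")
        return None

    m = O23_RE.match(line)
    if m:
        name, owner, path = m.groups()
        reasons = []
        if owner.strip().lower() == "unknown owner":
            reasons.append("no publisher")
        if path.rstrip().endswith("(file missing)"):
            reasons.append("binary missing on disk")
        if reasons:
            return ("medium", f"service {name}: " + "; ".join(reasons))
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns [(severity, line, reason), ...] in log order."""
    findings = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((hit[0], raw.strip(), hit[1]))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity.upper()}] {reason}\n    {line}")
```

Run against the sample it reports three findings: the UserInit hook to 081.exe, the Run entry in C:\RECYCLER, and the BNDMSS service with no publisher and no file on disk. A "medium" on the service alone is deliberate: after removal the binary is expected to be missing, which is the state the earlier logfile in this thread showed, so that line is a follow-up check rather than proof of infection.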
