System security - virus?

  • Geert

    Dear experts,

    Yesterday my father found a program on his computer. He was getting warnings about malicious software, and I noticed that there was some kind of virus scanner on the PC that I did not recognise from our home. Every so often this little program popped up a message in the system tray (with its cute plop sound) saying that there was still malicious software on the PC. Now and then a window also appeared with the same message, and even a window with the results of a scan, asking to remove infected programs (several of which I recognised as essential for the PC to function).

    So I could see what was coming and went looking for information about the program, called System security. After Google naturally returned an enormous number of hits, I refined my search with the term virus and also -anti. Then I got two hits at the top of the page that also described the same program, with a black-and-yellow shield as its icon. A virus, the replies said.

    So I kicked everyone away from the PC and followed all the steps you recommend. After Spybot, Ad-Aware and MBAM a reboot, and to my pleasant surprise the little program was gone. I went through the rest of the steps anyway, and I would like to know whether we are clean again now.

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 14:18:10, on 05-01-2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16762)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\SYSTEM32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

    C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe

    C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe

    C:\Program Files\SPAMfighter\sfus.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE

    C:\WINDOWS\SYSTEM32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\SOUNDMAN.EXE

    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    C:\Program Files\SPAMfighter\SFAgent.exe

    C:\Program Files\QuickTime\QTTask.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE

    C:\Program Files\Blokker Bestelsoftware\Agent.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    C:\Program Files\TomTom HOME 2\HOMERunner.exe

    C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe

    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe

    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\WINDOWS\system32\msiexec.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

    O4 - HKLM\..\Run: C:\WINDOWS\system32\PSDrvCheck.exe

    O4 - HKLM\..\Run: SOUNDMAN.EXE

    O4 - HKLM\..\Run: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    O4 - HKLM\..\Run: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

    O4 - HKLM\..\Run: "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

    O4 - HKLM\..\Run: C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    O4 - HKLM\..\Run: "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s

    O4 - HKLM\..\Run: "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Blokker Bestelsoftware\Agent.exe"

    O4 - HKCU\..\Run: "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

    O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    O4 - HKCU\..\Run: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: "C:\Program Files\TomTom HOME 2\HOMERunner.exe"

    O4 - HKCU\..\Run: C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe

    O4 - HKCU\..\Run: C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc

    O4 - HKCU\..\Run: "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

    O4 - HKUS\S-1-5-19\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')

    O4 - HKUS\S-1-5-20\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')

    O4 - HKUS\S-1-5-18\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - http://thuis.koninginwilhelminaschool.net/msrdp.cab

    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://thuis.koninginwilhelminaschool.net/msrdp.cab

    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe

    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe

    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

    O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe

    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe

    O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe

    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe

    O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

    End of file - 9071 bytes

    MBAM log:

    Malwarebytes' Anti-Malware 1.32

    Database versie: 1617

    Windows 5.1.2600 Service Pack 3

    05-01-2009 13:56:58

    mbam-log-2009-01-05 (13-56-58).txt

    Scan type: Snelle Scan

    Objecten gescand: 81924

    Verstreken tijd: 20 minute(s), 0 second(s)

    Geheugenprocessen geïnfecteerd: 1

    Geheugenmodulen geïnfecteerd: 0

    Registersleutels geïnfecteerd: 2

    Registerwaarden geïnfecteerd: 1

    Registerdata bestanden geïnfecteerd: 1

    Mappen geïnfecteerd: 0

    Bestanden geïnfecteerd: 4

    Geheugenprocessen geïnfecteerd:

    C:\Documents and Settings\All Users\Application Data\1088539997\1701140033.exe (Rogue.SystemSecurity) -> Unloaded process successfully.

    Geheugenmodulen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.

    Registerwaarden geïnfecteerd:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1701140033 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

    Registerdata bestanden geïnfecteerd:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Mappen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Bestanden geïnfecteerd:

    C:\Documents and Settings\All Users\Application Data\1088539997\1701140033.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

    C:\Documents and Settings\gebruiker\Local Settings\Temporary Internet Files\Content.IE5\OS38VMQ4\install.exe (Rogue.Winweb) -> Quarantined and deleted successfully.

    C:\WINDOWS\system32\Firewall.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Documents and Settings\gebruiker\Bureaublad\System Security.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

    Thanks in advance for the analysis; I will keep checking regularly for your reply.

    Kind regards,

    Mark.
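Added example, not from the original post or from any of the tools it quotes: a small Python triage pass over HijackThis-style lines that flags the kind of autorun entry MBAM removed here (a numeric-named executable under All Users\Application Data) as well as orphaned "(no file)" / "(file missing)" entries. The sample lines are constructed from the logs above; the severity labels and the DATA_DIRS list are this example's own heuristics, not anything HijackThis or MBAM emits.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis format, modelled on the logs posted above.
# The second O4 line is rebuilt from the MBAM detection (Run value 1701140033 pointing
# at All Users\Application Data\1088539997\1701140033.exe); it had already been removed
# by the time the HijackThis log was taken, so it does not appear there.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: C:\Documents and Settings\All Users\Application Data\1088539997\1701140033.exe
O4 - HKLM\..\Run: SOUNDMAN.EXE
O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
"""

# "O4 - <location>: <command>"; the location never contains ": ", the command may.
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): (?P<cmd>.+)$")
# A quoted path, a drive-qualified path up to .exe, or a bare file name (e.g. SOUNDMAN.EXE).
EXE_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.+?\.exe)|(\S+\.exe)', re.IGNORECASE)
# Directories a legitimate autorun rarely runs from; rogue droppers use them routinely (heuristic).
DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\temporary internet files\\")


def executable_path(cmd: str) -> Optional[str]:
    """Extract the executable an O4 command line would launch, or None."""
    m = EXE_RE.search(cmd)
    if m is None:
        return None
    return next(g for g in m.groups() if g)


def assess(path: str) -> Optional[Tuple[str, str]]:
    """Heuristic verdict for an autorun target: (severity, reason), or None if unremarkable."""
    lowered = path.lower()
    parts = [p for p in lowered.split("\\") if p]
    stem = parts[-1].rsplit(".", 1)[0]
    # A purely numeric directory or file name is the pattern seen in the MBAM log above.
    if stem.isdigit() or any(p.isdigit() for p in parts[:-1]):
        return ("HIGH", "numeric-named autorun, typical of rogue-AV droppers")
    if any(d in lowered for d in DATA_DIRS):
        return ("MEDIUM", "autorun launched from a data or temp directory")
    if ":" not in path:
        return ("LOW", "unqualified path, resolved through the search order")
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries of a HijackThis log worth a second look, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Orphans (target gone) are not malicious by themselves but should be cleaned up.
        if "(no file)" in line or "(file missing)" in line:
            findings.append({"line": line, "severity": "INFO",
                             "reason": "orphaned entry, target no longer exists"})
            continue
        m = O4_RE.match(line)
        if m is None:
            continue
        path = executable_path(m.group("cmd"))
        if path is None:
            continue
        verdict = assess(path)
        if verdict is not None:
            findings.append({"line": line, "path": path,
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

The heuristics only rank entries for a human to check; they do not replace the scanners the thread uses.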

  • Teaser

    Download ComboFix to your Desktop.

    Double-click ComboFix.exe

    Follow the instructions and accept the disclaimer by typing "y" or "Y".

    While the fix is running, do NOT click in the window, or your PC will "hang".

    NB: If your virus scanner responds with a warning about a script being executed, you can ignore it.

    When the fix has completed and after the restart, the log combofix.txt will open.

    Post this log here in your next post, together with a new HijackThis log.

  • Geert

    Dear Teaser,

    ComboFix installed and run. After startup I only got a message that it could not find temp01, but after that the log appeared as normal.

    ComboFix log:

    ComboFix 09-01-05.01 - gebruiker 2009-01-05 16:55:42.1 - NTFSx86

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.511.144

    Gestart vanuit: c:\documents and settings\gebruiker\Bureaublad\ComboFix.exe

    * Nieuw herstelpunt werd aangemaakt

    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\All Users\Application Data\30007E3.exe

    c:\windows\system32\ftpupd.exe

    .

    (((((((((((((((((((( Bestanden Gemaakt van 2008-12-05 to 2009-01-05 ))))))))))))))))))))))))))))))

    .

    2009-01-05 14:03 . 2009-01-05 14:03 d-------- c:\program files\Trend Micro

    2009-01-05 13:22 . 2009-01-05 13:22 d-------- c:\program files\Malwarebytes' Anti-Malware

    2009-01-05 13:22 . 2009-01-05 13:22 d-------- c:\documents and settings\gebruiker\Application Data\Malwarebytes

    2009-01-05 13:22 . 2009-01-05 13:22 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

    2009-01-05 13:22 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

    2009-01-05 13:22 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

    2009-01-05 13:18 . 2009-01-05 13:18 d-------- c:\program files\CleanUp!

    2009-01-05 11:48 . 2009-01-05 11:48 d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

    2009-01-05 11:48 . 2009-01-05 11:48 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

    2009-01-05 11:48 . 2009-01-05 11:48 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

    2009-01-05 11:48 . 2009-01-05 11:48 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

    2009-01-04 18:11 . 2009-01-04 18:11 d-------- c:\documents and settings\All Users\Application Data\1088539997

    2008-12-29 13:44 . 2008-12-29 14:00 17,554 --a------ c:\documents and settings\gebruiker\Application Data\mdbu.bin

    2008-12-29 13:11 . 2008-12-29 13:11 d-------- c:\documents and settings\All Users\Application Data\HEMA Fotoservice

    2008-12-13 15:37 . 2008-12-13 15:37 d-------- c:\windows\system32\nl

    2008-12-13 15:37 . 2008-12-13 15:37 d-------- c:\windows\l2schemas

    .

    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-01-05 16:00 13,880 ----a-w c:\windows\system32\drivers\COMFiltr.sys

    2009-01-05 16:00 --------- d-----w c:\program files\SPAMfighter

    2009-01-05 12:59 --------- d-----w c:\program files\Spybot - Search & Destroy

    2009-01-05 10:54 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    2009-01-04 12:16 55,610 ----a-w c:\documents and settings\gebruiker\Application Data\wklnhst.dat

    2009-01-03 12:50 --------- d-----w c:\program files\Winamp

    2008-12-29 12:42 --------- d-----w c:\program files\HEMA Fotoservice

    2008-12-19 15:43 --------- d-----w c:\documents and settings\gebruiker\Application Data\Ahead

    2008-12-18 10:43 --------- d-----w c:\program files\Blokker Bestelsoftware

    2008-12-18 10:38 9 ----a-w c:\documents and settings\gebruiker\Application Data\mdb.bin

    2008-12-15 10:48 --------- d-----w c:\program files\MSN Messenger

    2008-05-01 15:25 85,224 ----a-w c:\documents and settings\gebruiker\Application Data\GDIPFONTCACHEV1.DAT

    2007-11-22 20:33 9,928 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\unins000.dat

    2007-06-07 16:08 1,152,512 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\altconverter.exe

    2007-04-11 13:43 110,592 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\ffx.dll

    2007-03-21 14:41 270,336 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\mpeg2lib.dll

    2007-03-21 14:40 98,304 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\csslib.dll

    2007-03-09 16:03 1,290,240 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\cominterf.dll

    2007-03-05 16:20 196,608 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\Ripper.dll

    2007-01-30 01:59 7,165,440 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\avcodec-51.dll

    2007-01-30 01:59 490,496 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\avformat-51.dll

    2007-01-30 01:59 19,968 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\avutil-49.dll

    2007-01-30 01:59 142,848 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\swscale-0.dll

    2006-10-05 17:21 69,632 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\Cleanacp.exe

    2006-06-26 22:45 258,048 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\SDL.dll

    2005-11-23 19:48 262,144 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\libsndfile.dll

    2005-06-29 19:48 138,240 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\vorbis.dll

    2005-06-29 19:47 9,216 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\ogg.dll

    2005-06-10 19:04 83,456 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\CDRip.dll

    2004-10-15 08:32 65,024 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\vorbisenc.dll

    2004-04-05 23:37 0 ----a-w c:\windows\system32\config\systemprofile\Application Data\wklnhst.dat

    2004-04-02 03:00 76,745 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\unins000.exe

    2003-03-02 17:18 573,440 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\id3lib.dll

    2003-02-21 03:42 348,160 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\msvcr71.dll

    2002-01-03 22:50 69,632 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\WMA8Connect.dll

    2001-07-05 20:25 132,096 ----a-w c:\documents and settings\Alt WAV MP3 WMA OGG Converter\lame_enc.dll

    1998-09-25 20:16 270,848 ----a-w c:\program files\UNWISE.EXE

    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    REGEDIT4

    "MessengerPlus3"="c:\program files\Messenger Plus! 3\MsgPlus.exe"

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe"

    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe"

    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe"

    "InstantTray"="c:\program files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe"

    "IW_Drop_Icon"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe"

    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe"

    "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe"

    "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"

    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe"

    "SPAMfighter Agent"="c:\program files\SPAMfighter\SFAgent.exe"

    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe"

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe"

    "APVXDWIN"="c:\program files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE"

    "SCANINICIO"="c:\program files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"

    "ExtraFilmHemmaAgent"="c:\program files\Blokker Bestelsoftware\Agent.exe"

    "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe"

    "SoundMan"="SOUNDMAN.EXE"

    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE"

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

    Adobe Reader Snelle start.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe

    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE

    2008-03-18 15:58 58672 c:\windows\system32\avldr.dll

    "VIDC.GTCC"= GTCODEC.DLL

    "vidc.I420"= vdrcodec.dll

    BootExecute REG_MULTI_SZ autocheck autochk *\0

    @="Service"

    --a------ 2005-05-27 14:59 323584 c:\program files\Blokker Bestelsoftware\Agent.exe

    --a------ 2003-08-25 16:06 745984 c:\program files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe

    --a------ 2003-09-01 13:28 1134080 c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe

    --a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

    --a------ 2001-02-06 02:04 155648 c:\documents and settings\gebruiker\Mijn documenten\RealPopup\RealPopup.exe

    "DisableMonitoring"=dword:00000001

    "%windir%\\system32\\sessmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth II\\game.dat"=

    "c:\\Program Files\\BitComet\\BitComet.exe"=

    "c:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=

    "c:\\Documents and Settings\\gebruiker\\Mijn documenten\\Downloads\\LimeWire\\LimeWire.exe"=

    "c:\\Program Files\\Ares\\Ares.exe"=

    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

    "c:\\Program Files\\MSN Messenger\\livecall.exe"=

    R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys

    R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys

    R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys

    R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys

    R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys

    R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys

    R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys

    R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys

    R4 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda --> c:\windows\system32\svchost -k Panda

    R4 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys

    R4 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Antivirus Pro 2009\psksvc.exe

    R4 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe

    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS

    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    S4 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys

    panda REG_MULTI_SZ Gwmsrv

    \Shell\AutoRun\command - K:\InstallTomTomHOME.exe

    \Shell\AutoRun\command - K:\InstallTomTomHOME.exe

    .

    Inhoud van de 'Gedeelde Taken' map

    2008-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe

    .

    - - - - ORPHANS VERWIJDERD - - - -

    HKLM-Run-NWEReboot - (no file)

    .

    ------- Bijkomende Scan -------

    .

    uLocal Page = %SystemRoot%\blank.htm

    uStart Page = hxxp://www.startpagina.nl/

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

    mLocal Page = %SystemRoot%\blank.htm

    mStart Page = hxxp://www.msn.com

    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

    .

    .

    ------- Bestandsassociaties -------

    .

    JSEFile=c:\progra~1\PANDAS~2\PANDAA~1\PavScrip.exe "%1" %*

    VBEFile=c:\progra~1\PANDAS~2\PANDAA~1\PavScrip.exe "%1" %*

    VBSFile=c:\progra~1\PANDAS~2\PANDAA~1\PavScrip.exe "%1" %*

    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-01-05 17:00:21

    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond

    verborgen bestanden: 0

    **************************************************************************

    .

    --------------------- DLLs Geladen Onder Lopende Processen ---------------------

    - - - - - - - > 'winlogon.exe'(604)

    c:\windows\system32\Ati2evxx.dll

    c:\windows\system32\avldr.dll

    .

    ------------------------ Andere Aktieve Processen ------------------------

    .

    c:\windows\system32\ati2evxx.exe

    c:\program files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

    c:\program files\Panda Security\Panda Antivirus Pro 2009\WebProxy.exe

    c:\program files\Panda Security\Panda Antivirus Pro 2009\PsCtrlS.exe

    c:\program files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe

    c:\program files\Common Files\Panda Security\PavShld\PavPrSrv.exe

    c:\program files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe

    c:\program files\Panda Security\Panda Antivirus Pro 2009\PAVSRV51.EXE

    c:\program files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE

    c:\windows\system32\ati2evxx.exe

    c:\windows\system32\msiexec.exe

    .

    **************************************************************************

    .

    Voltooingstijd: 2009-01-05 17:04:11 - machine werd herstart

    ComboFix-quarantined-files.txt 2009-01-05 16:04:07

    Pre-Run: 42.712.698.880 bytes beschikbaar

    Post-Run: 42,553,704,448 bytes beschikbaar

    WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    226 --- E O F --- 2008-12-17 21:50:51

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 17:05:51, on 05-01-2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16762)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

    C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe

    C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe

    C:\Program Files\SPAMfighter\sfus.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\ApvxdWin.exe

    C:\WINDOWS\SOUNDMAN.EXE

    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    C:\Program Files\SPAMfighter\SFAgent.exe

    C:\Program Files\QuickTime\QTTask.exe

    C:\Program Files\Blokker Bestelsoftware\Agent.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    C:\Program Files\TomTom HOME 2\HOMERunner.exe

    C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe

    C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    C:\WINDOWS\system32\msiexec.exe

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    C:\WINDOWS\explorer.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe

    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

    O4 - HKLM\..\Run: C:\WINDOWS\system32\PSDrvCheck.exe

    O4 - HKLM\..\Run: SOUNDMAN.EXE

    O4 - HKLM\..\Run: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    O4 - HKLM\..\Run: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

    O4 - HKLM\..\Run: "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

    O4 - HKLM\..\Run: C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    O4 - HKLM\..\Run: "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s

    O4 - HKLM\..\Run: "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Blokker Bestelsoftware\Agent.exe"

    O4 - HKLM\..\Run: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    O4 - HKCU\..\Run: "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

    O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    O4 - HKCU\..\Run: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - HKCU\..\Run: "C:\Program Files\TomTom HOME 2\HOMERunner.exe"

    O4 - HKCU\..\Run: C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe

    O4 - HKCU\..\Run: C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc

    O4 - HKCU\..\Run: "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

    O4 - HKUS\S-1-5-18\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - http://thuis.koninginwilhelminaschool.net/msrdp.cab

    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://thuis.koninginwilhelminaschool.net/msrdp.cab

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe

    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe

    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

    O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe

    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe

    O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe

    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe

    O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

    End of file - 9286 bytes

    I'm curious!

    Regards,

    Mark.

  • Teaser

    Looks clean again.

    Go to Start > Run, type combofix /U there and click OK.

    Let us know how things stand now.

  • Geert

    Combofix /U was the uninstaller, I think? The program has been removed. Nothing else exciting... do I still need to post an HJT log?

  • Wendy

    Hi,

    I have the same thing on my PC, and this is what ComboFix reports. What should I do now?

    ComboFix 09-01-05.02 - Jurgen 2009-01-05 18:28:26.2 - NTFSx86

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.1535.986

    Started from: c:\documents and settings\Jurgen\Bureaublad\ComboFix.exe

    .

    (((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 ))))))))))))))))))))))))))))))

    .

    2009-01-05 16:16 . 2009-01-05 17:43 dr-h----- c:\documents and settings\Jurgen\Onlangs geopend

    2009-01-05 16:00 . 2009-01-05 16:00 d-------- c:\documents and settings\All Users\Application Data\203252215

    2009-01-05 11:56 . 2009-01-05 15:51 dr-h----- c:\documents and settings\Wendy\Onlangs geopend

    2008-12-31 17:21 . 2008-12-31 17:21 664 --a------ c:\windows\system32\d3d9caps.dat

    2008-12-31 15:08 . 2008-12-31 15:28 8 --a------ c:\windows\system32\nvModes.dat

    2008-12-31 14:44 . 2008-12-31 14:44 489 --a------ c:\windows\system\Cmicnfg.ini

    2008-12-29 20:25 . 2009-01-05 16:06 d-------- c:\program files\C3Basic

    2008-12-29 20:25 . 2003-04-18 16:29 44,544 --a------ c:\windows\system32\msxml4a.dll

    2008-12-29 20:06 . 2008-12-29 20:06 112,221 --a------ C:\clubdjpro.mp3

    2008-12-29 11:24 . 2008-12-29 11:24 244 --ah----- C:\sqmnoopt06.sqm

    2008-12-29 11:24 . 2008-12-29 11:24 232 --ah----- C:\sqmdata06.sqm

    2008-12-21 17:07 . 2008-12-21 17:53 d-------- c:\documents and settings\Jurgen\Application Data\Mp3tag

    2008-12-21 16:34 . 2008-12-21 16:56 d-------- c:\program files\MP3Gain

    2008-12-21 16:04 . 2008-12-21 16:04 d-------- c:\documents and settings\All Users\Application Data\nView_Profiles

    2008-12-21 15:43 . 2008-12-21 15:43 d-------- c:\documents and settings\All Users\Application Data\NVIDIA

    2008-12-17 11:43 . 2008-12-17 11:43 dr------- c:\documents and settings\LocalService\Mijn documenten

    2008-12-16 19:11 . 2008-12-16 19:11 d-------- c:\program files\Alcohol Soft

    2008-12-16 19:11 . 2004-04-30 09:37 160,640 --a------ c:\windows\system32\drivers\a347bus.sys

    2008-12-16 19:11 . 2004-04-30 09:33 5,248 --a------ c:\windows\system32\drivers\a347scsi.sys

    2008-12-16 18:57 . 2008-12-16 18:57 245,760 --------- c:\windows\Setup1.exe

    2008-12-16 18:57 . 2008-12-16 18:57 73,216 --a------ c:\windows\ST6UNST.EXE

    2008-12-16 18:53 . 2008-12-16 18:53 d-------- c:\program files\Amazon DVD Shrinker

    2008-12-16 18:52 . 2008-12-16 18:52 d-------- c:\program files\Mp3tag

    2008-12-15 22:06 . 2008-12-15 22:06 d-------- c:\documents and settings\Jurgen\Application Data\PC Suite

    2008-12-15 20:49 . 2008-12-15 20:49 d-------- c:\program files\GrabIt

    2008-12-15 18:03 . 2008-12-15 18:04 d-------- c:\documents and settings\Wendy\Application Data\PC Suite

    2008-12-15 18:03 . 2008-12-15 18:04 d-------- c:\documents and settings\Wendy\Application Data\Nokia

    2008-12-15 18:03 . 2008-12-15 18:04 d-------- c:\documents and settings\All Users\Application Data\PC Suite

    2008-12-15 18:02 . 2008-12-15 18:02 d-------- c:\program files\Common Files\PCSuite

    2008-12-15 18:02 . 2008-12-15 18:02 d-------- c:\program files\Common Files\Nokia

    2008-12-15 18:01 . 2008-12-15 18:01 d-------- c:\program files\PC Connectivity Solution

    2008-12-15 18:01 . 2008-12-15 18:02 d-------- c:\program files\Nokia

    2008-12-15 18:01 . 2008-12-15 18:01 d-------- c:\program files\DIFX

    2008-12-15 18:01 . 2008-05-07 07:38 90,624 --a------ c:\windows\system32\nmwcdcls.dll

    2008-12-15 18:01 . 2007-09-17 15:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys

    2008-12-15 18:00 . 2008-12-15 18:00 d-------- c:\documents and settings\All Users\Application Data\Installations

    2008-12-13 14:49 . 2008-12-13 14:51 d-------- c:\program files\ClubDJ Pro

    2008-12-13 14:49 . 1999-03-24 00:06 1,046,288 --a------ c:\windows\system32\msjet35.dll

    2008-12-13 14:49 . 1996-11-08 00:48 368,912 --a------ c:\windows\system32\vbar332.dll

    2008-12-13 14:49 . 1998-06-17 23:00 89,360 --a------ c:\windows\system32\Vb5db.dll

    2008-12-13 14:49 . 1997-01-12 23:00 37,136 --a------ c:\windows\system32\MSJINT35.DLL

    2008-12-13 14:49 . 1996-12-02 17:44 24,336 --a------ c:\windows\system32\MSJTER35.DLL

    2008-12-10 10:59 . 2008-12-10 11:05 d-------- c:\program files\Yahoo!

    2008-12-10 10:59 . 2008-12-10 11:00 d-------- c:\program files\CCleaner

    2008-12-07 18:40 . 2008-12-07 18:40 244 --ah----- C:\sqmnoopt05.sqm

    2008-12-07 18:40 . 2008-12-07 18:40 232 --ah----- C:\sqmdata05.sqm

    2008-12-07 18:30 . 2008-12-07 18:30 244 --ah----- C:\sqmnoopt04.sqm

    2008-12-07 18:30 . 2008-12-07 18:30 232 --ah----- C:\sqmdata04.sqm

    .

    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-01-05 17:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

    2009-01-05 16:44 17,408 ----a-w c:\windows\system32\drivers\USBCRFT.SYS

    2009-01-05 16:32 --------- d-----w c:\program files\Spyware Doctor

    2008-12-31 23:48 --------- d-----w c:\documents and settings\Jurgen\Application Data\dvdcss

    2008-12-30 13:53 --------- d-----w c:\documents and settings\Jurgen\Application Data\GrabIt

    2008-12-18 10:09 --------- d-----w c:\program files\Java

    2008-12-16 17:55 2,572 ----a-w c:\windows\WINDVDBOOTRECDOE.sys

    2008-12-02 18:29 --------- d-----w c:\documents and settings\Wendy\Application Data\LimeWirePlus

    2008-11-25 15:34 --------- d-----w c:\program files\LimeWire Plus

    2008-11-25 15:34 --------- d-----w c:\documents and settings\Jurgen\Application Data\LimeWirePlus

    2008-11-20 20:54 --------- d-----w c:\program files\Common Files\Adobe

    2008-11-17 19:44 --------- d-----w c:\program files\Windows Media Connect 2

    2008-11-16 15:28 --------- d-----w c:\documents and settings\Jurgen\Application Data\vlc

    2008-11-14 15:41 --------- d-----w c:\program files\QWARE

    2008-11-13 10:24 --------- d-----w c:\documents and settings\Wendy\Application Data\Nero

    2008-11-13 08:01 --------- d-----w c:\documents and settings\Jurgen\Application Data\Nero

    2008-11-13 07:55 --------- d-----w c:\program files\Common Files\Nero

    2008-11-13 07:51 --------- d-----w c:\program files\Nero

    2008-11-13 07:51 --------- d-----w c:\documents and settings\All Users\Application Data\Nero

    2008-11-12 17:15 --------- d-----w c:\program files\VideoLAN

    2008-11-11 19:52 --------- d-----w c:\program files\FTDv3.8

    2008-11-10 06:42 --------- d-----w c:\program files\MSXML 4.0

    2008-11-10 04:43 410,984 ----a-w c:\windows\system32\deploytk.dll

    2008-11-09 10:29 --------- d-----w c:\program files\HP

    2008-11-09 10:29 --------- d-----w c:\program files\Hewlett-Packard

    2008-11-09 10:28 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant

    2008-11-09 10:21 --------- d-----w c:\program files\LimewirePlus

    2008-11-09 10:07 --------- d-----w c:\documents and settings\All Users\Application Data\HP

    2008-11-09 10:05 --------- d-----w c:\program files\Common Files\HP

    2008-11-09 10:00 --------- d-----w c:\program files\Common Files\Hewlett-Packard

    2008-11-09 09:41 --------- d-----w c:\program files\Windows Live

    2008-11-09 09:36 --------- d-----w c:\program files\MSECache

    2008-11-09 08:39 --------- d-----w c:\program files\Microsoft.NET

    2008-11-09 08:39 --------- d-----w c:\program files\Microsoft ActiveSync

    2008-11-09 08:22 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller

    2008-11-09 08:19 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller

    2008-11-09 08:04 --------- d--h--w c:\program files\InstallShield Installation Information

    2008-11-09 07:58 19,915 ----a-w c:\windows\system32\drivers\AegisP.sys

    2008-11-09 07:57 --------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth

    2008-11-09 07:55 --------- d-----w c:\program files\USB Wireless Keyboard Driver

    2008-11-09 07:52 --------- d-----w c:\program files\IVT Corporation

    2008-11-09 07:40 938,200 ----a-w c:\program files\chpintel_inf7x.exe

    2008-11-09 07:39 26,664,064 ----a-w c:\program files\bt_ms6869winxp.exe

    2008-11-08 22:04 --------- d-----w c:\program files\Common Files\PC Tools

    2008-11-08 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\PC Tools

    2008-11-08 22:03 160,792 ----a-w c:\windows\system32\drivers\pctfw2.sys

    2008-11-08 21:57 --------- d-----w c:\documents and settings\Jurgen\Application Data\PC Tools

    2008-11-08 21:51 --------- d-----w c:\program files\X10 Hardware

    2008-11-08 21:51 --------- d-----w c:\program files\Common Files\X10

    2008-11-08 21:50 --------- d-----w c:\program files\Intel

    2008-11-08 21:39 --------- d-----w c:\program files\RALINK

    2008-11-08 21:39 --------- d-----w c:\program files\Common Files\InstallShield

    2008-11-08 21:34 --------- d-----w c:\program files\microsoft frontpage

    2008-10-23 12:43 286,720 ----a-w c:\windows\system32\gdi32.dll

    2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll

    2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll

    2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

    2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll

    2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll

    2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll

    2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

    2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll

    2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll

    2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll

    2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll

    .

    ((((((((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legitimate default entries are not shown

    REGEDIT4

    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe"

    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe"

    "NvCplDaemon"="c:\windows\system32\NvCpl.dll"

    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"

    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"

    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe"

    "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

    "LWBMOUSE"="c:\program files\QWARE\Wheel Mouse\Ver.5.3\MOUSE32A.EXE"

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll"

    "1932103512"="c:\documents and settings\All Users\Application Data\203252215\1932103512.exe"

    "Dit"="Dit.exe"

    "nwiz"="nwiz.exe"

    "Snelkoppeling naar eigenschappenvenster voor High Definition Audio"="HDAudPropShortcut.exe"

    "CHotkey"="mHotkey.exe"

    "ledpointer"="CNYHKey.exe"

    "AGRSMMSG"="AGRSMMSG.exe"

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE"

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

    BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe

    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe

    Ralink Wireless Utility.lnk - c:\program files\RALINK\RT2500 USB Wireless LAN Card\Installer\WINXP\RaConfig2500.exe

    Snelstart HP Image Zone.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe

    "%windir%\\system32\\sessmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    "c:\\Program Files\\LimeWire Plus\\LimeWire.exe"=

    R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys

    R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys

    R3 UKBFLT;UKBFLT;c:\windows\system32\drivers\UKBFLT.sys

    R3 wbscr;Winbond Smartcard Reader for I/O;c:\windows\system32\drivers\wbscr.sys

    R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe

    S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv

    .

    Contents of the 'Scheduled Tasks' folder

    2009-01-05 c:\windows\Tasks\HPpromotions journeysoftware.job

    - c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.nl/

    LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-01-05 18:30:57

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    ------------------------ DLLs Loaded Under Running Processes ------------------------

    - - - - - - - > 'winlogon.exe'(960)

    c:\windows\system32\gpkcsp.dll

    c:\windows\system32\gpkrsrc.dll

    - - - - - - - > 'winlogon.exe'(2028)

    c:\windows\system32\gpkcsp.dll

    c:\windows\system32\gpkrsrc.dll

    - - - - - - - > 'lsass.exe'(1016)

    c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

    .

    Completion time: 2009-01-05 18:32:26

    ComboFix-quarantined-files.txt 2009-01-05 17:32:17

    ComboFix2.txt 2009-01-05 17:22:39

    Pre-Run: 44,477,919,232 bytes free

    Post-Run: 44,423,958,528 bytes free

    207 --- E O F --- 2008-12-18 10:10:18
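The helpers in this thread read HijackThis and ComboFix logs by eye. The script below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses the O2/O4/O23 lines of a HijackThis log and the `"name"="path"` lines of a ComboFix REGEDIT4 section and sorts each autostart entry into ok, review, cleanup or suspicious using a few rules of thumb that are assumptions on my part, not a verdict: a value name, folder or executable made only of digits, an executable that runs from a user-writable Application Data or Temp folder, and entries whose target file no longer exists (orphans, which are cleanup rather than infection). The sample lines are mostly taken from the logs posted above; the "Updater" line is constructed so the temp-folder rule has something to fire on.

```python
import re
from dataclasses import dataclass, field

# Sample input modelled on the HijackThis (O2/O4/O23) and ComboFix REGEDIT4
# lines posted in this thread. Most lines are copied from those logs; the
# "Updater" line is constructed to exercise the temp-folder rule.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKUS\S-1-5-18\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"
"1932103512"="c:\documents and settings\All Users\Application Data\203252215\1932103512.exe"
"Updater"="c:\documents and settings\Jurgen\Local Settings\Temp\upd.exe"
"""

HJT_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.+)$")
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"$')
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$", re.I)
DIGITS = re.compile(r"\d+")
# Rule of thumb (an assumption, not a verdict): on XP these folders are writable
# by an ordinary user, so an autostart entry pointing there deserves a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

@dataclass
class Entry:
    source: str          # "O4 HKLM", "O2 BHO", "O23 Service" or "Run" (ComboFix)
    name: str            # value/service/BHO name, "" when the log omits it
    path: str            # executable path with any "(file missing)" marker removed
    orphan: bool         # the target file no longer exists
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if any(r.startswith("digits-only") for r in self.reasons):
            return "suspicious"
        if self.orphan:
            return "cleanup"   # stale entry: safe to remove, not an infection by itself
        return "review" if self.reasons else "ok"

def command_path(cmd: str) -> str:
    """Executable out of a Run value: quoted path, else up to the first .exe/.dll, else first token."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll|sys|cpl))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def parse_line(line: str):
    """(source, name, raw path) for the line shapes we understand, else None."""
    if m := HJT_O4.match(line):
        return "O4 " + m["hive"], "", command_path(m["cmd"])
    if m := HJT_O2.match(line):
        return "O2 BHO", m["name"], m["path"]
    if m := HJT_O23.match(line):
        return "O23 Service", m["name"], m["path"]
    if m := CF_RUN.match(line):
        return "Run", m["name"], command_path(m["cmd"])
    return None

def assess(path: str) -> list:
    """Apply the rules of thumb to one path and return the reasons that fired."""
    low = path.lower()
    parts = [p for p in re.split(r"[\\/]", low) if p]
    stem = parts[-1].rsplit(".", 1)[0] if parts else ""
    reasons = []
    if DIGITS.fullmatch(stem):
        reasons.append("digits-only executable name")
    if any(DIGITS.fullmatch(p) for p in parts[:-1]):
        reasons.append("digits-only folder in path")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable data or temp folder")
    return reasons

def triage(log_text: str) -> list:
    """Parse every recognised autostart line in the log and score it."""
    entries = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        source, name, raw_path = parsed
        orphan = bool(ORPHAN.search(raw_path))
        path = ORPHAN.sub("", raw_path).strip()
        reasons = assess(path)
        if DIGITS.fullmatch(name):
            reasons.insert(0, "digits-only value name")
        entries.append(Entry(source, name, path, orphan, reasons))
    return entries

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.verdict:10} {e.source:16} {e.name or '-':12} {e.path}  {'; '.join(e.reasons)}")
```

Run it as-is to see the sample scored; to use it on a real log, pass the pasted text to `triage()`. A "suspicious" or "review" result is a starting point for looking the file up, not proof of malware, and a "cleanup" entry only says the registry still points at something that is gone.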

  • Teaser

    No, if everything is fine that's not necessary.

  • Teaser

    Wendy, please start a topic of your own.

    Then go through all the steps in the first post on this page.

  • Hilg

    I have exactly the same problem and did the same as Geert. Now my combofix has been removed too, and then what?? Please help!

  • Teaser

    Please start a topic of your own.

    Then follow the first link on this page.