[Centraal] Spy-, adware & virussen [4] - Pagina 8

M@rco · **17-09-2006, 11:04**

Dat ziet er ook niet best uit.

Probeer eerst eens de stappen onder 'zelf verwijderen' in de startpost te doorlopen; dat zou de meeste problemen wel op moeten lossen. Verder zou ik je ook echt aanraden om Service Pack 2 te installeren; een kale XP-installatie is echt veel en veel gevoeliger voor dit soort dingen.

polichinelle · **17-09-2006, 11:39**

Dat stukje wat onder 'zelf verwijderen staat' heb ik al uitgevoerd maar dat krijgt het niet weg.

freyk · **17-09-2006, 11:48**

Het enige wat polichinelle hoeft te doen is

op ctrl-alt-del -> processen -> en daar nwnmff_e6.exe, dfndrff_e6.exe, kybrdff_e6.exe, host en lsys stoppen
deze bestanden verwijderen: deze computer -> c-schijf, daar verwijder je nwnmff_e6.exe, dfndrff_e6.exe, kybrdff_e6.exe.
en dan nog ff naar start -> uitvoeren -> services.msc
Zoek "windows update" & "Windows Reg Service" en stop ze door met de rechtermuisknop erop te klikken-> stoppen.
Ga terug naar deze computer -> c-schijf -> mapje windows en klik dan op mapje system32 en verwijder daar host en lsys.

Elite! · **17-09-2006, 18:50**

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

Als je deze zelf niet als homepage gekozen hebt of wat dan ook kan je um verwijderen want dit hoeft niet te kloppen

Elite! · **22-09-2006, 07:04**

Ik had laatst een spyware aanval (door zogenaamd grappig proggie van vriend) en als laatste check zou ik graag willen dat jullie mijn hijackthis log bekijken. Alvast bedankt.

Logfile of HijackThis v1.99.1
Scan saved at 8:04:26, on 22-9-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Voetbal International\WatchDog.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{1CF209BF-0B6E-1043-0124-05040802001f}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pagina.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.casema.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...www.pagina.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Casema
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WatchDogExe] C:\Program Files\Voetbal International\WatchDog.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.casema.net/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1134232756031
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

freyk · **22-09-2006, 07:46**

Citaat:

The Dosh schreef op 22-09-2006 @ 08:04 :
Ik had laatst een spyware aanval (door zogenaamd grappig proggie van vriend)

Nou, leuke vriend heb jij

Hoe beschrijf je een spyware aanval?
Ik zie in iedergeval geen nare dingen in je log.

Elite! · **22-09-2006, 08:38**

Citaat:

freyk schreef op 22-09-2006 @ 08:46 :
Nou, leuke vriend heb jij
Hoe beschrijf je een spyware aanval?
Ik zie in iedergeval geen nare dingen in je log.

Ik zie een spyware aanval in de vorm van dat ik een programma downloade en als je die download voert hij zichzelf automatisch uit. Hij maakt pop-up, toolbars en instaleert errorscan en deluxe iets. Gokzooi en dergelijke in favorieten en porn uiteraard

dan instaleert hij ook nog eens trojan horse downloaders. Door al dit begon microsoft defender en avg helemaal te trippen natuurlijk want alles vroeg nogal veel cpu waardoor alles trager ging. 1 grote chaos

maar kheb het weer onder controle

bedankt dat je me logje ff bekeek

Ske* · **23-09-2006, 15:59**

Nadat mijn broer iets aangeklikt had op zijn msn venster, krijg ik nu voortdurend (zoiets van 1x minuut) een nieuw venster met reclame. Ik heb Hitman Pro laten lopen maar er is geen veranderen. Wat nu?

Ske* · **23-09-2006, 16:05**

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\U2ltb24\command.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Arcade\PCMService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\nwnmff_e12.exe
C:\kybrdff_e12.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Simon\LOCALS~1\Temp\Rar$EX00.984\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e12.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e12.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://tommeke9921.spaces.msn.com//P...d/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1137777305917
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\nkshrui.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\n4r2le9o1h.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\mv28l9fu1.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2ltb24\command.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Ske* · **23-09-2006, 16:17**

kan het zijn dat ik o.a.

C:\nwnmff_e12.exe
C:\kybrdff_e12.exe

moet verwijderen?

freyk · **23-09-2006, 19:18**

O.a wel ja.
Zie ook ff mijn antwoord in msn virus

Elite! · **24-09-2006, 14:29**

Ik heb een paar bestanden waar ik graag van zou willen weten of ze er horen of niet (ze staan in processen lijst). Ik zoek ook zelf maar soms vind ik het gewoon niet.

update.exe
CTSVCCDA.EXE

De info die ik vind zegt het kan wel of geen spyware zijn dus kga niet verwijderen tot ik manier weet om daarachter te komen.

freyk · **24-09-2006, 15:43**

Tip: gebruik "bestandnaam.extensie" als zoekwoord voor google.

Met CTSVCCDA.EXE, vind je dan iets.
Bij update.exe is altijd de locatie van dit bestand belangrijk.

Elite! · **24-09-2006, 16:45**

Citaat:

freyk schreef op 24-09-2006 @ 16:43 :
Tip: gebruik "bestandnaam.extensie" als zoekwoord voor google.

Met CTSVCCDA.EXE, vind je dan iets.
Bij update.exe is altijd de locatie van dit bestand belangrijk.

Update hoort ckr in system32 ergens of zo?

Ske* · **24-09-2006, 20:42**

jah m@rco ik nog s :
deze file

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2ltb24\command.exe

vink ik aan en doe ik scan en fix en blijft dan toch nog tussen de lijst zitten

M@rco · **24-09-2006, 20:54**

Ga eens naar Start, Configuratiescherm, Software. Misschien staat er "Command" in de lijst.

Anders zul je handmatig de service moeten verwijderen: Start > Uitvoeren > services.msc. Dan op zoek naar de command service, die stoppen en zorgen dat 'ie niet meer opstart, en dan nog verwijderen via Windows Verkenner.

freyk · **25-09-2006, 08:19**

Sommige services laten zich zo moeilijk stoppen.
Wat je ook kan doen is je computer laten opstarten buiten het windows omgeving en dan bestanden verwijderen.

Citaat:

The Dosh schreef op 24-09-2006 @ 17:45 :
Update hoort ckr in system32 ergens of zo?

Zover ik het weet niet.

juisterr · **25-09-2006, 09:51**

Citaat:

freyk schreef op 25-09-2006 @ 09:19 :
Sommige services laten zich zo moeilijk stoppen.
Wat je ook kan doen is je computer laten opstarten buiten het windows omgeving en dan bestanden verwijderen.

Zover ik het weet niet.

Start HJT opnieuw en vink ondestaande regel aan, sluit alle vensters en klik op fix checked.

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2ltb24\command.exe

Kopieer onderstaande vetgedrukte tekst in kladblok:

cd..
cd..
sc stop cmdService
sc delete cmdService

Sla het op op je bureaublad als sc.bat met als type "alle bestanden"
Dubbelklik sc.bat.

Herstart je pc.

juisterr · **25-09-2006, 09:57**

aan SKE*

Je bent zeker nog niet schoon.

Download Combofix naar je Bureaublad.

Dubbelklik Combofix.exe
Volg de instructies, aanvaard de disclaimer door "y" of "Y" te typen.
Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.

Wanneer de fix voltooid is en na herstart, zal de log combofix.txt openen.
Plaats deze log in je volgende post samen met een nieuw HijackThis log.

NOTA: Indien je virusscanner reageert met een melding van een scriptuitvoering, mag je dit negeren.

Ske* · **25-09-2006, 17:54**

voila hier ComboFix.txt

- 06-09-25 18:48:52,04 Service Pack 2
ComboFix 06.09.25 - Running from: "C:\WINDOWS\system32"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{50227552-B922-402A-95D1-5B161BE36271}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{50227552-B922-402A-95D1-5B161BE36271}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50227552-B922-402A-95D1-5B161BE36271}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{50227552-B922-402A-95D1-5B161BE36271}\InprocServer32]
@="C:\\WINDOWS\\system32\\miiole32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{33610378-9D98-409A-8773-63E006B69EA5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{33610378-9D98-409A-8773-63E006B69EA5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{33610378-9D98-409A-8773-63E006B69EA5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{33610378-9D98-409A-8773-63E006B69EA5}\InprocServer32]
@="C:\\WINDOWS\\system32\\sidoclc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{942B624D-54EA-4B85-965C-A47EE103E67B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{942B624D-54EA-4B85-965C-A47EE103E67B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{942B624D-54EA-4B85-965C-A47EE103E67B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{942B624D-54EA-4B85-965C-A47EE103E67B}\InprocServer32]
@="C:\\WINDOWS\\system32\\jsmd400.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{C616D0FD-C9DB-4B16-B363-A71E40A60D5A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C616D0FD-C9DB-4B16-B363-A71E40A60D5A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C616D0FD-C9DB-4B16-B363-A71E40A60D5A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C616D0FD-C9DB-4B16-B363-A71E40A60D5A}\InprocServer32]
@="C:\\WINDOWS\\system32\\sncfiles.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E1B9BBFB-0FC2-46C1-BC0E-2E72FD684605}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{E1B9BBFB-0FC2-46C1-BC0E-2E72FD684605}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E1B9BBFB-0FC2-46C1-BC0E-2E72FD684605}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E1B9BBFB-0FC2-46C1-BC0E-2E72FD684605}\InprocServer32]
@="C:\\WINDOWS\\system32\\aydiosrv.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{73CE3AE7-EDDF-491F-BB43-0D77C1DFDCB2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73CE3AE7-EDDF-491F-BB43-0D77C1DFDCB2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73CE3AE7-EDDF-491F-BB43-0D77C1DFDCB2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73CE3AE7-EDDF-491F-BB43-0D77C1DFDCB2}\InprocServer32]
@="C:\\WINDOWS\\system32\\syrrnnl.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CF041B26-C64A-40EE-A305-2853000748DB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF041B26-C64A-40EE-A305-2853000748DB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF041B26-C64A-40EE-A305-2853000748DB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF041B26-C64A-40EE-A305-2853000748DB}\InprocServer32]
@="C:\\WINDOWS\\system32\\dmvvox.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{5340FE7C-D2B4-4B3D-82BD-D2BAB233FB26}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5340FE7C-D2B4-4B3D-82BD-D2BAB233FB26}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5340FE7C-D2B4-4B3D-82BD-D2BAB233FB26}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5340FE7C-D2B4-4B3D-82BD-D2BAB233FB26}\InprocServer32]
@="C:\\WINDOWS\\system32\\cbbjmon.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{7A171BAF-43C0-4729-A922-695F7BCFFC9A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7A171BAF-43C0-4729-A922-695F7BCFFC9A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7A171BAF-43C0-4729-A922-695F7BCFFC9A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7A171BAF-43C0-4729-A922-695F7BCFFC9A}\InprocServer32]
@="C:\\WINDOWS\\system32\\nomsapi.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{3CD9DFA6-020A-4A28-B447-CDAFF9A1C9BC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3CD9DFA6-020A-4A28-B447-CDAFF9A1C9BC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3CD9DFA6-020A-4A28-B447-CDAFF9A1C9BC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3CD9DFA6-020A-4A28-B447-CDAFF9A1C9BC}\InprocServer32]
@="C:\\WINDOWS\\system32\\cjtdll.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BB7ED971-DD80-466C-B3D0-5E119C714387}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BB7ED971-DD80-466C-B3D0-5E119C714387}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BB7ED971-DD80-466C-B3D0-5E119C714387}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BB7ED971-DD80-466C-B3D0-5E119C714387}\InprocServer32]
@="C:\\WINDOWS\\system32\\sdnscfg.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{5F19E91F-F731-4BF7-A755-6927142864A9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5F19E91F-F731-4BF7-A755-6927142864A9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5F19E91F-F731-4BF7-A755-6927142864A9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5F19E91F-F731-4BF7-A755-6927142864A9}\InprocServer32]
@="C:\\WINDOWS\\system32\\mptext40.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CA47FA47-155E-4208-BF74-CF7178B3D06F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA47FA47-155E-4208-BF74-CF7178B3D06F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA47FA47-155E-4208-BF74-CF7178B3D06F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CA47FA47-155E-4208-BF74-CF7178B3D06F}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

FILES REMOVED:

C:\WINDOWS\system32\ncevtmsg.dll
C:\WINDOWS\system32\sidoclc.dll
C:\WINDOWS\system32\nomsapi.dll
C:\WINDOWS\system32\jsmd400.dll
C:\WINDOWS\system32\dmvvox.dll
C:\WINDOWS\system32\cbbjmon.dll
C:\WINDOWS\system32\cjtdll.dll
C:\WINDOWS\system32\sdnscfg.dll
C:\WINDOWS\system32\mdi.dll
C:\WINDOWS\system32\lv32.dll
C:\WINDOWS\system32\mptext40.dll
C:\WINDOWS\system32\syrrnnl.dll
C:\WINDOWS\system32\l88mlil118q.dll
C:\WINDOWS\system32\l8p2li7o18.dll
C:\WINDOWS\system32\i6lolg3316.dll
C:\WINDOWS\system32\t0r8la9u1d.dll
C:\WINDOWS\system32\jt2007fme.dll
C:\WINDOWS\system32\h6j4lg1q16.dll
C:\WINDOWS\system32\rEschap.dll
C:\WINDOWS\system32\f02mlaf11d2.dll
C:\WINDOWS\system32\guard.tmp

Granting sedebugprivilege to Administrators ... successful

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Simon\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Simon\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Thomas\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Thomas\Application Data\Dxccwrd.dll
C:\Documents and Settings\Thomas\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Kaat\Application Data\Dxcknwrd.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\teller2.chk
C:\deskbar.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\Program Files\Common Files\{205919EF-07CF-1043-0909-050411050020}
C:\WINDOWS\U2ltb24

((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))

2006-09-22 18:22 236,080 -r--s---- C:\WINDOWS\system32\sncfiles.dll
2006-09-21 20:10 138,862 --a------ C:\WINDOWS\alfa.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-23 17:38 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-09-23 10:51 -------- d-------- C:\Documents and Settings\Simon\Application Data\Google
2006-09-22 19:44 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-08-21 14:28 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-21 11:14 128896 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-08-05 15:40 -------- d-------- C:\Documents and Settings\Simon\Application Data\Lavasoft
2006-08-05 15:16 -------- d-------- C:\Program Files\Spyware Doctor
2006-08-05 15:15 -------- d-------- C:\Program Files\Webroot
2006-08-05 15:13 -------- d-------- C:\Program Files\Lavasoft
2006-08-05 15:12 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-05 15:10 502368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-08-05 15:10 270336 --a------ C:\WINDOWS\system32\imon.dll
2006-08-05 15:10 -------- d-------- C:\Program Files\ESET
2006-08-05 14:14 -------- d-------- C:\Program Files\Hitman Pro
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 15:26 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:29 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,0 0,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,0 0,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,0 0,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\e xplorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\e xplorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies \explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies \explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServ iceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten\\Adobe Reader Snelle start.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Snelle start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Snelle start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Valve\\Steam\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Mon 25/09/2006 18:52:15.43
ComboFix.txt

Ske* · **25-09-2006, 17:54**

Hier mijn Logs

Logfile of HijackThis v1.99.1
Scan saved at 18:54:13, on 25/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Simon\LOCALS~1\Temp\Rar$EX00.047\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://tommeke9921.spaces.msn.com//P...d/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1137777305917
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

juisterr · **25-09-2006, 18:19**

zo dat moet vast al schelen, zie je de "deleted" files wow.

Nog een beetje poetsen.

Download Dr.Web CureIt naar je Bureaublad:

Dubbelklik drweb-cureit.exe Klik op udate
Na de update verschijnt er een nieuw icoontje op je buroblad "CureIt.exe" dubbelklik het en klik op Scan, sta het toe om de express scan te starten.
Dit zal de bestanden scannen die momenteel in het geheugen geladen zijn en wanneer er iets gevonden wordt,
klik de Yes to all knop bij de vraag 'cure it?'. Dit is enkel een korte scan.
Eenmaal de korte scan is beeïndigd, kan je de drives selecteren die je wilt laten scannen.
Selecteer hier alle drives. Een rood bolletje zal dan tevoorschijn komen op de drives die je laat scannen.
Klik daarna de groene pijl rechts om de scan te starten.
Klik Yes to all wanneer er gevraagd wordt om cure of move uit te voeren.
Wanneer de scan beëindigd is, kijk of je kunt op het icoontje naast de gevonden bestanden klikken:
Indien ja,klik er op en klik vervolgens op het icoontje er juist onder en selecteer Move incurable zoals je hier ziet:

Dit verplaatst gevonden bestanden naar de "%userprofile%\DoctorWeb\quarantaine-map" indien herstel niet mogelijk is.
Nadat de scan gedaan is, in het menu bovenaan, klik File en kies Save report List. Bewaar het op je Bureaublad.
Sluit daarna Dr.Web Cureit.
Herstart je computer!! Belangrijke stap, want het kan zijn dat Dr.Web Cureit bestanden zal verplaatsen/verwijderen tijdens herstart.
Na het herstarten, kopieer en plak de inhoud van die log die je eerder hebt bewaard in je volgende post.

Negeer popups over Buy of 50% korting

vervolgens.
Download ATF cleaner (by Atribune)

Dubbelklik op ATF cleaner om het programma te starten.
Op het tabblad "Main", plaats je een vinkje bij Select All.
Klik op de knop Empty Selected.

Gebruik je ook Firefox als browser:
Klik op tabblad "Firefox", plaats een vinkje bij Select All.
Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
(dit verwijdert het vinkje bij "Firefox saved passwords")
Klik op de knop Empty Selected.

Gebruik je ook Opera als browser:
Klik op tabblad "Opera", plaats een vinkje bij Select All.
Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
Klik op de knop Empty Selected.
Ga naar het tabblad "Main" en klik op de knop Exit om het programma af te sluiten.

Start opieuw op en doe nogmaals een scan met de combofix aub.

Geef in je volgende post aub een
1) logje van dr.web
2) logje van combo fix
3) logje van HJT

vertel ook gelijk of je problemen ook over zijn.

Juisterr

Ske* · **26-09-2006, 17:42**

DR. Web

sncfiles.dll C:\WINDOWS\system32 Adware.Look2me
i14.tmp C:\Documents and Settings\Thomas\Local Settings\Temp Adware.Surfside
DXC1205b[1].exe C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\QJY5IR0P Adware.Surfside
kybrdff_e[2].exe C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\EJ5MZQ3D Adware.DollarRevenue
drsmartload1135a[1].exe C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\8JVX1BJ0 Adware.DollarRevenue
loader[1].exe C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\G5805MNV Trojan.DownLoader.13015 Deleted.
drsmartload45a[1].exe C:\Documents and Settings\Thomas\Local Settings\Temporary Internet Files\Content.IE5\6LLU3ILS Adware.DollarRevenue
cmdinst.exe C:\Documents and Settings\Kaat\Local Settings\Temp Trojan.Proxy.493 Incurable.Moved.
drsmartload45a[1].exe C:\Documents and Settings\Kaat\Local Settings\Temporary Internet Files\Content.IE5\9JR03764 Adware.DollarRevenue
loader[1].exe C:\Documents and Settings\Kaat\Local Settings\Temporary Internet Files\Content.IE5\8LSBODQ3 Trojan.DownLoader.13015 Deleted.
kybrdff_e[1].exe C:\Documents and Settings\Kaat\Local Settings\Temporary Internet Files\Content.IE5\W9234L6F Adware.DollarRevenue
Installer[2].exe C:\Documents and Settings\Kaat\Local Settings\Temporary Internet Files\Content.IE5\W9234L6F Adware.Look2me
MTE3NDI6ODoxNg[1].exe C:\Documents and Settings\Kaat\Local Settings\Temporary Internet Files\Content.IE5\OGQI1KUV Trojan.DownLoader.5013 Deleted.
ucmoreiex[1].exe C:\Documents and Settings\Kaat\Local Settings\Temporary Internet Files\Content.IE5\OGQI1KUV Adware.Ucmore
installer[1].exe C:\Documents and Settings\Kaat\Local Settings\Temporary Internet Files\Content.IE5\OGQI1KUV Trojan.Proxy.493 Incurable.Moved.
nwnmff_e[1].exe C:\Documents and Settings\Kaat\Local Settings\Temporary Internet Files\Content.IE5\OGQI1KUV Adware.DollarRevenue
VBAOL11.CHM\html/olobjAddressEntries.htm C:\Program Files\Microsoft Office\OFFICE11\1043\VBAOL11.CHM Modification of VBS.Petik
VBAOL11.CHM C:\Program Files\Microsoft Office\OFFICE11\1043 Archive contains infected objects Moved.
FND0.NFI C:\Program Files\ESET\cache Adware.Surfside
A0024985.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP87 Adware.SaveNow
A0025171.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP88 Adware.SaveNow
A0036005.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Look2me
A0036020.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Look2me
A0036023.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Look2me
A0036043.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Trojan.DownLoader.13015 Deleted.
A0036075.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Ucmore
A0036076.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Ucmore
A0036077.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.FastSearch
A0036081.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Look2me
A0036082.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Look2me
A0036083.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Trojan.DownLoader.5013 Deleted.
A0036084.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Look2me
A0036085.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Ucmore
A0036086.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Trojan.DownLoader.5013 Deleted.
A0036087.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Look2me
A0036094.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Look2me
A0036095.EXE C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Trojan.Proxy.493 Deleted.
A0036096.EXE C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Trojan.DnsChange Deleted.
A0036097.DLL C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Trojan.Proxy.493 Deleted.
A0036117.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Look2me
A0036155.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Adware.Softomate
A0036158.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP111 Trojan.DownLoader.13015 Deleted.
A0036170.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP112 Adware.Look2me
A0036184.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP112 Probably MULDROP.Trojan
A0036185.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP112 Adware.Look2me
A0036200.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP112 Adware.Look2me
A0036214.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.Look2me
A0036235.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.DollarRevenue
A0036238.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.DollarRevenue
A0036239.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.DollarRevenue
A0036240.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.DollarRevenue
A0036241.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Trojan.DownLoader.13015 Deleted.
A0036242.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.DollarRevenue
A0036243.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.DollarRevenue
A0036244.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.DollarRevenue
A0036245.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.Surfside
A0036251.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Trojan.DownLoader.5013 Deleted.
A0036252.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Trojan.DownLoader.5013 Deleted.
A0036255.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.DollarRevenue
A0036260.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.Ucmore
A0036261.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.Ucmore
A0036273.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP113 Adware.Look2me
A0036330.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP115 Adware.Softomate
A0036395.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Surfside
A0036396.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Surfside
A0036397.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Surfside
A0036398.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Surfside
A0036438.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0037437.DLL C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0037448.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0037476.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0037496.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0037504.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0037505.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Ucmore
A0037506.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0037510.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0037518.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038527.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038535.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038563.exe C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Trojan.DnsChange Deleted.
A0038618.DLL C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Trojan.Proxy.493 Deleted.
A0038619.EXE C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Trojan.Proxy.493 Deleted.
A0038620.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038621.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038622.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038623.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038624.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038625.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038626.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038627.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038628.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038629.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038630.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038631.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038632.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038633.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038634.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038635.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038636.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038637.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me
A0038638.dll C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP116 Adware.Look2me

juisterr · **26-09-2006, 18:14**

Hai ske,

Download VundoFix.exe naar je bureaublad.

Dubbelklik VundoFix.exe om het te starten.
Klik op de Scan for Vundo knop.
Eenmaal gedaan met scannen, klik op de Remove Vundo knop.
Je zal een melding krijgen of je de bestanden wilt laten verwijderen, klik YES
Nadat je Yes hebt geklikt, zullen de icoontjes op je Bureaublad verdwijnen tijdens het verwijderen van Vundo.
Wanneer voltooid zal je de melding krijgen dat het je PC zal afsluiten, klik OK.
Start je pc terug opnieuw op.
Post de inhoud van C:\vundofix.txt en een nieuwe hijackthislog in je volgende post.

Nota: Het is mogelijk dat VundoFix een bestand vindt dat niet kan verwijderd worden.
In dit geval zal VundoFix na het heropstarten van je pc nog eens opstarten. Dan moet je de instructies van hierboven nog eens uitvoeren vanaf: "Klik op Scan for Vundo."

Download ATF cleaner (by Atribune)

Dubbelklik op ATF cleaner om het programma te starten.
Op het tabblad "Main", plaats je een vinkje bij Select All.
Klik op de knop Empty Selected.

Gebruik je ook Firefox als browser:
Klik op tabblad "Firefox", plaats een vinkje bij Select All.
Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
(dit verwijdert het vinkje bij "Firefox saved passwords")
Klik op de knop Empty Selected.

Gebruik je ook Opera als browser:
Klik op tabblad "Opera", plaats een vinkje bij Select All.
Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
Klik op de knop Empty Selected.
Ga naar het tabblad "Main" en klik op de knop Exit om het programma af te sluiten.

- Ga naar Start/Alle programma's/Bureau-accessoires/Systeemwerkset/Systeemherstel.
- Klik in de linkerhelft van het venster op "Instellingen van systeemherstel".
- Zet een vinkje voor "Systeemherstel uitschakelen".
- Klik "Toepassen".
- Windows vraagt of je dat zeker weet.
- Klik "Ja".
- Klik "OK".
- Start de pc opnieuw op.
- Ga weer naar Start/Alle programma's/Bureau-accessoires/Systeemwerkset/Systeemherstel.
- Je krijgt de melding: "Systeemherstel is uitgeschakeld. Wilt u systeemherstel nu inschakelen?"
- Klik "Ja".
- Verwijder het vinkje voor "Systeemherstel uitschakelen".
- Klik "Toepassen".
- Klik "OK".

plaats weer een nieuw HJT logje ter controle en vertel of je probleem nu over is.
Succes.

D@mien · **26-09-2006, 19:07**

het volgende is in opvolging van deze post op de vorige pagina (http://forum.scholieren.com/showthre...1#post22666551) :

Ik heb met veel pijn en moeite het grootste deel van de spyware en virussen van de computer afgekregen en ik heb een hijackthis log kunnen maken. Ik kan er niets raars aan zien, maar er zit nogsteeds iets van spyware of een virus op.. ik post hier het logje ff zodat jullie er ff naar kunnen kijken.

Logfile of HijackThis v1.99.1
Scan saved at 17:11:14, on 6-9-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Berkel\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Protection Bar - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CIO] c:\progra~1\chatit~1\che7e1~1.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://cache.hyves.nl/statics/Aurigma/ImageUploader.cab
O16 - DPF: {BB87C3EA-AFC2-401F-84E8-0C166F2B0DA3} (OggPlayer Class) - http://www.one2one.com/static/class/WMOggPlayer.cab
O18 - Protocol: bw+0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {BEAADA7F-0BCD-426C-AFC2-3F56F9DB0237} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: imputable - {6570b782-1a41-4053-b2c9-12c7fcf0d84d} - C:\WINDOWS\system32\duxzj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

freyk · **26-09-2006, 19:35**

Ik zou nog ff het volgende fixen en verwijderen:
O21 - SSODL: imputable - {6570b782-1a41-4053-b2c9-12c7fcf0d84d} - C:\WINDOWS\system32\duxzj.dll

Ske* · **26-09-2006, 20:53**

Logfile of HijackThis v1.99.1
Scan saved at 21:52:50, on 26/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Simon\LOCALS~1\Temp\Rar$EX00.313\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://tommeke9921.spaces.msn.com//P...d/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1137777305917
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

juisterr · **26-09-2006, 21:26**

Ziet er goed uit ske*
problemen ook over?

juisterr · **26-09-2006, 21:31**

Citaat:

freyk schreef op 26-09-2006 @ 20:35 :
Ik zou nog ff het volgende fixen en verwijderen:
O21 - SSODL: imputable - {6570b782-1a41-4053-b2c9-12c7fcf0d84d} - C:\WINDOWS\system32\duxzj.dll

absoluut, maar er zit nog meer in.

Damien

Download Combofix naar je Bureaublad.

Dubbelklik Combofix.exe
Volg de instructies, aanvaard de disclaimer door "y" of "Y" te typen.
Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.

Wanneer de fix voltooid is en na herstart, zal de log combofix.txt openen.
Plaats deze log in je volgende post samen met een nieuw HijackThis log.

NOTA: Indien je virusscanner reageert met een melding van een scriptuitvoering, mag je dit negeren.

Ske* · **27-09-2006, 06:23**

Simon - 06-09-27 7:08:20,68 Service Pack 2
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Simon\Bureaublad"

((((((((((((((((((((((((((((((( Files Created from 2006-08-27 to 2006-09-27 ))))))))))))))))))))))))))))))))))

2006-09-22 18:22 236,080 -r--s---- C:\WINDOWS\system32\sncfiles.dll
2006-09-21 20:10 138,862 --a------ C:\WINDOWS\alfa.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-23 17:38 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-09-23 10:51 -------- d-------- C:\Documents and Settings\Simon\Application Data\Google
2006-09-22 19:44 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-08-21 14:28 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-21 11:14 128896 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-08-05 15:40 -------- d-------- C:\Documents and Settings\Simon\Application Data\Lavasoft
2006-08-05 15:16 -------- d-------- C:\Program Files\Spyware Doctor
2006-08-05 15:15 -------- d-------- C:\Program Files\Webroot
2006-08-05 15:13 -------- d-------- C:\Program Files\Lavasoft
2006-08-05 15:12 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-05 15:10 502368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-08-05 15:10 270336 --a------ C:\WINDOWS\system32\imon.dll
2006-08-05 15:10 -------- d-------- C:\Program Files\ESET
2006-08-05 14:14 -------- d-------- C:\Program Files\Hitman Pro
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 15:26 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:29 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,0 0,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,0 0,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,0 0,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\e xplorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\e xplorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies \explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies \explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServ iceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten\\Adobe Reader Snelle start.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Snelle start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Snelle start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Valve\\Steam\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Wed 27/09/2006 7:09:02.57
ComboFix2.txt
ComboFix.txt

Ske* · **27-09-2006, 06:24**

Nu eens een persoonlijk berichtje hé

Ik ben echt heel tevreden! Nu al 3 dagen geen last meer, en mijn pc heeft nog nooit zo vlot gedraaid. Hij start in een minimumtijd op enzo.

Echt bedankt Juisterr!

polichinelle · **27-09-2006, 09:13**

Eh ja, alles wat ik de vorige keer moest doen werkt niet want het komt meteen weer terug en mn pc draait nu ook veel trager

Logfile of HijackThis v1.99.1
Scan saved at 10:12:10, on 27-9-2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TmF0aGFsaWUgRWVuaG9vcm4\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\lsyss.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\host.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\nwnmff_e16.exe
c:\dfndrff_e16.exe
c:\kybrdff_e16.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Last.fm\LastFM.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Nathalie Eenhoorn\Local Settings\Temp\Tijdelijke map 4 voor hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [Windows Update] host.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e16.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e16.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e16.exe
O4 - HKLM\..\RunServices: [Windows Update] host.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158409802142
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\kodindev.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\khdhe220.dll
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\khdhe220.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmF0aGFsaWUgRWVuaG9vcm4\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Reg Service - Unknown owner - C:\WINDOWS\system32\lsyss.exe

~SmG~ · **27-09-2006, 10:45**

Mijn computer doet steeds vreemd, ik denk dat ik een virus heb. Maar ik heb er helemaal geen verstand, zou iemand kunnen kijken of hier iets vreemds tussen staat.
Alvast heel erg bedankt!

Logfile of HijackThis v1.99.1
Scan saved at 11:43:08, on 27-9-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\icpldrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Manager for Skype\ManagerForSkype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\SCHIEV~1\LOCALS~1\Temp\Tijdelijke map 3 voor hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Avg Antivirus] C:\WINDOWS\system32\icpldrvx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Manager for Skype.lnk = C:\Program Files\Manager for Skype\ManagerForSkype.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

juisterr · **27-09-2006, 18:39**

Citaat:

Ske* schreef op 27-09-2006 @ 07:24 :
Nu eens een persoonlijk berichtje hé

Ik ben echt heel tevreden! Nu al 3 dagen geen last meer, en mijn pc heeft nog nooit zo vlot gedraaid. Hij start in een minimumtijd op enzo.

Echt bedankt Juisterr!

houd hem schoon he, als je weer problemen hebt meld je je maar weer.

juisterr · **27-09-2006, 18:49**

Polichinelle

Je hebt geen enkele windows update, zelfs geen sp1 , je vraagt letterlijk om moeilijkheden, je systeem is zo lek als een mandje.
Eerst maar de rommel weg, we beginnen met de combofix.

Download Combofix naar je Bureaublad.

Dubbelklik Combofix.exe
Volg de instructies, aanvaard de disclaimer door "y" of "Y" te typen.
Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.

Wanneer de fix voltooid is en na herstart, zal de log combofix.txt openen.
Plaats deze log in je volgende post samen met een nieuw HijackThis log.

NOTA: Indien je virusscanner reageert met een melding van een scriptuitvoering, mag je dit negeren.

juisterr · **27-09-2006, 18:57**

antwoord aan SMG

Ga naar Configuratiescherm - Software - Programma's wijzigen of verwijderen. Deïnstalleer MSN Messenger.
(Deze is geïnfecteerd met een worm. Later, wanneer de computer clean is, kan je deze weer installeren.)
Deïnstalleer ook Command Service en Network Monitor.

Download Brute Force Uninstaller: http://www.merijn.org/files/bfu.zip
Unzip/pak het uit naar zijn eigen map op je C:\ (c:\BFU).
Lees hier hoe je op de juiste wijze moet unzippen/uitpakken:
http://home.planet.nl/~kleyn080/unzippenXPuitleg.html

Dubbelklik op BFU.exe om the Brute Force Uninstaller te starten.

Naast 'scriptfile to execute'-venster zal je een klein icoontje zien:

Klik op dat icoontje en een nieuw venster zal openen.
Bovenaan zie je staan: 'Please enter the full URL to the script you want to execute'
In het venster kopieer en plak je volgende url:
http://home.planet.nl/~kleyn080/alcanshorty.bfu

Klik op OK
Daarna klik je op execute in Brute Force Uninstaller.

Wacht tot je de boodschap complete script execution te zien krijgt en klik daarna op OK.
Klik exit om het programma te beeïndigen.

Download combofix.exe: http://download.bleepingcomputer.com/sUBs/combofix.exe
Plaats het op je bureaublad.
Dubbelklik er op om het programma te starten.
In het scherm dat verschijnt tik je een Y in om het cleaningsprocess te starten.
Volg de instructies op het scherm.
Als het tooltje klaar is, opent er een logfile (combofix.txt) Post de inhoud van dit bestandje samen met een nieuwe hijackthislog.

~SmG~ · **27-09-2006, 22:06**

Dit is vast een domme vraag, maar waar kan ik Network Monitor en Command Service vinden? Het staat in ieder geval niet bij software.

juisterr · **28-09-2006, 17:14**

Citaat:

~SmG~ schreef op 27-09-2006 @ 23:06 :
Dit is vast een domme vraag, maar waar kan ik Network Monitor en Command Service vinden? Het staat in ieder geval niet bij software.

zoeken met verkenner??

~SmG~ · **28-09-2006, 17:22**

Citaat:

juisterr schreef op 28-09-2006 @ 18:14 :
zoeken met verkenner??

Had ik al geprobeert, maar blijkbaar deed ik toen iets fout. Heb het nu wel gevonden en zal het verwijderen. Bedankt!

Edit: Hmm ik kan Command Service er niet vinden. Network Service wel.

freyk · **29-09-2006, 08:55**

Het blijkt dat er meer mensen op die .pif url hebben geklikt.
Er werd aangeraden om nod32 te installeren om deze griezel te desinfecteren.
Dus ~SmG~ en *ske, kijk eens of het daarmee ook kan.

juisterr · **30-09-2006, 15:25**

Serflog is wel een "msn-worm", maar is zeker niet nieuw.

Op PcHelper werd in een topic gemeld dat de bekende antivirusprogramma's de worm inmiddels ook verwijderen.

de eigenlijke msnmsgr.exe wordt gewoon hernoemt naar msn.exe of msgs.exe. Daarna wordt de slechte msnmsgr.exe gekopieert naar de MSN Messenger map. Dus de legit msnmsgr.exe wordt dus niet besmet, maar gewoon hernoemt.
Dus in principe is het niet echt nodig om MSN Messenger te deïnstalleren en te verwijderen. Gewoon de msnmsgr.exe verwijderen en MSN.exe of msgs.exe terug hernoemen naar msnmsgr.exe.

Doch, bovenstaande instructies kunnen nogal verwarrend zijn voor sommige users, dus is het simpelder om aan te raden om MSN Messenger te deïnstalleren en daarna de MSN Messenger map te verwijderen. Zo ben je er zeker van dat het weg is, in plaats van dat ze zitten te prutsen met hernoemen.

probeer de fix verder te volgen en plaats daarna een vers HJT logje aub.

NOD32 is een goeie scanner, als je ermee scant doe dat dan in veilige modus.

~SmG~ · **03-10-2006, 17:08**

Dit kreeg ik met combofix.exe:
((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))

2006-09-25 19:18 1,294,336 --a------ C:\WINDOWS\system32\icpldrvx.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-19 18:08 -------- d-------- C:\Program Files\Yahoo!
2006-09-05 19:21 -------- d-------- C:\Program Files\BitComet
2006-09-01 21:29 -------- d-------- C:\Program Files\Samsung
2006-08-21 14:28 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltMc.exe
2006-08-21 11:14 128896 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-08-15 16:34 -------- d-------- C:\Documents and Settings\schievink\Application Data\HP
2006-08-15 16:29 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-08-15 16:28 -------- d-------- C:\Program Files\Common Files\HP
2006-08-15 16:24 -------- d-------- C:\Program Files\Hewlett-Packard
2006-08-15 16:21 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-08-15 16:13 -------- d-------- C:\Program Files\HP
2006-08-15 14:08 -------- d-------- C:\Program Files\Manager for Skype
2006-08-15 13:59 -------- d-------- C:\Documents and Settings\schievink\Application Data\Skype
2006-08-13 12:45 -------- d-------- C:\Documents and Settings\schievink\Application Data\AdobeUM
2006-08-13 12:11 -------- d-------- C:\Documents and Settings\schievink\Application Data\CyberLink
2006-08-06 10:39 -------- d-------- C:\Documents and Settings\schievink\Application Data\Sun
2006-07-27 15:26 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:29 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\\Windows\\RUNXMLPL.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.E XE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SoundMan"="SOUNDMAN.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"PCMService"="\"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe\""
"LaunchAp"="\"C:\\Program Files\\Launch Manager\\LaunchAp.exe\""
"LManager"="\"C:\\Program Files\\Launch Manager\\HotkeyApp.exe\""
"CtrlVol"="\"C:\\Program Files\\Launch Manager\\CtrlVol.exe\""
"LMgrOSD"="\"C:\\Program Files\\Launch Manager\\OSDCtrl.exe\""
"Wbutton"="\"C:\\Program Files\\Launch Manager\\Wbutton.exe\""
"EPM-DM"="c:\\acer\\Empowering Technology\\ePower\\epm-dm.exe"
"Acer ePower Management"="C:\\Acer\\Empowering Technology\\ePower\\Acer ePower Management.exe boot"
"eRecoveryService"="C:\\Acer\\Empowering Technology\\eRecovery\\Monitor.exe"
"ADMTray.exe"="\"C:\\Acer\\Empowering Technology\\admtray.exe\""
"eDataSecurity Loader"="C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSloader.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"Avg Antivirus"="C:\\WINDOWS\\system32\\icpldrvx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Optio nalComponents]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Optio nalComponents\IMAIL]
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Optio nalComponents\MAPI]
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Optio nalComponents\MSFS]
@=""
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,0 0,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,f f,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,0 0,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\e xplorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\e xplorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies \explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServ iceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - schievink.job

Completion time: Tue 03-10-2006 18:03:49.01
ComboFix.txt

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:06:35, on 3-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\icpldrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Manager for Skype\ManagerForSkype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\SCHIEV~1\LOCALS~1\Temp\Tijdelijke map 1 voor hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Avg Antivirus] C:\WINDOWS\system32\icpldrvx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Manager for Skype.lnk = C:\Program Files\Manager for Skype\ManagerForSkype.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Ik kon command service niet vinden, ook niet met zoeken dus die heb ik niet verwijderd.
Juisterr bedankt voor de info.

-SoloWolf- · **03-10-2006, 17:31**

He mensen, na een lange tijd me pc schoon te hebben gehad is er toch iets fout gegaan

hier het hijack log

Citaat:

Logfile of HijackThis v1.99.1
Scan saved at 18:30:59, on 3-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iMediaCodec\isamonitor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iMediaCodec\pmsngr.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\NVATray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iMediaCodec\pmmon.exe
C:\Program Files\iMediaCodec\isamini.exe
C:\Program Files\Hitman Pro\srhelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\FAMILI~1\LOCALS~1\Temp\Rar$EX03.047\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\iMediaCodec\isaddon.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VirusBurster] C:\Program Files\VirusBurster\virusburster.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Hitman Pro\surfright.exe" "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157312328557
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata...PSUploader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.hema.nl/SITE/xupload/XUpload.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\system32\httge.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

juisterr · **03-10-2006, 20:26**

Antwoord aan ~SmG~

Download KillBox! en pak het uit naar je bureaublad.

Selecteer de onderstaande, vetgedrukte regels, door de linker muisknop ingedrukt te houden en van links boven naar rechts beneden te bewegen (het veld wordt blauw):

2006-09-25 19:18 1,294,336 --a------ C:\WINDOWS\system32\icpldrvx.exe

Klik met je rechtermuisknop in het blauwe veld en vervolgens op kopiëren
[*] Start KillBox! door te dubbelklikken op het killbox icoontje [*] Open options in het killbox menu en selecteer auto parse [*] Open file in het killboxmenu bovenaan en kies: Paste from clipboard [*] Het vetgedrukte, dat je hebt geselecteerd en gekopiëerd, zal nu verschijnen in het veld bij
Full Path of File to Delete. (Controleer dit eventueel door te klikken op het pijltje naast dat veld)
Files die niet (meer) bestaan worden door killbox niet weergegeven [*] kies de optie ('s) Delete on reboot en unregister dll's before deleting. [*] Klik op de knop All files. [*] Klik op de rode cirkel met het wit kruisje erin. [*] Killbox! zal zeggen dat deze bestanden zullen verwijderd worden on reboot.. Klik YES [*] Wanneer Killbox! vraagt om nu te rebooten, klik je op YES. [*] Als je volgende boodschap krijgt: PendingFileRenameOperations Registry Data has been Removed by External Process!
dan zal je handmatig moeten herstarten.[/list]
Killbox zal nu je PC herstarten
Killbox zal nu je PC herstarten
Verwijder na de herstart de map C:\!Killbox
Leeg daarna de prullenbak

Zet je HJT in een eigen mapje waar het nu staat maakt hij geen goede backups.
Dus maak een map aan op je C schijf, bv. C:\HJT en unzip het programma HJT daar naar toe en werk dan vanuit die map.

Start HJT opnieuw en vink onderstaande regel aan en sluit alle vensters behalve HJT en klik op fix checked.
O4 - HKLM\..\Run: [Avg Antivirus] C:\WINDOWS\system32\icpldrvx.exe

Verwijder via verkenner het vetgedrukte bestand.
C:\WINDOWS\system32\icpldrvx.exe

Download Dr.Web CureIt naar je Bureaublad:

Dubbelklik drweb-cureit.exe Klik op udate
Na de update verschijnt er een nieuw icoontje op je buroblad "CureIt.exe" dubbelklik het en klik op Scan, sta het toe om de express scan te starten.
Dit zal de bestanden scannen die momenteel in het geheugen geladen zijn en wanneer er iets gevonden wordt,
klik de Yes to all knop bij de vraag 'cure it?'. Dit is enkel een korte scan.
Eenmaal de korte scan is beeïndigd, kan je de drives selecteren die je wilt laten scannen.
Selecteer hier alle drives. Een rood bolletje zal dan tevoorschijn komen op de drives die je laat scannen.
Klik daarna de groene pijl rechts om de scan te starten.
Klik Yes to all wanneer er gevraagd wordt om cure of move uit te voeren.
Wanneer de scan beëindigd is, kijk of je kunt op het icoontje naast de gevonden bestanden klikken:
Indien ja,klik er op en klik vervolgens op het icoontje er juist onder en selecteer Move incurable zoals je hier ziet:

Dit verplaatst gevonden bestanden naar de "%userprofile%\DoctorWeb\quarantaine-map" indien herstel niet mogelijk is.
Nadat de scan gedaan is, in het menu bovenaan, klik File en kies Save report List. Bewaar het op je Bureaublad.
Sluit daarna Dr.Web Cureit.
Herstart je computer!! Belangrijke stap, want het kan zijn dat Dr.Web Cureit bestanden zal verplaatsen/verwijderen tijdens herstart.
Na het herstarten, kopieer en plak de inhoud van die log die je eerder hebt bewaard in je volgende post.

juisterr · **03-10-2006, 20:34**

Hee -SoloWolf- was je daar weer, je hebt spyware-quake opgelopen, een smitfraud variant.

1. Download SmitfraudFix (vanS!Ri), en pak het uit op je bureaublad.

2. Print onderstaande instrukties uit of kopieer ze naar een .txt bestand.
Dit, omdat de rest van de fix in veilige modus is en je hier dus niet meer kan terugzoeken.

3. Start op in Veilige modus

4. Open de map smitfraudfix en dubbelklik op smitfraudfix.cmd

* Kies optie #2 - Clean door2 te typen, en druk op "Enter" om de
geïnfecteerde bestanden te verwijderen.

Je zal een vraag krijgen: ""Registry cleaning - Do you want to clean the registry ?"
* Antwoord "yes" door y te typen en druk op "Enter".
(Als je pc daarna niet herstart, start hem dan handmatig terug op in normale modus)

Het tooltje zal nu onderzoeken of wininet.dll geïnfecteerd is. Je kan dus de vraag krijgen of je
het geïnfecteerde bestandje wil vervangen.
*Antwoord dan "yes" door y te typen en druk op "Enter".

Het kan zijn dat het tooltje je pc opnieuw laat opstarten om zijn werk te kunnen afmaken.
* Als dat niet zo is, start je pc dan handmatig opnieuw op in normale modus.

Er zal een tekstbestandje openen met de resultaten van de fix.

5. Post de inhoud van dit bestandje in je volgende antwoord,
samen met een Hijackthis-logje.
(Je kan het rapport ook vinden in c:\rapport.txt)

vervolgens.

Download Combofix naar je Bureaublad.

Dubbelklik Combofix.exe
Volg de instructies, aanvaard de disclaimer door "y" of "Y" te typen.
Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.

Wanneer de fix voltooid is en na herstart, zal de log combofix.txt openen.
Plaats deze log in je volgende post samen met een nieuw HijackThis log.

NOTA: Indien je virusscanner reageert met een melding van een scriptuitvoering, mag je dit negeren.

Elite! · **04-10-2006, 10:10**

Sinds er vlakbij ons huis bliksem insloeg heb ik problemen met me rauter. Als 2 comps aanstaan met internet heeft hij opeens een ip conflict

iemand een idee wat ik hier aan moet doen?

-SoloWolf- · **04-10-2006, 21:15**

SFF report

Citaat:

SmitFraudFix v2.104

Scan done at 22:03:26,09, wo 04-10-2006
Run from C:\Documents and Settings\Familia Pitoy\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ SharedTaskScheduler]
"{7be183d2-a42d-4915-bf60-ec86fbf002cf}"="horologium"

[HKEY_CLASSES_ROOT\CLSID\{7be183d2-a42d-4915-bf60-ec86fbf002cf}\InProcServer32]
@="C:\WINDOWS\system32\httge.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7be183d2-a42d-4915-bf60-ec86fbf002cf}\InProcServer32]
@="C:\WINDOWS\system32\httge.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\httge.dll -> Hoax.Win32.Renos.gen.e
C:\WINDOWS\system32\httge.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\FAMILI~1\MENUST~1\VirusBurster 6.2.lnk Deleted
C:\DOCUME~1\FAMILI~1\MENUST~1\PROGRA~1\VirusBurster Deleted
C:\DOCUME~1\ALLUSE~1\MENUST~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\MENUST~1\Security Troubleshooting.url Deleted
C:\Program Files\iMediaCodec\ Deleted
C:\Program Files\VirusBurster\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

En de 1e hijackthis

Citaat:

Logfile of HijackThis v1.99.1
Scan saved at 22:08:18, on 4-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\NVATray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hitman Pro\srhelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\FAMILI~1\LOCALS~1\Temp\Rar$EX00.141\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Hitman Pro\surfright.exe" "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157312328557
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata...PSUploader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.hema.nl/SITE/xupload/XUpload.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

combofix

Citaat:

Familia Pitoy - 06-10-04 22:10:57.35 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Familia Pitoy\Bureaublad"

((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 ))))))))))))))))))))))))))))))))))

2006-10-04 22:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-04 22:03 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-04 22:03 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-04 22:03 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-03 13:06 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-10-03 13:05 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-03 13:03 78,336 --a------ C:\WINDOWS\system32\drivers\ssi.sys
2006-10-03 13:03 102,912 --a------ C:\WINDOWS\system32\islzma.dll
2006-10-03 12:55 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2006-10-01 15:38 778,656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-01 15:38 4,992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-01 15:38 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-01 15:38 27,904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-01 15:38 23,104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-01 11:55 298,496 --a------ C:\WINDOWS\uninst.exe
2006-10-01 11:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-09-26 20:28 987,136 --a------ C:\WINDOWS\system32\liboggvorbis-1.0.0.dll
2006-09-26 20:28 696,832 --a------ C:\WINDOWS\system32\libmcl-2.8.0.dll
2006-09-26 20:28 69,120 --a------ C:\WINDOWS\system32\libmpeg2-enc-1.2.5.dll
2006-09-26 20:28 427,008 --a------ C:\WINDOWS\system32\libimg-2.2.9.dll
2006-09-26 20:28 20,480 --a------ C:\WINDOWS\system32\libavi-dd-1.1.1.dll
2006-09-26 20:28 1,036,800 --a------ C:\WINDOWS\system32\libmpeg-1.0.0.dll
2006-09-23 22:40 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-09-23 22:40 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-09-23 22:40 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-09-18 22:20 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll
2006-09-18 22:20 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll
2006-09-18 22:20 65,536 --a------ C:\WINDOWS\system32\mplapx.dll
2006-09-18 22:20 65,536 --a------ C:\WINDOWS\system32\mplam6.dll
2006-09-18 22:20 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2006-09-18 22:20 594,450 --a------ C:\WINDOWS\system32\x264vfw.dll
2006-09-18 22:20 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2006-09-18 22:20 39,936 --a------ C:\WINDOWS\system32\huffyuv.dll
2006-09-18 22:20 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2006-09-18 22:20 217,088 --a------ C:\WINDOWS\system32\i420vfw.dll
2006-09-18 22:20 144,384 --a------ C:\WINDOWS\system32\Iacenc.dll
2006-09-18 22:19 90,112 --a------ C:\WINDOWS\system32\dpl100.dll
2006-09-18 22:19 856,064 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-09-18 22:19 620,180 --a------ C:\WINDOWS\system32\divx.dll
2006-09-18 22:19 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2006-09-18 22:19 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-09-18 22:19 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-09-18 22:19 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-09-18 22:19 217,088 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-09-18 22:19 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-09-18 22:19 200,704 --a------ C:\WINDOWS\system32\dtu100.dll
2006-09-18 22:19 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2006-09-18 22:19 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
2006-09-18 22:19 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-09-18 22:00 413,760 --a------ C:\WINDOWS\system32\MPG4C32.DLL
2006-09-14 09:04 360,256 -ra------ C:\WINDOWS\system32\drivers\ar5523.sys
2006-09-11 12:33 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-09-11 12:27 13,567 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2006-09-11 12:26 106,496 --a------ C:\WINDOWS\system32\FPXS2Pro.dll
2006-09-11 12:24 274,432 --a------ C:\WINDOWS\system32\FFTIFF16.dll
2006-09-11 12:24 155,648 --a------ C:\WINDOWS\system32\FFRAFLIB.DLL
2006-09-11 12:22 81,924 --------- C:\WINDOWS\system32\drivers\VC4CB104.SYS
2006-09-11 12:22 69,632 --------- C:\WINDOWS\system32\FREGSHEX.DLL
2006-09-11 12:22 65,536 --------- C:\WINDOWS\system32\FINFCHECK.dll
2006-09-11 12:22 45,056 --------- C:\WINDOWS\system32\FINFCOPY.dll
2006-09-11 12:22 45,056 --------- C:\WINDOWS\system32\FCLKBTN.DLL
2006-09-08 03:47 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-09-08 03:33 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-09-04 14:37 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-09-04 14:37 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-09-04 14:37 66,560 --a------ C:\WINDOWS\system32\mtxclu.dll
2006-09-04 14:37 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-09-04 14:37 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-09-04 14:37 581,120 --a------ C:\WINDOWS\system32\rpcrt4.dll
2006-09-04 14:37 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-09-04 14:37 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-09-04 14:37 397,824 --a------ C:\WINDOWS\system32\rpcss.dll
2006-09-04 14:37 243,200 --a------ C:\WINDOWS\system32\es.dll
2006-09-04 14:37 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-09-04 14:37 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-09-04 14:37 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-09-04 14:37 101,376 --a------ C:\WINDOWS\system32\txflog.dll
2006-09-04 14:37 1,284,608 --a------ C:\WINDOWS\system32\ole32.dll
2006-09-04 14:37 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-09-04 14:36 77,312 --a------ C:\WINDOWS\system32\browser.dll
2006-09-04 14:36 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2006-09-04 14:36 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2006-09-04 14:36 332,288 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-09-04 14:28 241,152 --a------ C:\WINDOWS\system32\srrstr.dll
2006-09-04 14:26 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-04 22:08 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-04 19:19 -------- d-------- C:\Program Files\MP3 Player Utilities 3.68
2006-10-03 16:04 -------- d-------- C:\Program Files\Hitman Pro
2006-10-03 13:21 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-03 13:09 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-03 13:05 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\PC Tools
2006-10-03 13:03 -------- d-------- C:\Program Files\Webroot
2006-10-03 13:03 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Webroot
2006-10-01 15:39 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\AVG7
2006-10-01 15:38 -------- d-------- C:\Program Files\Grisoft
2006-10-01 15:37 -------- d---s---- C:\Documents and Settings\Familia Pitoy\Application Data\Microsoft
2006-10-01 15:07 -------- d-------- C:\Program Files\Lavasoft
2006-10-01 15:07 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Lavasoft
2006-10-01 11:47 -------- d-------- C:\Program Files\Black Isle
2006-09-29 23:33 -------- d-------- C:\Program Files\Google
2006-09-29 13:16 -------- d-------- C:\Program Files\Show.kit 2.1
2006-09-29 12:59 -------- d-------- C:\Program Files\EwisoftWeb
2006-09-27 19:04 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Adobe
2006-09-27 19:02 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-27 19:02 -------- d-------- C:\Program Files\Common Files
2006-09-27 18:58 -------- d-------- C:\Program Files\Adobe
2006-09-26 17:45 -------- d-------- C:\Program Files\Kruidvat - Fotoservice
2006-09-23 22:39 -------- d-------- C:\Program Files\America's Army Server Manager
2006-09-23 22:23 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-23 12:23 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Apple Computer
2006-09-23 11:57 -------- d-------- C:\Program Files\QuickTime
2006-09-22 19:59 -------- d-------- C:\Program Files\TetriNet2
2006-09-22 17:02 -------- d-------- C:\Program Files\FinePixViewer
2006-09-19 21:06 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Media Player Classic
2006-09-18 22:19 -------- d-------- C:\Program Files\K-Lite Codec Pack
2006-09-18 21:57 -------- d-------- C:\Program Files\DivX_311alpha
2006-09-18 21:55 -------- d-------- C:\Program Files\GustoSoft
2006-09-18 18:12 -------- d-------- C:\Program Files\GrabIt
2006-09-18 17:58 -------- d-------- C:\Program Files\Shareaza Turbo Accelerator
2006-09-11 20:49 -------- d-------- C:\Program Files\Messenger
2006-09-11 20:49 -------- d-------- C:\Program Files\Internet Explorer
2006-09-11 20:48 -------- d-------- C:\Program Files\Windows Media Player
2006-09-11 20:46 -------- d-------- C:\Program Files\Outlook Express
2006-09-11 20:46 -------- d-------- C:\Program Files\Common Files\System
2006-09-11 17:52 -------- d-------- C:\Program Files\7-Zip
2006-09-11 12:35 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\FUJIFILM
2006-09-11 12:27 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-11 12:27 -------- d-------- C:\Program Files\PIXELA
2006-09-11 12:22 -------- d-------- C:\Program Files\REGSHAVE
2006-09-08 13:29 -------- d-------- C:\Program Files\MSN Messenger
2006-09-08 03:57 -------- d-------- C:\Program Files\Movie Maker
2006-09-08 03:53 -------- d-------- C:\Program Files\Windows NT
2006-09-08 03:53 -------- d-------- C:\Program Files\NetMeeting
2006-09-08 03:16 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Xfire
2006-09-08 03:15 -------- d-------- C:\Program Files\WinRAR
2006-09-07 23:21 -------- d---s---- C:\Program Files\Xfire
2006-09-07 21:25 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Macromedia
2006-09-03 21:40 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Mozilla
2006-09-03 21:39 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-02 15:33 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Help
2006-09-02 15:28 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-09-02 15:28 -------- d-------- C:\Program Files\Common Files\ODBC
2006-09-02 15:27 62 --ahs---- C:\Documents and Settings\Familia Pitoy\Application Data\desktop.ini
2006-09-02 15:25 -------- d-------- C:\Program Files\support.com
2006-09-02 14:54 -------- d-------- C:\Program Files\microsoft frontpage
2006-09-02 14:54 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-02 14:52 -------- d-------- C:\Program Files\Hewlett-Packard
2006-09-02 14:51 -------- d-------- C:\Program Files\hp deskjet 5550 series
2006-09-02 14:39 -------- d-------- C:\Program Files\ahead
2006-09-02 14:10 -------- d-------- C:\Program Files\AvRack
2006-09-02 14:10 -------- d-------- C:\Program Files\Avance Sound Manager
2006-09-02 14:07 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-02 14:07 -------- d-------- C:\Documents and Settings\Familia Pitoy\Application Data\Identities
2006-09-02 13:48 0 -rahs---- C:\MSDOS.SYS
2006-09-02 13:48 0 -rahs---- C:\IO.SYS
2006-09-02 13:48 0 --a------ C:\CONFIG.SYS
2006-09-02 13:48 0 --a------ C:\AUTOEXEC.BAT
2006-09-02 13:48 -------- d-------- C:\Program Files\xerox
2006-09-02 13:46 -------- d-------- C:\Program Files\Online Services
2006-09-02 13:45 -------- d-------- C:\Program Files\Common Files\Services
2006-09-02 13:44 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-02 13:44 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-09-02 13:43 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-02 13:43 -------- d-------- C:\Program Files\MSN
2006-08-21 14:28 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 11:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-07-27 15:26 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:29 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MsnMsgr"="\"C:\\Program Files\\Hitman Pro\\surfright.exe\" \"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Hitman Pro SurfRight Helper"="\"C:\\Program Files\\Hitman Pro\\srhelper.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe"
"SoundMan"="soundman.exe"
"NVIDIA nForce APU1 Utilities"="NVATray.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.e xe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\e xplorer]
"NoDriveTypeAutoRun"=dword:0000009d

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\e xplorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ explorer\run]
"isamonitor.exe"="C:\\Program Files\\iMediaCodec\\isamonitor.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies \explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServ iceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Completion time: 06-10-04 22:11:48.00
ComboFix.txt

en hijack this daarna

Citaat:

Logfile of HijackThis v1.99.1
Scan saved at 22:12, on 06-10-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\NVATray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hitman Pro\srhelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\FAMILI~1\LOCALS~1\Temp\Rar$EX00.500\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Hitman Pro\surfright.exe" "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157312328557
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata...PSUploader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.hema.nl/SITE/xupload/XUpload.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

**05-10-2006, 22:56**

Citaat:

The Dosh schreef op 04-10-2006 @ 11:10 :
Sinds er vlakbij ons huis bliksem insloeg heb ik problemen met me rauter. Als 2 comps aanstaan met internet heeft hij opeens een ip conflict iemand een idee wat ik hier aan moet doen?

Router terugbrengen en nieuwe vragen (mits binnen garantie). Je kunt ook proberen om de firmware te updaten.
Maar je vraag heeft echt geen drol met spy-, adware en virussen te maken. Ik denk dat je beter een eigen topic kunt openen

Elite! · **06-10-2006, 15:25**

Citaat:

vlep`un schreef op 05-10-2006 @ 23:56 :
Router terugbrengen en nieuwe vragen (mits binnen garantie). Je kunt ook proberen om de firmware te updaten.
Maar je vraag heeft echt geen drol met spy-, adware en virussen te maken. Ik denk dat je beter een eigen topic kunt openen

ja sry ik lees meestal de dingen hier dus per ongeluk hie rgepost ipv bij hardware. mijn excuses

juisterr · **06-10-2006, 18:52**

Hai solowolf,

Gaat het al beter met je pc??

Download Dr.Web CureIt naar je Bureaublad:

Dubbelklik drweb-cureit.exe Klik op udate
Na de update verschijnt er een nieuw icoontje op je buroblad "CureIt.exe" dubbelklik het en klik op Scan, sta het toe om de express scan te starten.
Dit zal de bestanden scannen die momenteel in het geheugen geladen zijn en wanneer er iets gevonden wordt,
klik de Yes to all knop bij de vraag 'cure it?'. Dit is enkel een korte scan.
Eenmaal de korte scan is beeïndigd, kan je de drives selecteren die je wilt laten scannen.
Selecteer hier alle drives. Een rood bolletje zal dan tevoorschijn komen op de drives die je laat scannen.
Klik daarna de groene pijl rechts om de scan te starten.
Klik Yes to all wanneer er gevraagd wordt om cure of move uit te voeren.
Wanneer de scan beëindigd is, kijk of je kunt op het icoontje naast de gevonden bestanden klikken:
Indien ja,klik er op en klik vervolgens op het icoontje er juist onder en selecteer Move incurable zoals je hier ziet:

Dit verplaatst gevonden bestanden naar de "%userprofile%\DoctorWeb\quarantaine-map" indien herstel niet mogelijk is.
Nadat de scan gedaan is, in het menu bovenaan, klik File en kies Save report List. Bewaar het op je Bureaublad.
Sluit daarna Dr.Web Cureit.
Herstart je computer!! Belangrijke stap, want het kan zijn dat Dr.Web Cureit bestanden zal verplaatsen/verwijderen tijdens herstart.
Na het herstarten, kopieer en plak de inhoud van die log die je eerder hebt bewaard in je volgende post.

samen met een HJt logje aub.

bvd
Juisterr

Soortgelijke topics
Forum	Topic	Reacties	Laatste bericht
Software & Hardware	Centraal spyware, adware & virussen topic [5] M@rco	499	26-03-2008 13:10

17-09-2006, 11:39
polichinelle	Dat stukje wat onder 'zelf verwijderen staat' heb ik al uitgevoerd maar dat krijgt het niet weg. __________________ i was everything you wanted until i quit

23-09-2006, 15:59
Ske*	Nadat mijn broer iets aangeklikt had op zijn msn venster, krijg ik nu voortdurend (zoiets van 1x minuut) een nieuw venster met reclame. Ik heb Hitman Pro laten lopen maar er is geen veranderen. Wat nu? __________________ Lang , mijn systeembeheerder \| www.google.be \| Aspire 3020

23-09-2006, 16:17
Ske*	kan het zijn dat ik o.a. C:\nwnmff_e12.exe C:\kybrdff_e12.exe moet verwijderen? __________________ Lang , mijn systeembeheerder \| www.google.be \| Aspire 3020

23-09-2006, 19:18
freyk	O.a wel ja. Zie ook ff mijn antwoord in msn virus __________________ "Typefouten zijn gratis" \| "Daar is vast wel een knopje voor" \| "Ik weet, want ik zoek" \| Powered by Firefox, Chromium, Mac OS X, OpenSuse, and Google.

24-09-2006, 15:43
freyk	Tip: gebruik "bestandnaam.extensie" als zoekwoord voor google. Met CTSVCCDA.EXE, vind je dan iets. Bij update.exe is altijd de locatie van dit bestand belangrijk. __________________ "Typefouten zijn gratis" \| "Daar is vast wel een knopje voor" \| "Ik weet, want ik zoek" \| Powered by Firefox, Chromium, Mac OS X, OpenSuse, and Google.

24-09-2006, 20:42
Ske*	jah m@rco ik nog s : deze file O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2ltb24\command.exe vink ik aan en doe ik scan en fix en blijft dan toch nog tussen de lijst zitten __________________ Lang , mijn systeembeheerder \| www.google.be \| Aspire 3020

26-09-2006, 19:35
freyk	Ik zou nog ff het volgende fixen en verwijderen: O21 - SSODL: imputable - {6570b782-1a41-4053-b2c9-12c7fcf0d84d} - C:\WINDOWS\system32\duxzj.dll __________________ "Typefouten zijn gratis" \| "Daar is vast wel een knopje voor" \| "Ik weet, want ik zoek" \| Powered by Firefox, Chromium, Mac OS X, OpenSuse, and Google.

26-09-2006, 21:26
juisterr	Ziet er goed uit ske* problemen ook over? __________________ Alles is betrekkelijk. Proud member of ASAP

27-09-2006, 06:24
Ske*	Nu eens een persoonlijk berichtje hé Ik ben echt heel tevreden! Nu al 3 dagen geen last meer, en mijn pc heeft nog nooit zo vlot gedraaid. Hij start in een minimumtijd op enzo. Echt bedankt Juisterr! __________________ Lang , mijn systeembeheerder \| www.google.be \| Aspire 3020

27-09-2006, 22:06
~SmG~	Dit is vast een domme vraag, maar waar kan ik Network Monitor en Command Service vinden? Het staat in ieder geval niet bij software. __________________ If the apocalypse comes, beep me.

Advertentie

29-09-2006, 08:55
freyk	Het blijkt dat er meer mensen op die .pif url hebben geklikt. Er werd aangeraden om nod32 te installeren om deze griezel te desinfecteren. Dus ~SmG~ en *ske, kijk eens of het daarmee ook kan. __________________ "Typefouten zijn gratis" \| "Daar is vast wel een knopje voor" \| "Ik weet, want ik zoek" \| Powered by Firefox, Chromium, Mac OS X, OpenSuse, and Google.

04-10-2006, 10:10
Elite!	Sinds er vlakbij ons huis bliksem insloeg heb ik problemen met me rauter. Als 2 comps aanstaan met internet heeft hij opeens een ip conflict iemand een idee wat ik hier aan moet doen? __________________ Als je iets niet ziet, wil dat niet zeggen dat het er niet is...