#1
Wished level of difficulty at answer: 3. Medium
Operating System: Windows XP Home/Pro
Posts: 9

Buffer overflow / Service.exe

I too have the problem that my computer (Pentium 4, Windows XP Home) shuts down after startup. My virus scanner (McAfee), once it has started, reports a buffer overflow in the file services.exe. I also read the previous thread and tried the solutions, but ran into the problem that I could not update Adaware and Spybot S&D: since I can only boot in safe mode (in normal mode it shuts down, after all), I cannot bring up the internet connection. So at the moment I am working from my laptop. I have meanwhile run the programs DrWeb-Cureit and SDfix, which removed several Trojans, but the problem is still there. I am now running HijackThis from safe mode and get the following logs:

I hope one of you can see where the problem lies. So far (three and a half days of puzzling) I have not been able to figure it out.

#2
Security Expert
Wished level of difficulty at answer: 5. Expert
Operating System: Windows Vista Ultimate
Antivirus: Ms Security Essentials
Firewall: Windows Firewall
Posts: 33,007
Blog Entries: 2

Download Combofix to your desktop.
Double-click combofix.exe. Follow the instructions. While the fix is running, do NOT click in the window, as this will cause your PC to hang. When the fix has finished and after the restart, the log combofix.txt will open. Post this log in your next post together with a HijackThis log.

Regards, smeenk
Signature of smeenk:

#3
Wished level of difficulty at answer: 3. Medium
Operating System: Windows XP Home/Pro
Posts: 9

That's fast, I'll try it right away,
thank you

#4
Wished level of difficulty at answer: 3. Medium
Operating System: Windows XP Home/Pro
Posts: 9

It reported detection of the Rustock rootkit and is now rebooting.
I can see the scan start during boot in normal mode. McAfee loads completely, but I now get a message that a new network has been found (gateway 192.168.1.1), though I believe that is my own network. Then a McAfee message about a registry change (which I cannot get to right now), followed by the normal Windows shutdown procedure and another reboot in normal mode. Find3M is now producing its log report (and I again get the McAfee message about the newly found network, but I am leaving that alone).

Combofix.txt:

And the HijackThis log:

What I notice is that my Mozilla Firefox shortcut has disappeared from the desktop. Did that have something to do with the problem?

Last edited by 2139; 23-05-2007 at 22:16.

#5
Security Expert
Wished level of difficulty at answer: 5. Expert
Operating System: Windows Vista Ultimate
Antivirus: Ms Security Essentials
Firewall: Windows Firewall
Posts: 33,007
Blog Entries: 2

Just try normal mode; if that doesn't work, go back to safe mode and report what the situation is.
Signature of smeenk:

#6
Wished level of difficulty at answer: 3. Medium
Operating System: Windows XP Home/Pro
Posts: 9

It was already in normal mode and is working like it used to again, but I'll just restart it once more. It runs like new again. (Only Firefox has been completely removed; it no longer shows up in the software list either.)
Do you now have an idea what caused it? A conflict with Firefox or something? In any case, many thanks for your support. Where should the bouquet of flowers be sent?

Regards, Mario

#7
Security Expert
Wished level of difficulty at answer: 5. Expert
Operating System: Windows Vista Ultimate
Antivirus: Ms Security Essentials
Firewall: Windows Firewall
Posts: 33,007
Blog Entries: 2

So there was a rootkit on it, and it was removed by Combofix.
I can't explain the Firefox issue; just try reinstalling it.
Signature of smeenk:

#8
Wished level of difficulty at answer: 3. Medium
Operating System: Windows XP Home/Pro
Posts: 9

Will do. Thanks again.

#9
Security Expert
Wished level of difficulty at answer: 5. Expert
Operating System: Windows Vista Ultimate
Antivirus: Ms Security Essentials
Firewall: Windows Firewall
Posts: 33,007
Blog Entries: 2

You're welcome.
Just do this as well: Turn off System Restore. Restart the computer. Turn System Restore back on. See here for how to turn off your System Restore. This removes any remnants of the infections from your System Restore.

I am moving your topic to the "Solved HijackThis logs". If you want this topic reopened, send me a "PM".

Regards, smeenk
Signature of smeenk: