-
I have spyware on my computer and can't remove it!
Hello,
My little brother recently opened an e-mail, and a piece of mail/spyware was probably installed on my computer at that point. It concerns the program win spyware protect. I have scanned my computer with mcafee, ad aware 2008 and spyware doctor, but the mail/spyware is still on it.
I hope you can help me.
Kind regards,
Satta
This is my Hijack logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:34:42, on 27-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vi.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: atfxqogp - {9E6CD9DF-5EF9-40F4-84FA-C4842EB1F283} - C:\WINDOWS\atfxqogp.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [advap32] D:\DOCUME~1\Ravish\LOCALS~1\Temp\rbnpsrv.exe/r
O4 - HKLM\..\Run: [e0fe598a] rundll32.exe "C:\WINDOWS\system32\fulvikpv.dll",b
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP OfficeJet T Series Opstartmenu.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204449533890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204455813906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O21 - SSODL: vregfwlx - {576FC564-1ED1-4E7B-A576-B973414AFF6C} - C:\WINDOWS\vregfwlx.dll
O21 - SSODL: KernelMon - {0edb91dc-441e-4a6a-bf46-decb18f48990} - C:\WINDOWS\Resources\KernelMon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor-service (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 11210 bytes
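The reply below picks the bad entries out of this log by eye. As an added example, not part of this thread and not a HijackThis feature, the Python triage pass here applies the same rules of thumb to lines copied from the log above: a registered file that is missing, an O21 SSODL entry, a Run value launched from a Temp directory, a hex-named rundll32 entry, and a name one character away from a system process name. The LOOKALIKE_TARGETS list and the sample lines are this editor's own construction.

```python
import re

# Constructed sample: HijackThis lines copied from the log posted above,
# benign and suspicious ones mixed, so the rules can be checked side by side.
SAMPLE_LOG = r"""
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: atfxqogp - {9E6CD9DF-5EF9-40F4-84FA-C4842EB1F283} - C:\WINDOWS\atfxqogp.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [advap32] D:\DOCUME~1\Ravish\LOCALS~1\Temp\rbnpsrv.exe/r
O4 - HKLM\..\Run: [e0fe598a] rundll32.exe "C:\WINDOWS\system32\fulvikpv.dll",b
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: vregfwlx - {576FC564-1ED1-4E7B-A576-B973414AFF6C} - C:\WINDOWS\vregfwlx.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# Assumed list of system names that malware likes to imitate (ctfmona, advap32
# and antiviirus in this thread are each one character off one of these).
LOOKALIKE_TARGETS = ("ctfmon", "advapi32", "antivirus", "svchost", "explorer", "lsass")

# O4 line: "O4 - <hive>\..\Run: [<name>] <command>"
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of exactly 1 is the 'look-alike name' signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text: str) -> list:
    """Return (line, reasons) pairs for the entries a reviewer should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if "(file missing)" in line:
            reasons.append("registered component whose file is gone (leftover or half-removed)")
        if line.startswith("O21 - SSODL:"):
            reasons.append("ShellServiceObjectDelayLoad autostart, rarely used legitimately; verify the DLL")
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            base = re.sub(r"\.exe$", "", name.lower())
            if re.fullmatch(r"[0-9a-f]{8}", base):
                reasons.append("Run value named with an 8-digit hex string")
            if re.search(r"\\temp\\", cmd, re.I):
                reasons.append("autostart launched from a Temp directory")
            if cmd.lower().startswith("rundll32"):
                reasons.append("rundll32 loading a DLL at logon; check the DLL's origin")
            for target in LOOKALIKE_TARGETS:
                if edit_distance(base, target) == 1:
                    reasons.append(f"name is one character away from '{target}'")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```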
-
Download RVAXO.exe. Save the file to your desktop, double-click it and choose "Unzip" to extract it.
- Start the computer in safe mode.
- Now open the RVAXO folder on your desktop and double-click RunMe.cmd
A cmd window will open, in which a few lines about files not found will quickly scroll past; this is normal.
- An uninstaller for a rogue scanner may also start; do not close it, but follow any instructions and just let it do its job.
- Your PC will then restart; let it start in normal mode again. After the restart the RVAXO cmd window opens again.
Let it run and wait for a log file to open: C:\RVAXO-results.log
- If your computer does not restart by itself, or the tool does not start after the reboot, do this manually.
- Post the contents of the log file in your next message.
Also post the contents of the second log: C:\RVAXO-Vfind.log
-
RVAXO-results
---RVAXO.exe Updated: 2008-05-27---first run---
Uninstallers:
Files found:
C:\WINDOWS\system32\oVuFeMoq.ini2
C:\WINDOWS\boqnrwdmstg.dll
C:\WINDOWS\edwf.exe
C:\WINDOWS\xmpstean.exe
C:\WINDOWS\vregfwlx.dll
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\apunbegy.dll
C:\WINDOWS\system32\clkcnt.txt
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\WLCtrl32.dll
Folders Found:
Hosts-file was reset, If you use a custom hosts file please replace it...
--------------RVAXO.exe last run---------------
Not deleted items:
C:\WINDOWS\system32\WLCtrl32.dll
--------------RVAXO.exe finished----------------
RVAXO-Vfind
======C:\WINDOWS====
----a-w 0 2008-05-27 20:01:59 C:\WINDOWS\0.log
--s-a-w 2,048 2008-05-27 20:00:00 C:\WINDOWS\bootstat.dat
----a-w 307,463 2008-05-14 11:02:46 C:\WINDOWS\comsetup.log
----a-w 51,133 2008-05-14 11:02:46 C:\WINDOWS\ehOCGen.log
----a-w 925,663 2008-05-14 11:02:45 C:\WINDOWS\FaxSetup.log
----a-w 2,334 2008-05-14 17:12:27 C:\WINDOWS\HPOCSS05.INI
----a-w 228 2008-05-25 12:56:27 C:\WINDOWS\HPODJC05.INI
----a-w 551 2008-05-25 12:56:33 C:\WINDOWS\HPOTBX05.INI
----a-w 991,507 2008-05-14 11:02:46 C:\WINDOWS\iis6.log
----a-w 1,374 2008-05-14 11:02:46 C:\WINDOWS\imsins.log
----a-w 13,651 2008-05-14 11:02:46 C:\WINDOWS\KB950749.log
----a-w 111,373 2008-05-14 11:02:46 C:\WINDOWS\MedCtrOC.log
----a-w 4,246 2008-05-24 13:16:49 C:\WINDOWS\ModemLog_Sony Ericsson W810 USB WMC Data Modem.txt
----a-w 4,472 2008-05-24 13:16:49 C:\WINDOWS\ModemLog_Sony Ericsson W810 USB WMC Modem.txt
----a-w 45,676 2008-05-14 11:02:46 C:\WINDOWS\msgsocm.log
----a-w 275,886 2008-05-14 11:02:43 C:\WINDOWS\msmqinst.log
----a-w 69 2008-05-19 18:56:48 C:\WINDOWS\NeroDigital.ini
----a-w 172,867 2008-05-14 11:02:46 C:\WINDOWS\netfxocm.log
----a-w 131,724 2008-05-27 19:58:57 C:\WINDOWS\ntbtlog.txt
----a-w 184,952 2008-05-14 11:02:46 C:\WINDOWS\ntdtcsetup.log
----a-w 437,552 2008-05-14 11:02:46 C:\WINDOWS\ocgen.log
----a-w 56,083 2008-05-14 11:02:46 C:\WINDOWS\ocmsn.log
----a-w 103,943 2008-05-14 11:02:46 C:\WINDOWS\plusoc.log
---ha-w 54,156 2008-05-27 19:38:08 C:\WINDOWS\QTFont.qfn
----a-w 32,400 2008-05-27 19:45:34 C:\WINDOWS\SchedLgU.Txt
----a-w 413,980 2008-05-25 20:07:36 C:\WINDOWS\setupapi.log
----a-w 46,389 2008-05-14 11:02:46 C:\WINDOWS\tabletoc.log
----a-w 419,297 2008-05-14 11:02:46 C:\WINDOWS\tsoc.log
----a-w 4 2008-05-27 19:40:15 C:\WINDOWS\Twain001.Mtx
----a-w 159 2008-05-27 20:01:30 C:\WINDOWS\wiadebug.log
----a-w 49 2008-05-27 20:01:19 C:\WINDOWS\wiaservc.log
----a-w 1,840,770 2008-05-27 19:45:29 C:\WINDOWS\WindowsUpdate.log
----a-w 72,555 2008-05-23 14:45:38 C:\WINDOWS\wmsetup.log
Entries: 33 (31)
Directories: 0 Files: 33
Bytes: 6,704,554 Blocks: 13,111
======C:\WINDOWS\system32=====
----a-w 107,888 2008-05-08 10:26:53 C:\WINDOWS\System32\CmdLineExt.dll
----a-w 32,192 2008-05-27 19:45:32 C:\WINDOWS\System32\Config.MPF
----a-w 1,553,344 2008-05-18 12:31:32 C:\WINDOWS\System32\FNTCACHE.DAT
----a-w 90,624 2008-05-25 15:37:19 C:\WINDOWS\System32\fulvikpv.dll
----a-w 84 2008-05-27 20:01:52 C:\WINDOWS\System32\ikhcore.cfg
----a-w 12,632 2008-05-16 09:58:04 C:\WINDOWS\System32\lsdelete.exe
----a-w 16,863,864 2008-05-09 21:35:04 C:\WINDOWS\System32\MRT.exe
--sha-w 4,752 2008-05-27 20:09:44 C:\WINDOWS\System32\oVuFeMoq.ini
--sha-w 4,752 2008-05-27 20:09:29 C:\WINDOWS\System32\oVuFeMoq.ini2
----a-w 72,960 2008-05-26 22:35:21 C:\WINDOWS\System32\perfc009.dat
----a-w 93,218 2008-05-26 22:35:21 C:\WINDOWS\System32\perfc013.dat
----a-w 446,006 2008-05-26 22:35:21 C:\WINDOWS\System32\perfh009.dat
----a-w 514,242 2008-05-26 22:35:21 C:\WINDOWS\System32\perfh013.dat
----a-w 1,140,898 2008-05-26 22:35:21 C:\WINDOWS\System32\PerfStringBackup.INI
----a-w 318,336 2008-05-25 15:35:41 C:\WINDOWS\System32\qoMeFuVo.dll
----a-w 827,634 2008-05-27 06:12:36 C:\WINDOWS\System32\RVAXO.bat
----a-w 29,312 2008-05-25 14:30:56 C:\WINDOWS\System32\urqPiIxY.dll
--sh--w 1,157,178 2008-05-27 19:43:50 C:\WINDOWS\System32\vpkivluf.ini
----a-w 14,336 2008-05-27 20:00:00 C:\WINDOWS\System32\WinCtrl32.dllRVAXO
----a-w 12,288 2008-05-27 20:00:00 C:\WINDOWS\System32\WLCtrl32.dll
----a-w 13,646 2008-05-18 12:31:16 C:\WINDOWS\System32\wpa.dbl
Entries: 21 (18)
Directories: 0 Files: 21
Bytes: 23,310,186 Blocks: 45,538
======C:\WINDOWS\system32\drivers=====
----a-w 12,960 2008-04-29 09:19:50 C:\WINDOWS\System32\drivers\Awrtpd.sys
----a-w 15,648 2008-04-29 09:19:54 C:\WINDOWS\System32\drivers\Awrtrd.sys
----a-w 29,056 2008-05-26 20:02:40 C:\WINDOWS\System32\drivers\naA55.sys
----a-w 15,648 2008-04-29 09:20:00 C:\WINDOWS\System32\drivers\NSDriver.sys
----a-w 27,008 2008-05-26 20:23:04 C:\WINDOWS\System32\drivers\Rem07.sys
Entries: 5 (5)
Directories: 0 Files: 5
Bytes: 100,320 Blocks: 198
=======C:\Program Files=====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=======D:=====
----a-w 639 2008-05-27 19:58:21 D:\firstrun6.log
Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 639 Blocks: 2
======D:\Documenten en settings\Ravish\Application Data======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======D:\Documenten en settings\Ravish======
---ha-w 3,407,872 2008-05-27 19:59:00 D:\Documenten en settings\Ravish\NTUSER.DAT
---ha-w 36,864 2008-05-27 20:09:15 D:\Documenten en settings\Ravish\NtUser.dat.LOG
--sh--w 188 2008-05-27 19:45:27 D:\Documenten en settings\Ravish\ntuser.ini
----a-w 600 2008-05-25 15:46:12 D:\Documenten en settings\Ravish\PUTTY.RND
Entries: 4 (1)
Directories: 0 Files: 4
Bytes: 3,445,524 Blocks: 6,731
======C:\WINDOWS\Downloaded Program Files====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=============
-
Open a Notepad file.
Copy the text below (everything shown in bold) into this Notepad file.
@ECHO OFF
REM Start with a fresh log so only this run's results are reported
IF EXIST log.txt DEL log.txt
REM Stop and unregister the rogue driver service before touching its file
sc stop naA55
sc delete naA55
remove C:\WINDOWS\System32\drivers\naA55.sys C:\RVAXO\naA55.sys
ECHO Deleting files>>log.txt
REM For each file: clear its attributes and delete it; if it is still there
REM (locked), rename it so it can no longer be loaded, and record the outcome
FOR %%g in (
C:\WINDOWS\System32\fulvikpv.dll
C:\WINDOWS\System32\ikhcore.cfg
C:\WINDOWS\System32\oVuFeMoq.ini
C:\WINDOWS\System32\oVuFeMoq.ini2
C:\WINDOWS\System32\qoMeFuVo.dll
C:\WINDOWS\System32\urqPiIxY.dll
C:\WINDOWS\System32\vpkivluf.ini
C:\WINDOWS\System32\WinCtrl32.dllRVAXO
C:\WINDOWS\System32\drivers\naA55.sys
C:\WINDOWS\System32\WLCtrl32.dl_
C:\WINDOWS\System32\WLCtrl32.dll) DO (
DEL /Q %%gNUCIA
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
REN %%g *NUCIA
IF EXIST %%gNUCIA (
ECHO renamed to %%gNUCIA>>log.txt)
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
REM Second attempt in case the service was re-created while the files were removed
sc stop naA55
sc delete naA55
START NOTEPAD.EXE log.txt
Go to File - Save As.
Under "Save in" choose: Desktop
Under "File name" enter: del.bat
Under "Save as type" select: All Files (*.*).
Click the Save button.
Double-click del.bat and post the contents of the log file that opens.
Last edited by smeenk; 28-05-08 at 20:11.
-
del.bat-log
Deleting files
C:\WINDOWS\System32\fulvikpv.dll not found
C:\WINDOWS\System32\ikhcore.cfg deleted
C:\WINDOWS\System32\MRT.exe deleted
C:\WINDOWS\System32\oVuFeMoq.ini deleted
C:\WINDOWS\System32\oVuFeMoq.ini2 deleted
C:\WINDOWS\System32\qoMeFuVo.dll not deleted
C:\WINDOWS\System32\urqPiIxY.dll not deleted
C:\WINDOWS\System32\vpkivluf.ini deleted
C:\WINDOWS\System32\WinCtrl32.dllRVAXO deleted
C:\WINDOWS\System32\drivers\naA55.sys not deleted
C:\WINDOWS\System32\WLCtrl32.dl_ not found
renamed to C:\WINDOWS\System32\WLCtrl32.dllNUCIA
C:\WINDOWS\System32\WLCtrl32.dll deleted
-
Download IceSword and unzip it into a folder on your desktop.
- Open that folder and double-click the "Sword icon" to start IceSword.
- On the left, click File.
- Now choose This Computer in IceSword and navigate to this file:
C:\WINDOWS\System32\drivers\naA55.sys
- Right-click it and choose Delete.
- Do the same for:
C:\WINDOWS\System32\WLCtrl32.dllNUCIA
Restart your PC and post a new HijackThis log.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:47:46, on 28-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: atfxqogp - {9E6CD9DF-5EF9-40F4-84FA-C4842EB1F283} - C:\WINDOWS\atfxqogp.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [e0fe598a] rundll32.exe "C:\WINDOWS\system32\quxpvodu.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP OfficeJet T Series Opstartmenu.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204449533890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204455813906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O21 - SSODL: KernelMon - {0edb91dc-441e-4a6a-bf46-decb18f48990} - C:\WINDOWS\Resources\KernelMon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor-service (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 10843 bytes
-
Download Malwarebytes' Anti-Malware from here or here.
Double-click mbam-setup.exe to install the program.
- Make sure the boxes for Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware are ticked, then click "Finish".
- If an update is found, it will download and install the latest version.
- Once the program is fully up to date, select "Perform Quick Scan", then click Scan.
- Scanning may take a while, so be patient.
- When the scan is complete, click OK, then "Show Results" to see the results.
- Make sure everything there is ticked, then click: Remove Selected.
- After removal a log will open and you will be asked to restart the computer. (See the extra note below)
- The log is saved automatically by MBAM; you can view it by clicking the "Logs" tab in MBAM.
- Copy and paste the results of the log in your next reply, together with a new HijackThis log.
Extra note:
If MBAM has trouble removing certain files, it will show a few messages where you must click OK. After that it will ask to restart the computer... so allow MBAM to restart the computer.
-
Malwarebytes' Anti-Malware 1.12
Database versie: 795
Scan type: Snelle Scan
Objecten gescand: 46761
Verstreken tijd: 1 hour(s), 2 minute(s), 9 second(s)
Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 6
Registersleutels geïnfecteerd: 32
Registerwaarden geïnfecteerd: 8
Registerdata bestanden geïnfecteerd: 2
Mappen geïnfecteerd: 6
Bestanden geïnfecteerd: 16
Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Geheugenmodulen geïnfecteerd:
C:\WINDOWS\system32\qoMeFuVo.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\quxpvodu.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\Resources\KernelMon.dll (Trojan.Clicker) -> Unloaded module successfully.
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\urqPiIxY.dll (Trojan.Vundo) -> Unloaded module successfully.
Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cab0a5f4-2a25-4972-8abf-3885d2b67db4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{cab0a5f4-2a25-4972-8abf-3885d2b67db4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{e18c3daf-9841-4340-afe9-27ab400650ab} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e48c3daf-9841-4345-afe9-27ab400650ab} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.bsog (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9e6cd9df-5ef9-40f4-84fa-c4842eb1f283} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b33b96b9-e0c2-4648-9819-a38ddcafa33c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b33b96b9-e0c2-4648-9819-a38ddcafa33c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de4a7692-b2cb-4d1a-9956-76a8a028caa0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{1c2a0cbe-9c8b-49f3-9e56-bd989db7e8c3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{14a9da84-0c80-4520-8452-f5c7c911a003} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3177b0aa-7c67-46b4-ba02-574d7e368d4f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{890f3f83-dca0-42a9-935e-dd01e78970b8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{616d534c-3ca8-43ab-b439-618f850f1d2b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\e405.e405mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0edb91dc-441e-4a6a-bf46-decb18f48990} (Trojan.Clicker) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{48f0b738-34a6-4113-b966-33c4ef85bcd9} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48f0b738-34a6-4113-b966-33c4ef85bcd9} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqpiixy (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e0fe598a (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9e6cd9df-5ef9-40f4-84fa-c4842eb1f283} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\KernelMon (Trojan.Clicker) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{48f0b738-34a6-4113-b966-33c4ef85bcd9} (Trojan.Vundo) -> Delete on reboot.
Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomefuvo -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomefuvo -> Delete on reboot.
Mappen geïnfecteerd:
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\BASE (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\DELETED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\SAVED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
Bestanden geïnfecteerd:
C:\WINDOWS\system32\qoMeFuVo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\oVuFeMoq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oVuFeMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\quxpvodu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\udovpxuq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080525173153453.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080525194413515.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080526092925781.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080526185418500.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
D:\Documenten en settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080526213156578.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Resources\KernelMon.dll (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\system32\WLCtrl32.dl_ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\urqPiIxY.dll (Trojan.Vundo) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:48:26, on 29-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: 818646 helper - {54192079-8E8A-43D8-BCBC-3874916159AF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP OfficeJet T Series Opstartmenu.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204449533890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204455813906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor-service (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
--
End of file - 11749 bytes
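The MBAM log above marks WinCtrl32.dll and several other DLLs as "Delete on reboot", yet the HijackThis log taken afterwards still lists an O20 Winlogon Notify entry for WinCtrl32.dll, which is what the manual removal step later in the thread targets. As an added example that is not part of the thread and not code from either tool, the Python script below parses both log formats (sample lines constructed from the logs above) and reports persistence entries whose target MBAM claimed to remove, plus entries that point at a file HijackThis could not find.

```python
"""Cross-check a HijackThis log against a Malwarebytes (MBAM) removal log.
Added example for this thread; the sample logs are constructed from lines posted above."""
from __future__ import annotations
import re
from typing import NamedTuple

# Constructed sample: lines from the MBAM log posted above.
MBAM_LOG = r"""
Bestanden geïnfecteerd:
C:\WINDOWS\system32\qoMeFuVo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\oVuFeMoq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Resources\KernelMon.dll (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Delete on reboot.
"""

# Constructed sample: lines from the HijackThis log taken after the MBAM run.
HJT_LOG = r"""
O2 - BHO: 818646 helper - {54192079-8E8A-43D8-BCBC-3874916159AF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""


class MbamHit(NamedTuple):
    path: str      # file or folder MBAM acted on
    family: str    # detection name, e.g. Trojan.Agent
    action: str    # "Delete on reboot" means the file was still locked


class HjtEntry(NamedTuple):
    kind: str      # HijackThis line type: O2, O4, O20, O23, ...
    name: str      # BHO / Run-key / Notify / service name as printed
    target: str    # file the entry loads, or "(no file)" when it is gone


_MBAM_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^()]*?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text: str) -> list[MbamHit]:
    """Pick the file-system lines out of an MBAM log; registry lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = _MBAM_RE.match(line.strip())
        if m:
            hits.append(MbamHit(m["path"], m["family"], m["action"]))
    return hits


def _command_path(command: str) -> str:
    """Extract the executable from an O4 Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    m = re.match(r"^(.+?\.(?:exe|dll|scr|bat|cmd))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ")[0]


def parse_hjt(text: str) -> list[HjtEntry]:
    """Parse the O-lines of a HijackThis log into (kind, name, target)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        head, _, rest = body.partition(": ")
        if kind == "O4" and "Startup" in head:
            name, _, target = rest.partition(" = ")        # "X.lnk = path"
        elif kind == "O4":
            nm = re.match(r"^\[([^\]]*)\]\s*(.*)$", rest)  # "[Name] command"
            name = nm.group(1) if nm else rest
            target = _command_path(nm.group(2)) if nm else ""
        else:
            parts = rest.split(" - ")                      # "Name - {GUID} - path"
            name, target = parts[0].strip(), parts[-1].strip()
        entries.append(HjtEntry(kind, name, target))
    return entries


def _norm(path: str) -> str:
    # Case-insensitive compare; 8.3 short names (PROGRA~1) are not expanded offline.
    return path.strip().strip('"').lower()


def surviving_entries(hjt_text: str, mbam_text: str) -> list[tuple]:
    """Persistence entries whose target MBAM reported as removed or pending removal."""
    removed = {_norm(h.path): h for h in parse_mbam(mbam_text)}
    found = []
    for e in parse_hjt(hjt_text):
        hit = removed.get(_norm(e.target))
        if hit:
            found.append((e.kind, e.name, e.target, hit.family, hit.action))
    return found


def orphaned_entries(hjt_text: str) -> list[tuple]:
    """Entries that still point at a file HijackThis could not find."""
    return [(e.kind, e.name) for e in parse_hjt(hjt_text)
            if "(no file)" in e.target or "(file missing)" in e.target]


if __name__ == "__main__":
    for kind, name, target, family, action in surviving_entries(HJT_LOG, MBAM_LOG):
        print(f"{kind} {name}: {target} still registered ({family}, MBAM: {action})")
    for kind, name in orphaned_entries(HJT_LOG):
        print(f"{kind} {name}: stale entry, file is gone")
```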
-
Download this file: zoek.exe
Double-click it; after a while a log will open.
Post the contents of this log in your next message
-
Zoek log
======C:\WINDOWS====
----a-w 0 2008-05-29 16:30:25 C:\WINDOWS\0.log
--s-a-w 2,048 2008-05-29 16:28:57 C:\WINDOWS\bootstat.dat
----a-w 307,463 2008-05-14 11:02:46 C:\WINDOWS\comsetup.log
----a-w 51,133 2008-05-14 11:02:46 C:\WINDOWS\ehOCGen.log
----a-w 925,663 2008-05-14 11:02:45 C:\WINDOWS\FaxSetup.log
----a-w 2,334 2008-05-14 17:12:27 C:\WINDOWS\HPOCSS05.INI
----a-w 228 2008-05-25 12:56:27 C:\WINDOWS\HPODJC05.INI
----a-w 551 2008-05-25 12:56:33 C:\WINDOWS\HPOTBX05.INI
----a-w 991,507 2008-05-14 11:02:46 C:\WINDOWS\iis6.log
----a-w 1,374 2008-05-14 11:02:46 C:\WINDOWS\imsins.log
----a-w 13,651 2008-05-14 11:02:46 C:\WINDOWS\KB950749.log
----a-w 111,373 2008-05-14 11:02:46 C:\WINDOWS\MedCtrOC.log
----a-w 4,246 2008-05-24 13:16:49 C:\WINDOWS\ModemLog_Sony Ericsson W810 USB WMC Data Modem.txt
----a-w 4,472 2008-05-24 13:16:49 C:\WINDOWS\ModemLog_Sony Ericsson W810 USB WMC Modem.txt
----a-w 45,676 2008-05-14 11:02:46 C:\WINDOWS\msgsocm.log
----a-w 275,886 2008-05-14 11:02:43 C:\WINDOWS\msmqinst.log
----a-w 69 2008-05-19 18:56:48 C:\WINDOWS\NeroDigital.ini
----a-w 172,867 2008-05-14 11:02:46 C:\WINDOWS\netfxocm.log
----a-w 131,724 2008-05-27 19:58:57 C:\WINDOWS\ntbtlog.txt
----a-w 184,952 2008-05-14 11:02:46 C:\WINDOWS\ntdtcsetup.log
----a-w 437,552 2008-05-14 11:02:46 C:\WINDOWS\ocgen.log
----a-w 56,083 2008-05-14 11:02:46 C:\WINDOWS\ocmsn.log
----a-w 103,943 2008-05-14 11:02:46 C:\WINDOWS\plusoc.log
---ha-w 54,156 2008-05-29 16:29:35 C:\WINDOWS\QTFont.qfn
----a-w 32,400 2008-05-27 19:45:34 C:\WINDOWS\SchedLgU.Txt
----a-w 416,959 2008-05-28 05:44:00 C:\WINDOWS\setupapi.log
----a-w 46,389 2008-05-14 11:02:46 C:\WINDOWS\tabletoc.log
----a-w 419,297 2008-05-14 11:02:46 C:\WINDOWS\tsoc.log
----a-w 4 2008-05-29 16:29:55 C:\WINDOWS\Twain001.Mtx
----a-w 159 2008-05-29 16:29:49 C:\WINDOWS\wiadebug.log
----a-w 49 2008-05-29 16:29:43 C:\WINDOWS\wiaservc.log
----a-w 1,881,623 2008-05-29 16:31:23 C:\WINDOWS\WindowsUpdate.log
----a-w 72,555 2008-05-23 14:45:38 C:\WINDOWS\wmsetup.log
Entries: 33 (31)
Directories: 0 Files: 33
Bytes: 6,748,386 Blocks: 13,197
======C:\WINDOWS\system32=====
----a-w 0 2008-05-28 05:19:16 C:\WINDOWS\System32\clkcnt.txt
----a-w 107,888 2008-05-08 10:26:53 C:\WINDOWS\System32\CmdLineExt.dll
----a-w 33,198 2008-05-29 16:31:11 C:\WINDOWS\System32\Config.MPF
----a-w 1,553,344 2008-05-18 12:31:32 C:\WINDOWS\System32\FNTCACHE.DAT
----a-w 84 2008-05-29 16:30:20 C:\WINDOWS\System32\ikhcore.cfg
----a-w 12,632 2008-05-16 09:58:04 C:\WINDOWS\System32\lsdelete.exe
----a-w 143 2008-05-28 22:41:08 C:\WINDOWS\System32\mcrh.tmp
--sha-w 182,512 2008-05-28 22:41:03 C:\WINDOWS\System32\oVuFeMoq.ini
----a-w 72,960 2008-05-28 05:43:36 C:\WINDOWS\System32\perfc009.dat
----a-w 93,218 2008-05-28 05:43:36 C:\WINDOWS\System32\perfc013.dat
----a-w 446,006 2008-05-28 05:43:36 C:\WINDOWS\System32\perfh009.dat
----a-w 514,242 2008-05-28 05:43:36 C:\WINDOWS\System32\perfh013.dat
----a-w 1,140,898 2008-05-28 05:43:35 C:\WINDOWS\System32\PerfStringBackup.INI
------w 318,336 2008-05-28 22:39:12 C:\WINDOWS\System32\qoMeFuVo.dll
------w 96,256 2008-05-28 22:39:12 C:\WINDOWS\System32\quxpvodu.dll
----a-w 827,634 2008-05-27 06:12:36 C:\WINDOWS\System32\RVAXO.bat
------w 29,312 2008-05-28 22:39:13 C:\WINDOWS\System32\urqPiIxY.dll
----a-w 14,336 2008-05-29 16:28:56 C:\WINDOWS\System32\WinCtrl32.dll
----a-w 12,288 2008-05-29 16:28:56 C:\WINDOWS\System32\WLCtrl32.dll
----a-w 13,646 2008-05-18 12:31:16 C:\WINDOWS\System32\wpa.dbl
Entries: 20 (19)
Directories: 0 Files: 20
Bytes: 5,468,933 Blocks: 10,690
======C:\WINDOWS\system32\drivers=====
----a-w 12,960 2008-04-29 09:19:50 C:\WINDOWS\System32\drivers\Awrtpd.sys
----a-w 15,648 2008-04-29 09:19:54 C:\WINDOWS\System32\drivers\Awrtrd.sys
----a-w 29,056 2008-05-28 22:56:22 C:\WINDOWS\System32\drivers\kfN07.sys
----a-w 15,864 2008-05-05 18:46:32 C:\WINDOWS\System32\drivers\mbam.sys
----a-w 27,048 2008-05-05 18:46:36 C:\WINDOWS\System32\drivers\mbamcatchme.sys
----a-w 15,648 2008-04-29 09:20:00 C:\WINDOWS\System32\drivers\NSDriver.sys
----a-w 27,008 2008-05-28 22:10:14 C:\WINDOWS\System32\drivers\Rem07.sys
Entries: 7 (7)
Directories: 0 Files: 7
Bytes: 143,232 Blocks: 282
=======C:\Program Files=====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=======D:=====
----a-w 639 2008-05-27 19:58:21 D:\firstrun6.log
Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 639 Blocks: 2
======D:\Documenten en settings\Ravish\Application Data======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======D:\Temp======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======D:\Documenten en settings\Ravish======
---ha-w 3,407,872 2008-05-28 23:24:38 D:\Documenten en settings\Ravish\NTUSER.DAT
---ha-w 114,688 2008-05-29 16:33:49 D:\Documenten en settings\Ravish\NtUser.dat.LOG
--sh--w 188 2008-05-28 23:24:14 D:\Documenten en settings\Ravish\ntuser.ini
----a-w 600 2008-05-25 15:46:12 D:\Documenten en settings\Ravish\PUTTY.RND
Entries: 4 (1)
Directories: 0 Files: 4
Bytes: 3,523,348 Blocks: 6,883
======C:\WINDOWS\Downloaded Program Files====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=============
-
I had Ad-Aware run a scan and it found the following trojan.
WIN32.TrojanDownloader.Mutant.
I had Ad-Aware remove it, but every time I restart my computer the trojan is still there.
-
The actions with Ad-Aware may have changed some things.
So make a new log with zoek.exe and post it in your next message.
-
======C:\WINDOWS====
----a-w 0 2008-05-29 18:43:57 C:\WINDOWS\0.log
--s-a-w 2,048 2008-05-29 18:42:20 C:\WINDOWS\bootstat.dat
----a-w 309,520 2008-05-29 17:38:30 C:\WINDOWS\comsetup.log
----a-w 51,471 2008-05-29 17:38:30 C:\WINDOWS\ehOCGen.log
----a-w 931,822 2008-05-29 17:38:29 C:\WINDOWS\FaxSetup.log
----a-w 2,334 2008-05-14 17:12:27 C:\WINDOWS\HPOCSS05.INI
----a-w 228 2008-05-25 12:56:27 C:\WINDOWS\HPODJC05.INI
----a-w 551 2008-05-25 12:56:33 C:\WINDOWS\HPOTBX05.INI
----a-w 998,344 2008-05-29 17:38:30 C:\WINDOWS\iis6.log
----a-w 1,374 2008-05-14 11:02:46 C:\WINDOWS\imsins.BAK
----a-w 1,374 2008-05-29 17:38:30 C:\WINDOWS\imsins.log
----a-w 11,096 2008-05-29 17:38:30 C:\WINDOWS\KB932823-v3.log
----a-w 13,651 2008-05-14 11:02:46 C:\WINDOWS\KB950749.log
----a-w 111,803 2008-05-29 17:38:30 C:\WINDOWS\MedCtrOC.log
----a-w 4,246 2008-05-24 13:16:49 C:\WINDOWS\ModemLog_Sony Ericsson W810 USB WMC Data Modem.txt
----a-w 4,472 2008-05-24 13:16:49 C:\WINDOWS\ModemLog_Sony Ericsson W810 USB WMC Modem.txt
----a-w 45,985 2008-05-29 17:38:30 C:\WINDOWS\msgsocm.log
----a-w 277,790 2008-05-29 17:38:27 C:\WINDOWS\msmqinst.log
----a-w 69 2008-05-19 18:56:48 C:\WINDOWS\NeroDigital.ini
----a-w 173,950 2008-05-29 17:38:30 C:\WINDOWS\netfxocm.log
----a-w 131,724 2008-05-27 19:58:57 C:\WINDOWS\ntbtlog.txt
----a-w 186,199 2008-05-29 17:38:30 C:\WINDOWS\ntdtcsetup.log
----a-w 440,468 2008-05-29 17:38:30 C:\WINDOWS\ocgen.log
----a-w 56,469 2008-05-29 17:38:30 C:\WINDOWS\ocmsn.log
----a-w 104,632 2008-05-29 17:38:30 C:\WINDOWS\plusoc.log
---ha-w 54,156 2008-05-29 18:42:58 C:\WINDOWS\QTFont.qfn
----a-w 32,400 2008-05-27 19:45:34 C:\WINDOWS\SchedLgU.Txt
----a-w 416,959 2008-05-28 05:44:00 C:\WINDOWS\setupapi.log
----a-w 46,700 2008-05-29 17:38:30 C:\WINDOWS\tabletoc.log
----a-w 422,118 2008-05-29 17:38:30 C:\WINDOWS\tsoc.log
----a-w 4 2008-05-29 18:43:10 C:\WINDOWS\Twain001.Mtx
----a-w 159 2008-05-29 18:43:21 C:\WINDOWS\wiadebug.log
----a-w 49 2008-05-29 18:43:12 C:\WINDOWS\wiaservc.log
----a-w 1,946,447 2008-05-29 18:44:41 C:\WINDOWS\WindowsUpdate.log
----a-w 72,555 2008-05-23 14:45:38 C:\WINDOWS\wmsetup.log
Entries: 35 (33)
Directories: 0 Files: 35
Bytes: 6,853,167 Blocks: 13,402
======C:\WINDOWS\system32=====
----a-w 0 2008-05-28 05:19:16 C:\WINDOWS\System32\clkcnt.txt
----a-w 107,888 2008-05-08 10:26:53 C:\WINDOWS\System32\CmdLineExt.dll
----a-w 33,324 2008-05-29 18:44:21 C:\WINDOWS\System32\Config.MPF
----a-w 1,553,344 2008-05-18 12:31:32 C:\WINDOWS\System32\FNTCACHE.DAT
----a-w 84 2008-05-29 18:43:51 C:\WINDOWS\System32\ikhcore.cfg
----a-w 12,632 2008-05-16 09:58:04 C:\WINDOWS\System32\lsdelete.exe
----a-w 143 2008-05-28 22:41:08 C:\WINDOWS\System32\mcrh.tmp
----a-w 72,960 2008-05-28 05:43:36 C:\WINDOWS\System32\perfc009.dat
----a-w 93,218 2008-05-28 05:43:36 C:\WINDOWS\System32\perfc013.dat
----a-w 446,006 2008-05-28 05:43:36 C:\WINDOWS\System32\perfh009.dat
----a-w 514,242 2008-05-28 05:43:36 C:\WINDOWS\System32\perfh013.dat
----a-w 1,140,898 2008-05-28 05:43:35 C:\WINDOWS\System32\PerfStringBackup.INI
------w 96,256 2008-05-28 22:39:12 C:\WINDOWS\System32\quxpvodu.dll
----a-w 827,634 2008-05-27 06:12:36 C:\WINDOWS\System32\RVAXO.bat
------w 29,312 2008-05-28 22:39:13 C:\WINDOWS\System32\urqPiIxY.dll
----a-w 14,336 2008-05-29 18:42:19 C:\WINDOWS\System32\WinCtrl32.dll
----a-w 12,288 2008-05-29 18:42:19 C:\WINDOWS\System32\WLCtrl32.dll
----a-w 13,646 2008-05-18 12:31:16 C:\WINDOWS\System32\wpa.dbl
Entries: 18 (18)
Directories: 0 Files: 18
Bytes: 4,968,211 Blocks: 9,712
======C:\WINDOWS\system32\drivers=====
----a-w 12,960 2008-04-29 09:19:50 C:\WINDOWS\System32\drivers\Awrtpd.sys
----a-w 15,648 2008-04-29 09:19:54 C:\WINDOWS\System32\drivers\Awrtrd.sys
----a-w 29,056 2008-05-28 22:56:22 C:\WINDOWS\System32\drivers\kfN07.sys
----a-w 15,864 2008-05-05 18:46:32 C:\WINDOWS\System32\drivers\mbam.sys
----a-w 27,048 2008-05-05 18:46:36 C:\WINDOWS\System32\drivers\mbamcatchme.sys
----a-w 15,648 2008-04-29 09:20:00 C:\WINDOWS\System32\drivers\NSDriver.sys
----a-w 27,008 2008-05-28 22:10:14 C:\WINDOWS\System32\drivers\Rem07.sys
Entries: 7 (7)
Directories: 0 Files: 7
Bytes: 143,232 Blocks: 282
=======C:\Program Files=====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=======D:=====
----a-w 639 2008-05-27 19:58:21 D:\firstrun6.log
Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 639 Blocks: 2
======D:\Documenten en settings\Ravish\Application Data======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======D:\Temp======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======D:\Documenten en settings\Ravish======
---ha-w 3,407,872 2008-05-29 18:41:31 D:\Documenten en settings\Ravish\NTUSER.DAT
---ha-w 32,768 2008-05-29 18:49:34 D:\Documenten en settings\Ravish\NtUser.dat.LOG
--sh--w 188 2008-05-29 18:41:07 D:\Documenten en settings\Ravish\ntuser.ini
----a-w 600 2008-05-25 15:46:12 D:\Documenten en settings\Ravish\PUTTY.RND
Entries: 4 (1)
Directories: 0 Files: 4
Bytes: 3,441,428 Blocks: 6,723
======C:\WINDOWS\Downloaded Program Files====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=============
-
This actually belongs with my previous post; it concerns the file C:\WINDOWS\system32\wlctrl32.dll
-
We're going to try something.
Open a Notepad file.
Copy the text below (everything in bold) into this Notepad file.
@ECHO OFF
REM Start with a fresh log for this run.
IF EXIST log.txt DEL log.txt
REM Stop and unregister the rogue driver service before touching its file.
sc stop kfN07
sc delete kfN07
REM Move the driver out of the drivers folder. The original line read "remove",
REM which is not a cmd.exe command; "move" is assumed to be what was meant.
IF NOT EXIST C:\RVAXO MD C:\RVAXO
move C:\WINDOWS\System32\drivers\kfN07.sys C:\RVAXO\kfN07.sys
ECHO Deleting files>>log.txt
REM For every file in the list: clear read-only/system/hidden, delete it, and
REM if it is still there rename it so the name no longer resolves at next boot.
FOR %%g in (
C:\WINDOWS\System32\clkcnt.txt
C:\WINDOWS\System32\ikhcore.cfg
C:\WINDOWS\System32\mcrh.tmp
C:\WINDOWS\System32\quxpvodu.dll
C:\WINDOWS\System32\urqPiIxY.dll
C:\WINDOWS\System32\WinCtrl32.dll
C:\WINDOWS\System32\WinCtrl32.dl_
C:\WINDOWS\System32\WLCtrl32.dll
C:\WINDOWS\System32\WLCtrl32.dl_
C:\WINDOWS\System32\drivers\kfN07.sys) DO (
REM Remove any leftover from an earlier run of this script.
DEL /Q %%gNUCIA
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
REM REN takes a bare file name as the new name; %%~nxg is name plus extension.
REM The original "REN %%g *NUCIA" would have dropped the extension instead.
REN %%g %%~nxgNUCIA
IF EXIST %%gNUCIA (
ECHO renamed to %%gNUCIA>>log.txt)
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
REM Second attempt, in case the service could not be removed while still loaded.
sc stop kfN07
sc delete kfN07
START NOTEPAD.EXE log.txt
Go to File - Save As.
Under "Save in" choose: Desktop
Under "File name" enter: del.bat
Under "Save as type" select: All files (*.*).
Click the Save button.
Double-click del.bat and post the contents of the log file that opens.
Open the IceSword folder and double-click the "Sword icon" to start IceSword.
- On the left, click File.
- Now choose This Computer in IceSword and navigate to this file:
C:\WINDOWS\System32\drivers\kfN07.sys
- Right-click it and choose Delete.
Restart your PC and post a new HijackThis log.
Last edited by smeenk; 29-05-08 at 20:25.
-
After my computer had started up I got the following message: install COM?? Is this correct??
Del.bat log
Deleting files
C:\WINDOWS\System32\clkcnt.txt not found
C:\WINDOWS\System32\ikhcore.cfg not found
C:\WINDOWS\System32\mcrh.tmp not found
C:\WINDOWS\System32\quxpvodu.dll not found
C:\WINDOWS\System32\urqPiIxY.dll not found
C:\WINDOWS\System32\WinCtrl32.dll not found
C:\WINDOWS\System32\WinCtrl32.dl_ not found
C:\WINDOWS\System32\WLCtrl32.dll not found
C:\WINDOWS\System32\WLCtrl32.dl_ not found
C:\WINDOWS\System32\drivers\kfN07.sys not deleted
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:42:40, on 29-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\THOMSO~1\SPEEDT~1\PRISMSVR.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: 818646 helper - {54192079-8E8A-43D8-BCBC-3874916159AF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP OfficeJet T Series Opstartmenu.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204449533890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204455813906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor-service (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
--
End of file - 11521 bytes
-
Double-click del.bat once more and post that log.
Also make a new log with zoek.exe and post that too.
-
del.bat log
Deleting files
C:\WINDOWS\System32\clkcnt.txt not found
C:\WINDOWS\System32\ikhcore.cfg deleted
C:\WINDOWS\System32\mcrh.tmp not found
C:\WINDOWS\System32\quxpvodu.dll not found
C:\WINDOWS\System32\urqPiIxY.dll not found
C:\WINDOWS\System32\WinCtrl32.dll not found
C:\WINDOWS\System32\WinCtrl32.dl_ not found
renamed to C:\WINDOWS\System32\WLCtrl32.dllNUCIA
C:\WINDOWS\System32\WLCtrl32.dll deleted
C:\WINDOWS\System32\WLCtrl32.dl_ not found
C:\WINDOWS\System32\drivers\kfN07.sys not found
Zoek log
======C:\WINDOWS====
----a-w 0 2008-05-29 19:40:47 C:\WINDOWS\0.log
--s-a-w 2,048 2008-05-29 19:39:07 C:\WINDOWS\bootstat.dat
----a-w 309,520 2008-05-29 17:38:30 C:\WINDOWS\comsetup.log
----a-w 51,471 2008-05-29 17:38:30 C:\WINDOWS\ehOCGen.log
----a-w 931,822 2008-05-29 17:38:29 C:\WINDOWS\FaxSetup.log
----a-w 2,334 2008-05-14 17:12:27 C:\WINDOWS\HPOCSS05.INI
----a-w 228 2008-05-25 12:56:27 C:\WINDOWS\HPODJC05.INI
----a-w 551 2008-05-25 12:56:33 C:\WINDOWS\HPOTBX05.INI
----a-w 998,344 2008-05-29 17:38:30 C:\WINDOWS\iis6.log
----a-w 1,374 2008-05-14 11:02:46 C:\WINDOWS\imsins.BAK
----a-w 1,374 2008-05-29 17:38:30 C:\WINDOWS\imsins.log
----a-w 11,096 2008-05-29 17:38:30 C:\WINDOWS\KB932823-v3.log
----a-w 13,651 2008-05-14 11:02:46 C:\WINDOWS\KB950749.log
----a-w 111,803 2008-05-29 17:38:30 C:\WINDOWS\MedCtrOC.log
----a-w 4,246 2008-05-24 13:16:49 C:\WINDOWS\ModemLog_Sony Ericsson W810 USB WMC Data Modem.txt
----a-w 4,472 2008-05-24 13:16:49 C:\WINDOWS\ModemLog_Sony Ericsson W810 USB WMC Modem.txt
----a-w 45,985 2008-05-29 17:38:30 C:\WINDOWS\msgsocm.log
----a-w 277,790 2008-05-29 17:38:27 C:\WINDOWS\msmqinst.log
----a-w 69 2008-05-19 18:56:48 C:\WINDOWS\NeroDigital.ini
----a-w 173,950 2008-05-29 17:38:30 C:\WINDOWS\netfxocm.log
----a-w 131,724 2008-05-27 19:58:57 C:\WINDOWS\ntbtlog.txt
----a-w 186,199 2008-05-29 17:38:30 C:\WINDOWS\ntdtcsetup.log
----a-w 440,468 2008-05-29 17:38:30 C:\WINDOWS\ocgen.log
----a-w 56,469 2008-05-29 17:38:30 C:\WINDOWS\ocmsn.log
----a-w 104,632 2008-05-29 17:38:30 C:\WINDOWS\plusoc.log
---ha-w 54,156 2008-05-29 19:39:43 C:\WINDOWS\QTFont.qfn
----a-w 32,400 2008-05-27 19:45:34 C:\WINDOWS\SchedLgU.Txt
----a-w 416,959 2008-05-28 05:44:00 C:\WINDOWS\setupapi.log
----a-w 46,700 2008-05-29 17:38:30 C:\WINDOWS\tabletoc.log
----a-w 422,118 2008-05-29 17:38:30 C:\WINDOWS\tsoc.log
----a-w 4 2008-05-29 19:39:53 C:\WINDOWS\Twain001.Mtx
----a-w 159 2008-05-29 19:40:10 C:\WINDOWS\wiadebug.log
----a-w 49 2008-05-29 19:39:56 C:\WINDOWS\wiaservc.log
----a-w 1,966,426 2008-05-29 19:41:22 C:\WINDOWS\WindowsUpdate.log
----a-w 72,555 2008-05-23 14:45:38 C:\WINDOWS\wmsetup.log
Entries: 35 (33)
Directories: 0 Files: 35
Bytes: 6,873,146 Blocks: 13,441
======C:\WINDOWS\system32=====
----a-w 107,888 2008-05-08 10:26:53 C:\WINDOWS\System32\CmdLineExt.dll
----a-w 33,562 2008-05-29 19:41:11 C:\WINDOWS\System32\Config.MPF
----a-w 1,553,344 2008-05-18 12:31:32 C:\WINDOWS\System32\FNTCACHE.DAT
----a-w 12,632 2008-05-16 09:58:04 C:\WINDOWS\System32\lsdelete.exe
----a-w 72,960 2008-05-28 05:43:36 C:\WINDOWS\System32\perfc009.dat
----a-w 93,218 2008-05-28 05:43:36 C:\WINDOWS\System32\perfc013.dat
----a-w 446,006 2008-05-28 05:43:36 C:\WINDOWS\System32\perfh009.dat
----a-w 514,242 2008-05-28 05:43:36 C:\WINDOWS\System32\perfh013.dat
----a-w 1,140,898 2008-05-28 05:43:35 C:\WINDOWS\System32\PerfStringBackup.INI
----a-w 827,634 2008-05-27 06:12:36 C:\WINDOWS\System32\RVAXO.bat
----a-w 12,288 2008-05-29 19:39:06 C:\WINDOWS\System32\WLCtrl32.dllNUCIA
----a-w 13,646 2008-05-18 12:31:16 C:\WINDOWS\System32\wpa.dbl
Entries: 12 (12)
Directories: 0 Files: 12
Bytes: 4,828,318 Blocks: 9,436
======C:\WINDOWS\system32\drivers=====
----a-w 12,960 2008-04-29 09:19:50 C:\WINDOWS\System32\drivers\Awrtpd.sys
----a-w 15,648 2008-04-29 09:19:54 C:\WINDOWS\System32\drivers\Awrtrd.sys
----a-w 15,864 2008-05-05 18:46:32 C:\WINDOWS\System32\drivers\mbam.sys
----a-w 27,048 2008-05-05 18:46:36 C:\WINDOWS\System32\drivers\mbamcatchme.sys
----a-w 15,648 2008-04-29 09:20:00 C:\WINDOWS\System32\drivers\NSDriver.sys
----a-w 27,008 2008-05-28 22:10:14 C:\WINDOWS\System32\drivers\Rem07.sys
Entries: 6 (6)
Directories: 0 Files: 6
Bytes: 114,176 Blocks: 225
=======C:\Program Files=====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=======D:=====
----a-w 639 2008-05-27 19:58:21 D:\firstrun6.log
Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 639 Blocks: 2
======D:\Documenten en settings\Ravish\Application Data======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======D:\Temp======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======D:\Documenten en settings\Ravish======
---ha-w 3,407,872 2008-05-29 19:38:12 D:\Documenten en settings\Ravish\NTUSER.DAT
---ha-w 32,768 2008-05-29 19:51:47 D:\Documenten en settings\Ravish\NtUser.dat.LOG
--sh--w 188 2008-05-29 19:37:48 D:\Documenten en settings\Ravish\ntuser.ini
----a-w 600 2008-05-25 15:46:12 D:\Documenten en settings\Ravish\PUTTY.RND
Entries: 4 (1)
Directories: 0 Files: 4
Bytes: 3,441,428 Blocks: 6,723
======C:\WINDOWS\Downloaded Program Files====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=============
-
Maybe we are almost rid of it after all.
Restart the computer and, after the restart, double-click del.bat once more.
Post the log.