bah, very annoying storageprotector.com
  • bah, very annoying storageprotector.com

    hi,

    I have already looked at and tried a few of the options on this site, but it just won't work.. pff, storageprotector is really annoying. I don't feel like setting up my PC all over again, nor do I have the time. I'm travelling to South America in January, and until then I really still need my PC!

    perhaps there is still something to try here.. who knows, thanks..

    here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 22:52:45, on 20-12-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BitTorrent_DNA\dna.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    E:\Software\ATF Cleaner\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ifqdqeyl.dll
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.hema.nl/SITE/xupload/XUpload.ocx
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: ifqdqeyl - C:\WINDOWS\SYSTEM32\ifqdqeyl.dll
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 5645 bytes

  • #2
    Download VirtumundoBegone (mirror)
    Save it to your desktop.

    Double-click VirtumundoBeGone.exe and follow the instructions.
    Don't be alarmed if you see a blue screen with an error message - this is normal.
    When the fix has finished, restart the PC.
    Post the contents of the log file VBG.TXT, which is now on your desktop, here in your next message.


    Download: RVAXO.exe
    • Save the file to your desktop, double-click it and choose "Unzip" to extract it.
    • Now open the RVAXO folder on your desktop and double-click RVAXO.cmd
      A small cmd window will open, in which a few lines about files not found will scroll past quickly; this is normal.
    • An uninstaller for a rogue scanner may also start; do not close it, but follow any instructions and simply let it do its work.
    • After that your PC will restart; after the restart the RVAXO cmd window opens again.
      Let it run and wait until a log file opens: C:\RVAXO-results.log
    • If your computer does not restart by itself, or the tool does not start after the reboot, do this manually.
    • Post the contents of the log file in your next message.
    Also post a new HijackThis log


    • #3
      Originally posted by smeenk
      Download VirtumundoBegone: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe (mirror: http://nucia.eu/forum/attachment.php?attachmentid=2932&d=1197629092)
      Save it to your desktop.

      Double-click VirtumundoBeGone.exe and follow the instructions.
      Don't be alarmed if you see a blue screen with an error message - this is normal.
      When the fix has finished, restart the PC.
      Post the contents of the log file VBG.TXT, which is now on your desktop, here in your next message.


      Download: RVAXO.exe (http://home.hetnet.nl/~stefsmeenk/RVAXO.exe)
      • Save the file to your desktop, double-click it and choose "Unzip" to extract it.
      • Now open the RVAXO folder on your desktop and double-click RVAXO.cmd
        A small cmd window will open, in which a few lines about files not found will scroll past quickly; this is normal.
      • An uninstaller for a rogue scanner may also start; do not close it, but follow any instructions and simply let it do its work.
      • After that your PC will restart; after the restart the RVAXO cmd window opens again.
        Let it run and wait until a log file opens: C:\RVAXO-results.log
      • If your computer does not restart by itself, or the tool does not start after the reboot, do this manually.
      • Post the contents of the log file in your next message.
      Also post a new HijackThis log


      • #4
        wow, that is a quick reply, thanks..
        well, these are the following logs:

        VBG:

        [12/20/2007, 23:09:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\N\Bureaublad\VirtumundoBeGone.exe" )
        [12/20/2007, 23:09:57] - Detected System Information:
        [12/20/2007, 23:09:57] - Windows Version: 5.1.2600, Service Pack 2
        [12/20/2007, 23:09:57] - Current Username: N (Admin)
        [12/20/2007, 23:09:57] - Windows is in NORMAL mode.
        [12/20/2007, 23:09:57] - Searching for Browser Helper Objects:
        [12/20/2007, 23:09:57] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
        [12/20/2007, 23:09:57] - BHO 2: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
        [12/20/2007, 23:09:57] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
        [12/20/2007, 23:09:57] - BHO 4: {A95B2816-1D7E-4561-A202-68C0DE02353A} ()
        [12/20/2007, 23:09:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
        [12/20/2007, 23:09:58] - Checking for HKLM\...\Winlogon\Notify\ifqdqeyl
        [12/20/2007, 23:09:58] - Found: HKLM\...\Winlogon\Notify\ifqdqeyl - This is probably Virtumundo.
        [12/20/2007, 23:09:58] - Assigning {A95B2816-1D7E-4561-A202-68C0DE02353A} MSEvents Object
        [12/20/2007, 23:09:58] - BHO list has been changed! Starting over...
        [12/20/2007, 23:09:58] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
        [12/20/2007, 23:09:58] - BHO 2: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
        [12/20/2007, 23:09:58] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
        [12/20/2007, 23:09:58] - BHO 4: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
        [12/20/2007, 23:09:58] - ALERT: Found MSEvents Object!
        [12/20/2007, 23:09:58] - Finished Searching Browser Helper Objects
        [12/20/2007, 23:09:58] - *** Detected MSEvents Object
        [12/20/2007, 23:09:58] - Trying to remove MSEvents Object...
        [12/20/2007, 23:09:59] - Terminating Process: IEXPLORE.EXE
        [12/20/2007, 23:10:02] - Terminating Process: RUNDLL32.EXE
        [12/20/2007, 23:10:07] - Disabling Automatic Shell Restart
        [12/20/2007, 23:10:07] - Terminating Process: EXPLORER.EXE
        [12/20/2007, 23:10:07] - Suspending the NT Session Manager System Service
        [12/20/2007, 23:10:10] - Terminating Windows NT Logon/Logoff Manager
        [12/20/2007, 23:10:11] - Re-enabling Automatic Shell Restart
        [12/20/2007, 23:10:11] - File to disable: C:\WINDOWS\system32\ifqdqeyl.dll
        [12/20/2007, 23:10:11] - Renaming C:\WINDOWS\system32\ifqdqeyl.dll -> C:\WINDOWS\system32\ifqdqeyl.dll.vir
        [12/20/2007, 23:10:11] - File successfully renamed!
        [12/20/2007, 23:10:11] - Removing HKLM\...\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
        [12/20/2007, 23:10:11] - Removing HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
        [12/20/2007, 23:10:11] - Adding Kill Bit for ActiveX for GUID: {A95B2816-1D7E-4561-A202-68C0DE02353A}
        [12/20/2007, 23:10:11] - Deleting ATLEvents/MSEvents Registry entries
        [12/20/2007, 23:10:11] - Removing HKLM\...\Winlogon\Notify\ifqdqeyl
        [12/20/2007, 23:10:11] - Searching for Browser Helper Objects:
        [12/20/2007, 23:10:11] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
        [12/20/2007, 23:10:11] - BHO 2: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
        [12/20/2007, 23:10:11] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
        [12/20/2007, 23:10:11] - Finished Searching Browser Helper Objects
        [12/20/2007, 23:10:11] - Finishing up...
        [12/20/2007, 23:10:11] - A restart is needed.
        [12/20/2007, 23:10:15] - Attempting to Restart via STOP error (Blue Screen!)
        ---------------RVAXO.exe first run-------------

        Files found:

        C:\WINDOWS\system32\ifqdqeyl.dll.vir
        C:\WINDOWS\system32\ifqdqeyl.dllbox
        C:\WINDOWS\system32\vbzip10.dll
        C:\WINDOWS\Fonts\Setup.exe
        C:\WINDOWS\mrofinu1188.exe.tmp

        Uninstallers Rogue scanners:


        Folders Found:

        C:\Documents and Settings\N\Application Data\Dcads Advanced Toolbar

        Hosts-file was reset, If you use a custom hosts file please replace it...

        --------------RVAXO.exe last run---------------

        Files found:

        Folders Found:

        C:\Documents and Settings\N\Application Data\Dcads Advanced Toolbar
        --------------RVAXO.exe finished----------------
        Logfile of Trend Micro HijackThis v2.0.0 (BETA)
        Scan saved at 23:19:13, on 20-12-2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Sygate\SPF\smc.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\AVPersonal\AVGUARD.EXE
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\Program Files\AVPersonal\AVWUPSRV.EXE
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\Tablet.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\WINDOWS\system32\notepad.exe
        C:\Program Files\AVPersonal\AVGNT.EXE
        C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\BitTorrent_DNA\dna.exe
        C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
        C:\WINDOWS\system32\WTablet\TabUserW.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\Program Files\internet explorer\iexplore.exe
        C:\WINDOWS\system32\wuauclt.exe
        E:\Software\ATF Cleaner\HiJackThis_v2.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
        O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
        O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
        O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
        O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
        O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
        O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
        O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
        O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
        O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.hema.nl/SITE/xupload/XUpload.ocx
        O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
        O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
        O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
        O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
        O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
        O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

        --
        End of file - 5521 bytes


        Thanks again, regards, Martijn
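The check that the VirtumundoBeGone log in the post above reports (a BHO with no default name whose DLL is also registered under Winlogon Notify) can be run directly over a HijackThis log. The following Python is an added example, not part of the original thread and not VirtumundoBeGone's own code; the function names and the "high"/"review" levels are assumptions, and the sample lines are copied from the two HijackThis logs posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# HijackThis line shapes used here (as they appear in the logs in this thread):
#   O2 - BHO: <name> - {CLSID} - <dll path>
#   O20 - Winlogon Notify: <key name> - <dll path>
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    clsid: str                 # CLSID of the nameless BHO
    dll: str                   # DLL path as written on the O2 line
    notify_key: Optional[str]  # matching Winlogon Notify key, if any
    level: str                 # "high" = also under Winlogon Notify, else "review"


def norm_path(path):
    # Windows paths are case-insensitive: the first log writes the same DLL
    # as ...\system32\... on the O2 line and ...\SYSTEM32\... on the O20 line.
    return path.strip().strip('"').lower()


def correlate(log_text):
    """Return a Finding for every BHO without a name; mark it "high" when the
    same DLL is also loaded through a Winlogon Notify key."""
    bhos, notify_by_dll = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify_by_dll[norm_path(m["path"])] = m["key"]

    findings = []
    for bho in bhos:
        if bho["name"].strip().lower() not in ("", "(no name)"):
            continue  # named BHOs are out of scope for this check
        key = notify_by_dll.get(norm_path(bho["path"]))
        findings.append(Finding(bho["clsid"].upper(), bho["path"].strip(),
                                key, "high" if key else "review"))
    return findings


# O2/O20 lines copied from the first HijackThis log in this thread.
BEFORE_LOG = r"""
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ifqdqeyl.dll
    O20 - Winlogon Notify: ifqdqeyl - C:\WINDOWS\SYSTEM32\ifqdqeyl.dll
"""

# O2 lines copied from the second HijackThis log (after the tools had run).
AFTER_LOG = r"""
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        hits = correlate(log)
        print(label, "->", hits if hits else "no nameless BHO")
```

A "review" result (nameless BHO with no Winlogon Notify match) is only a prompt to look at the DLL by hand; the log above treats the combination of both signals as the indicator.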


        • #5
          Open the RVAXO folder on your desktop and double-click Uninstall.cmd
          This will remove everything belonging to RVAXO.

          Download Combofix to your desktop.
          Double-click Combofix.exe
          Choose "Continue" by typing 1 followed by ENTER.
          While the fix is running, do NOT click in the window, as this will make your PC hang.
          When the fix has completed and after the restart, the log combofix.txt will open.
          Post this log in your next post.

          NOTE: If your virus scanner responds with a notification about script execution, you may ignore it.


          • #6
            ComboFix 07-12-20.1 - N 2007-12-20 23:37:41.5 - NTFSx86
            Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.278 [GMT 1:00]
            Gestart vanuit: C:\Documents and Settings\N\Bureaublad\ComboFix.exe
            .

            (((((((((((((((((((( Bestanden Gemaakt van 2007-11-20 to 2007-12-20 ))))))))))))))))))))))))))))))
            .

            2007-12-20 22:57 . 2007-12-20 22:57 7,168 --a------ C:\WINDOWS\system32\windows
            2007-12-20 21:52 . 2007-12-20 21:52 14,033 --a------ C:\posFFA.tmp
            2007-12-20 21:24 . 2007-12-20 21:24 14,033 --a------ C:\posF92.tmp
            2007-12-20 21:23 . 2007-12-20 21:24 14,033 --a------ C:\posE13.tmp
            2007-12-20 21:15 . 2007-12-20 21:15 14,033 --a------ C:\posDA4.tmp
            2007-12-20 20:39 . 2007-12-20 20:40 14,033 --a------ C:\posBBB.tmp
            2007-12-20 20:30 . 2007-12-20 20:30 14,033 --a------ C:\pos7B9.tmp
            2007-12-19 21:48 . 2007-12-19 21:48 14,033 --a------ C:\pos3E4.tmp
            2007-12-19 21:47 . 2007-12-19 21:48 14,033 --a------ C:\pos23.tmp
            2007-12-19 21:47 . 2007-12-19 21:47 13,033 --a------ C:\pos1.tmp
            2007-12-19 21:47 . 2007-12-19 21:48 12,033 --a------ C:\pos6.tmp
            2007-12-19 21:35 . 2007-12-19 21:36 14,033 --a------ C:\pos447.tmp
            2007-12-19 20:20 . 2007-12-19 20:20 165,472 --a------ C:\WINDOWS\system32\yamkqftt.dll
            2007-12-17 20:32 . 2007-12-17 20:32 <DIR> d-------- C:\Program Files\Lavasoft
            2007-12-17 20:32 . 2007-12-17 20:32 <DIR> d-------- C:\Documents and Settings\N\Application Data\Lavasoft
            2007-12-17 20:26 . 2007-12-17 20:26 <DIR> d-------- C:\Downloads
            2007-12-17 20:26 . 2007-12-17 20:27 <DIR> d-------- C:\Documents and Settings\N\Application Data\GetRightToGo
            2007-12-16 17:55 . 2007-12-17 19:53 962,434 ---hs---- C:\WINDOWS\system32\uaghpxpd.ini
            2007-12-15 00:15 . 2007-12-16 17:52 961,536 ---hs---- C:\WINDOWS\system32\soytoqwp.ini
            2007-12-13 10:39 . 2007-12-13 10:39 <DIR> d-------- C:\Documents and Settings\N\DoctorWeb
            2007-12-12 18:27 . 2007-12-15 00:10 1,072,654 ---hs---- C:\WINDOWS\system32\vvuakgbr.ini
            2007-12-11 18:19 . 2007-12-12 18:22 917,133 ---hs---- C:\WINDOWS\system32\usghvkgb.ini
            2007-12-09 18:18 . 2007-12-10 18:20 860,005 ---hs---- C:\WINDOWS\system32\wdwroiup.ini
            2007-12-08 18:23 . 2007-12-09 17:03 834,760 ---hs---- C:\WINDOWS\system32\rdxibvtp.ini
            2007-12-07 18:21 . 2007-12-08 18:22 834,520 ---hs---- C:\WINDOWS\system32\arehbjvw.ini
            2007-12-06 18:20 . 2007-12-07 18:21 834,280 ---hs---- C:\WINDOWS\system32\csgfgqhf.ini
            2007-11-28 22:30 . 2007-11-28 22:30 <DIR> d-------- C:\Program Files\CopyPod
            2007-11-28 22:30 . 2007-11-28 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CopyPod
            2007-11-28 22:06 . 2007-12-16 18:01 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
            2007-11-28 21:33 . 2007-11-28 21:37 <DIR> d-------- C:\Documents and Settings\N\Application Data\Dcads Advanced Toolbar
            2007-11-25 18:04 . 2007-11-25 18:04 <DIR> d-------- C:\Program Files\iTunes
            2007-11-25 18:02 . 2007-12-20 23:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
            2007-11-25 18:02 . 2007-11-25 18:02 1,409 --a------ C:\WINDOWS\QTFont.for
            2007-11-25 18:01 . 2007-11-25 18:01 <DIR> d-------- C:\Program Files\Common Files\Apple
            2007-11-25 18:01 . 2007-11-25 18:01 <DIR> d-------- C:\Program Files\Apple Software Update
            2007-11-25 18:01 . 2007-11-25 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
            2007-11-25 18:01 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

            .
            ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2007-12-20 22:37 --------- d-----w C:\Documents and Settings\N\Application Data\BitTorrent DNA
            2007-12-17 19:47 --------- d-----w C:\Program Files\AVPersonal
            2007-12-17 19:02 --------- d-----w C:\Documents and Settings\N\Application Data\LimeWirePlus
            2007-12-11 19:39 --------- d-----w C:\Program Files\Common Files\InstallShield
            2007-11-25 17:04 --------- d-----w C:\Program Files\iPod
            2007-11-25 17:03 --------- d-----w C:\Program Files\QuickTime
            2007-11-25 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
            2007-11-02 21:51 --------- d-----w C:\Documents and Settings\N\Application Data\Skype
            2007-10-28 13:55 --------- d-----w C:\Program Files\Teletekstbrowser
            2007-10-25 19:15 --------- d-----w C:\Program Files\Google
            2007-10-20 18:13 --------- d-----w C:\Program Files\Skype
            2007-10-20 18:13 --------- d-----w C:\Program Files\Common Files\Skype
            2007-10-20 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
            2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
            2006-11-07 18:52 17,920 ----a-w C:\Documents and Settings\N\Application Data\GDIPFONTCACHEV1.DAT
            .

            ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            REGEDIT4
            *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
            "BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-09-28 16:26]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "AVGCtrl"="C:\Program Files\AVPersonal\AVGNT.exe" [2005-07-29 09:19]
            "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 18:05]
            "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
            "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
            "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe"
            "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
            "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]

            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
            "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:03]

            C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
            Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
            Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
            TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2006-11-02 22:22:04]

            R2 AVWUpSrv;AntiVir Update;"C:\Program Files\AVPersonal\AVWUPSRV.EXE" [2005-09-16 11:55]
            R3 avgntdw;avgntdw;C:\Program Files\AVPersonal\AVGNTDW.SYS [2005-04-29 07:07]
            R3 mgau;mgau;C:\WINDOWS\system32\DRIVERS\mgaum.sys [2001-09-06 19:59]
            S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2007-10-31 14:09]
            S3 USBVSP;USBVSP;C:\WINDOWS\system32\drivers\Usbvsp.sys

            .
            Inhoud van de 'Gedeelde Taken' map
            "2007-11-25 17:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
            - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
            .
            **************************************************************************

            catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2007-12-20 23:40:10
            Windows 5.1.2600 Service Pack 2 NTFS

            scannen van verborgen processen ...

            scannen van verborgen autostart items ...

            scannen van verborgen bestanden ...

            Scan succesvol afgerond
            verborgen bestanden: 0

            **************************************************************************
            .
            Voltooingstijd: 2007-12-20 23:41:20
            C:\ComboFix2.txt ... 2007-12-20 22:16
            C:\ComboFix3.txt ... 2007-12-20 22:10



            • #7
              I see some strange files; would you be willing to scan one of them at VirusTotal?: http://www.virustotal.com/
              C:\posFFA.tmp

              Upload the file and copy the result, then paste the scan result in your next message.


              • #8
                I only just saw your last reply! I'll get back behind the PC as soon as I'm home. That weird storageprotector has since disappeared, though!

                thanks.. and happy holidays in advance..

                regards, martijn


                • #9
                  File posFFF.tmp received on 12.24.2007 19:34:17 (CET)


                  Result: 0/32 (0%)


                  Antivirus Version Last Update Result
                  AhnLab-V3 2007.12.25.10 2007.12.24 -
                  AntiVir 7.6.0.46 2007.12.24 -
                  Authentium 4.93.8 2007.12.23 -
                  Avast 4.7.1098.0 2007.12.24 -
                  AVG 7.5.0.516 2007.12.24 -
                  BitDefender 7.2 2007.12.24 -
                  CAT-QuickHeal 9.00 2007.12.24 -
                  ClamAV 0.91.2 2007.12.24 -
                  DrWeb 4.44.0.09170 2007.12.24 -
                  eSafe 7.0.15.0 2007.12.24 -
                  eTrust-Vet 31.3.5400 2007.12.24 -
                  Ewido 4.0 2007.12.24 -
                  FileAdvisor 1 2007.12.24 -
                  Fortinet 3.14.0.0 2007.12.24 -
                  F-Prot 4.4.2.54 2007.12.23 -
                  F-Secure 6.70.13030.0 2007.12.24 -
                  Ikarus T3.1.1.15 2007.12.24 -
                  Kaspersky 7.0.0.125 2007.12.24 -
                  McAfee 5192 2007.12.24 -
                  Microsoft 1.3109 2007.12.24 -
                  NOD32v2 2745 2007.12.24 -
                  Norman 5.80.02 2007.12.24 -
                  Panda 9.0.0.4 2007.12.24 -
                  Prevx1 V2 2007.12.24 -
                  Rising 20.24.02.00 2007.12.24 -
                  Sophos 4.24.0 2007.12.24 -
                  Sunbelt 2.2.907.0 2007.12.21 -
                  Symantec 10 2007.12.24 -
                  TheHacker 6.2.9.168 2007.12.22 -
                  VBA32 3.12.2.5 2007.12.24 -
                  VirusBuster 4.3.26:9 2007.12.24 -
                  Webwasher-Gateway 6.6.2 2007.12.24 -
                  Additional information
                  File size: 10033 bytes
                  MD5: 6f038159674847de4f03b4803f399ffc
                  SHA1: cd6de175e06f02ad2c2df5780d623d3e4bbf4e97
                  PEiD: -

                  • #10
                    Download the attachment: CFScript.txt

                    Drag CFScript.txt onto ComboFix.exe as shown in the example below:

                    This will make ComboFix restart.
                    Restart the computer if you are asked to,
                    and post the contents of Combofix.txt in your next reply.
                    Also post a new HijackThis log and say whether there are still any problems.

                    • #11
                      ComboFix 07-12-20.1 - N 2007-12-25 14:47:51.6 - NTFSx86
                      Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.299 [GMT 1:00]
                      Gestart vanuit: C:\Documents and Settings\N\Bureaublad\ComboFix.exe
                      Command switches used :: C:\Documents and Settings\N\Bureaublad\cfscript.txt
                      * Nieuw herstelpunt werd aangemaakt

                      FILE
                      C:\pos1.tmp
                      C:\pos23.tmp
                      C:\pos3E4.tmp
                      C:\pos447.tmp
                      C:\pos6.tmp
                      C:\pos7B9.tmp
                      C:\posBBB.tmp
                      C:\posDA4.tmp
                      C:\posE13.tmp
                      C:\posF92.tmp
                      C:\posFFA.tmp
                      C:\WINDOWS\system32\arehbjvw.ini
                      C:\WINDOWS\system32\csgfgqhf.ini
                      C:\WINDOWS\system32\rdxibvtp.ini
                      C:\WINDOWS\system32\soytoqwp.ini
                      C:\WINDOWS\system32\uaghpxpd.ini
                      C:\WINDOWS\system32\usghvkgb.ini
                      C:\WINDOWS\system32\vvuakgbr.ini
                      C:\WINDOWS\system32\wdwroiup.ini
                      C:\WINDOWS\system32\windows
                      C:\WINDOWS\system32\yamkqftt.dll
                      .

                      (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
                      .

                      C:\pos1.tmp
                      C:\pos23.tmp
                      C:\pos3E4.tmp
                      C:\pos447.tmp
                      C:\pos6.tmp
                      C:\pos7B9.tmp
                      C:\posBBB.tmp
                      C:\posDA4.tmp
                      C:\posE13.tmp
                      C:\posF92.tmp
                      C:\posFFA.tmp
                      C:\WINDOWS\system32\arehbjvw.ini
                      C:\WINDOWS\system32\csgfgqhf.ini
                      C:\WINDOWS\system32\rdxibvtp.ini
                      C:\WINDOWS\system32\soytoqwp.ini
                      C:\WINDOWS\system32\uaghpxpd.ini
                      C:\WINDOWS\system32\usghvkgb.ini
                      C:\WINDOWS\system32\vvuakgbr.ini
                      C:\WINDOWS\system32\wdwroiup.ini
                      C:\WINDOWS\system32\windows
                      C:\WINDOWS\system32\yamkqftt.dll

                      .
                      (((((((((((((((((((( Bestanden Gemaakt van 2007-11-25 to 2007-12-25 ))))))))))))))))))))))))))))))
                      .

                      2007-12-25 13:07 . 2007-12-25 13:07 <DIR> d-------- C:\Program Files\CopyPod
                      2007-12-25 10:19 . 2007-12-25 10:19 <DIR> d-------- C:\Program Files\Red Kawa
                      2007-12-25 10:19 . 2007-12-25 10:19 <DIR> d-------- C:\Program Files\AviSynth 2.5
                      2007-12-25 10:09 . 2007-12-25 10:11 <DIR> d-------- C:\WINDOWS\system32\URTTemp
                      2007-12-24 19:47 . 2007-12-24 19:50 <DIR> d-------- C:\Program Files\FTDv3.8
                      2007-12-20 21:53 . 2007-12-20 21:53 14,033 --a------ C:\pos1187.tmp
                      2007-12-20 21:52 . 2007-12-20 21:52 14,033 --a------ C:\posFEF.tmp
                      2007-12-20 21:24 . 2007-12-20 21:24 14,033 --a------ C:\posF7A.tmp
                      2007-12-20 21:23 . 2007-12-20 21:24 14,033 --a------ C:\posE04.tmp
                      2007-12-20 21:15 . 2007-12-20 21:15 14,033 --a------ C:\posDA2.tmp
                      2007-12-20 20:39 . 2007-12-20 20:40 14,033 --a------ C:\posBBA.tmp
                      2007-12-20 20:30 . 2007-12-20 20:30 14,033 --a------ C:\pos7B6.tmp
                      2007-12-19 21:48 . 2007-12-19 21:48 14,033 --a------ C:\pos3E1.tmp
                      2007-12-19 21:36 . 2007-12-19 21:36 14,033 --a------ C:\pos5DE.tmp
                      2007-12-19 21:35 . 2007-12-19 21:36 14,033 --a------ C:\pos441.tmp
                      2007-12-19 20:20 . 2007-12-19 20:20 14,033 --a------ C:\posFE.tmp
                      2007-12-17 20:32 . 2007-12-17 20:32 <DIR> d-------- C:\Program Files\Lavasoft
                      2007-12-17 20:32 . 2007-12-17 20:32 <DIR> d-------- C:\Documents and Settings\N\Application Data\Lavasoft
                      2007-12-17 20:26 . 2007-12-17 20:26 <DIR> d-------- C:\Downloads
                      2007-12-17 20:26 . 2007-12-17 20:27 <DIR> d-------- C:\Documents and Settings\N\Application Data\GetRightToGo
                      2007-12-13 10:39 . 2007-12-13 10:39 <DIR> d-------- C:\Documents and Settings\N\DoctorWeb
                      2007-11-28 22:30 . 2007-11-28 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CopyPod
                      2007-11-28 22:06 . 2007-12-25 11:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
                      2007-11-28 21:33 . 2007-11-28 21:37 <DIR> d-------- C:\Documents and Settings\N\Application Data\Dcads Advanced Toolbar
                      2007-11-25 18:04 . 2007-11-25 18:04 <DIR> d-------- C:\Program Files\iTunes
                      2007-11-25 18:02 . 2007-12-25 12:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
                      2007-11-25 18:02 . 2007-11-25 18:02 1,409 --a------ C:\WINDOWS\QTFont.for
                      2007-11-25 18:01 . 2007-11-25 18:01 <DIR> d-------- C:\Program Files\Common Files\Apple
                      2007-11-25 18:01 . 2007-11-25 18:01 <DIR> d-------- C:\Program Files\Apple Software Update
                      2007-11-25 18:01 . 2007-11-25 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
                      2007-11-25 18:01 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

                      .
                      ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      2007-12-25 13:42 --------- d-----w C:\Documents and Settings\N\Application Data\BitTorrent DNA
                      2007-12-21 19:50 --------- d-----w C:\Documents and Settings\N\Application Data\LimeWirePlus
                      2007-12-17 19:47 --------- d-----w C:\Program Files\AVPersonal
                      2007-12-11 19:39 --------- d-----w C:\Program Files\Common Files\InstallShield
                      2007-11-25 17:04 --------- d-----w C:\Program Files\iPod
                      2007-11-25 17:03 --------- d-----w C:\Program Files\QuickTime
                      2007-11-25 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
                      2007-11-02 21:51 --------- d-----w C:\Documents and Settings\N\Application Data\Skype
                      2007-10-28 13:55 --------- d-----w C:\Program Files\Teletekstbrowser
                      2007-10-25 19:15 --------- d-----w C:\Program Files\Google
                      2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
                      2006-11-07 18:52 17,920 ----a-w C:\Documents and Settings\N\Application Data\GDIPFONTCACHEV1.DAT
                      .

                      ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      REGEDIT4
                      *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
                      "BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-09-28 16:26]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "AVGCtrl"="C:\Program Files\AVPersonal\AVGNT.exe" [2005-07-29 09:19]
                      "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 18:05]
                      "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
                      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
                      "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe"
                      "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
                      "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]

                      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                      "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:03]

                      C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
                      Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
                      Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
                      TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2006-11-02 22:22:04]

                      R2 AVWUpSrv;AntiVir Update;"C:\Program Files\AVPersonal\AVWUPSRV.EXE" [2005-09-16 11:55]
                      R3 avgntdw;avgntdw;C:\Program Files\AVPersonal\AVGNTDW.SYS [2005-04-29 07:07]
                      R3 mgau;mgau;C:\WINDOWS\system32\DRIVERS\mgaum.sys [2001-09-06 19:59]
                      S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2007-10-31 14:09]
                      S3 USBVSP;USBVSP;C:\WINDOWS\system32\drivers\Usbvsp.sys

                      .
                      Inhoud van de 'Gedeelde Taken' map
                      "2007-11-25 17:02:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
                      - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
                      .
                      **************************************************************************

                      catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                      Rootkit scan 2007-12-25 14:51:45
                      Windows 5.1.2600 Service Pack 2 NTFS

                      scannen van verborgen processen ...

                      scannen van verborgen autostart items ...

                      scannen van verborgen bestanden ...

                      Scan succesvol afgerond
                      verborgen bestanden: 0

                      **************************************************************************
                      .
                      Voltooingstijd: 2007-12-25 14:52:29
                      C:\ComboFix2.txt ... 2007-12-20 23:41
                      C:\ComboFix3.txt ... 2007-12-20 22:16


                      • #12
                        Delete the following folder:
                        C:\Qoobox

                        Then empty your Recycle Bin.

                        Download ATF cleaner (mirror) (made by Atribune)

                        Important: Close all your browser windows (IE and/or Firefox and/or Opera) so that the tool can work properly.

                        Double-click ATF cleaner to start the program.
                        On the "Main" tab, tick Select All.
                        Click the Empty Selected button.

                        Do the following if you also use Firefox as a browser:
                        Click the "Firefox" tab and tick Select All.
                        If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
                        (this removes the tick again from "Firefox saved passwords")
                        Click the Empty Selected button.

                        Do the following if you also use Opera as a browser:
                        Click the "Opera" tab and tick Select All.
                        If you want to keep the passwords saved by Opera, click "No" in the window that appears.
                        Click the Empty Selected button.
                        Go to the "Main" tab and click the Exit button to close the program.

                        Go to Start - Run and enter the following:
                        Combofix /U
                        Then press OK.
                        Note: There must be a space between Combofix and /U.

                        This will uninstall Combofix.

                        Turn off System Restore. Restart the computer. Turn System Restore back on.
                        See here how to turn off your System Restore.
                        This removes any remnants of the infections from your System Restore.

                        Are you still experiencing any problems?


                        • #13
                          Everything is working properly again! Thanks..

                          Regards, Martijn


                          • #14
                            You're welcome
