Download: RVAXO.exe

• Sla het bestand op je bureaublad op, dubbelklik het en kies voor "Unzip" om het uit te pakken.
• Open nu de map RVAXO op je bureaublad en dubbeklik RVAXO.cmd
  Er zal een cmd-schermpje openen, daarin zullen snel enkele regels over niet gevonden bestanden voorbijkomen, dit is normaal.
• Mogelijk start er ook een uninstaller van een rogue scanner op, sluit deze niet af maar volg eventuele aanwijzingen en laat deze gewoon zijn werk doen.
  
• Daarna zal je PC herstarten, na de herstart opent het cmd-venster van RVAXO opnieuw.
  Laat deze lopen en wacht tot er een logfile opent: C:\RVAXO-results.log
• Herstart je computer niet vanzelf, of start de tool niet na de reboot, doe dit dan handmatig.
• Post de inhoud van de logfile in je volgende bericht.

Download Combofix naar je Bureaublad.
Dubbelklik op Combofix.exe
Kies voor "Continue" door 1 te typen gevolgd door ENTER.
Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.
Wanneer de fix voltooid is en na herstart, zal de log combofix.txt openen.
Plaats deze log in je volgende post.

Ik kon de logs hier niet neerzetten.. deze waren te groot. Dus even bijgevoegd in een bijlage (als het goed is gegaan)

Open de map RVAXO op je bureaublad en dubbelklik Uninstall.cmd

Download de bijlage: CFScript.txt

Sleep CFScript.txt in ComboFix.exe zoals getoond in onderstaand voorbeeld :



Dit zal ComboFix doen herstarten.
Start opnieuw op als daarom gevraagd wordt,
en post de inhoud van de Combofix.txt in je volgende antwoord.

Post ook een nieuw logje van Hijackthis en vertel ook of er nog problemen zijn.

Voor zover ik weet, verder geen problemen meer. Maar of xs4all dit ook vind, is nog niet zeker.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{923792ED-A957-4F84-8220-9C8BD97B243A}]
C:\WINDOWS\system32\vtsqq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:15]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04]
"Camfrog"="C:\Program Files\Camfrog\Camfrog Video Chat3.94\CamfrogNet.exe" [2003-09-29 07:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-06-16 03:33 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-07-10 19:33 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 13:08 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 14:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 14:14]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-25 11:01:21]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 UNPR;UNPR;C:\WINDOWS\system32\unpr.sys [2007-11-11 10:28]
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2006-03-30 19:18]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 04:38]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-08-11 03:38]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 12:11:01
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

C:\WINDOWS\system32\*kaïÐ:V€Ôkaï 40960 bytes executable

Scan succesvol afgerond
verborgen bestanden: 1

**************************************************************************
.
Voltooingstijd: 2007-12-23 12:12:33
C:\ComboFix2.txt ... 2007-12-22 23:51
C:\ComboFix3.txt ... 2007-10-27 10:14

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:48, on 23-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Camfrog\Camfrog Video Chat3.94\Camfrog Video Chat.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about: blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www.proxy.xs4all.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {923792ED-A957-4F84-8220-9C8BD97B243A} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Camfrog] "C:\Program Files\Camfrog\Camfrog Video Chat3.94\CamfrogNet.exe" 1 C:\Program Files\Camfrog\Camfrog Video Chat3.94\Camfrog Video Chat.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://crazyslut013.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {64E27CFB-8B69-4B83-80F0-36A81437D587} (CamfrogWEB Basic Control) - http://activex.camfrogweb.com/basic/cfweb_activex.camfrogweb.com-basic_instmodule.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://fotogoodies.foto.com/activex/SpeedUploader.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 7837 bytes

Probeer even een volledig logje van Combofix te posten, bij je laatste ontbreekt de bovenste helft

K vond em al zo kort.. Maar goed.. hier de volledige log

ComboFix 07-12-22.1 - Nienke013 2007-12-23 12:04:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.76 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Nienke013\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nienke013\Bureaublad\cfscript.txt
* Nieuw herstelpunt werd aangemaakt

FILE
C:\WINDOWS\system32\devozd.exe
C:\WINDOWS\system32\xaoathnr.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\devozd.exe
C:\WINDOWS\system32\xaoathnr.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-11-23 to 2007-12-23 ))))))))))))))))))))))))))))))
.

2007-12-21 23:16 . 2007-12-21 23:16 45 --a------ C:\WINDOWS\system32\delrvaxo.bat
2007-12-21 16:31 . 2007-12-21 16:31 92 --a------ C:\WINDOWS\wininit.ini
2007-12-21 15:06 . 2007-04-25 10:32 <DIR> d--h----- C:\Documents and Settings\Administrator.NIENKE\Sjablonen
2007-12-21 15:06 . 2007-04-25 12:26 <DIR> d--h----- C:\Documents and Settings\Administrator.NIENKE\Onlangs geopend
2007-12-21 15:06 . 2007-04-25 12:26 <DIR> d--h----- C:\Documents and Settings\Administrator.NIENKE\Netwerkprinteromgeving
2007-12-21 15:06 . 2007-04-25 12:26 <DIR> d-------- C:\Documents and Settings\Administrator.NIENKE\Mijn documenten
2007-12-21 15:06 . 2007-04-25 12:26 <DIR> dr------- C:\Documents and Settings\Administrator.NIENKE\Menu Start
2007-12-21 15:06 . 2007-12-21 15:28 <DIR> d-------- C:\Documents and Settings\Administrator.NIENKE\Favorieten
2007-12-21 15:06 . 2007-12-21 15:42 <DIR> d-------- C:\Documents and Settings\Administrator.NIENKE\Bureaublad
2007-12-19 20:10 . 2007-12-21 15:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-19 20:10 . 2007-12-19 20:10 <DIR> d-------- C:\Documents and Settings\Nienke013\Application Data\PC Tools
2007-12-19 20:10 . 2007-12-19 20:24 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-19 20:10 . 2007-12-19 20:24 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-19 20:10 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-19 20:10 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-19 20:09 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-19 00:20 . 2003-05-14 21:07 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2007-12-19 00:20 . 2007-12-19 00:20 13,824 --a------ C:\WINDOWS\system32\drivers\splitcam.sys
2007-12-13 16:26 . 2007-12-13 16:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 22:37 . 2007-12-12 22:40 <DIR> d-------- C:\Program Files\SurfAnonymous3
2007-12-12 22:30 . 2007-12-12 22:32 <DIR> d-------- C:\Program Files\SurfAnonymous2
2007-12-12 22:16 . 2007-12-12 22:17 <DIR> d-------- C:\Program Files\SurfAnonymous
2007-12-12 21:34 . 2007-12-12 21:53 <DIR> d-------- C:\Documents and Settings\Administrator\Sjablonen
2007-12-12 16:33 . 2007-12-21 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-12 15:14 . 2007-12-12 22:01 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-12-08 18:02 . 2007-12-08 18:02 <DIR> d-------- C:\Program Files\IceOp
2007-12-08 18:02 . 2007-12-08 18:02 1,538,741 --a------ C:\WINDOWS\IceOp Uninstaller.exe
2007-12-08 01:12 . 2007-12-08 01:12 <DIR> d-------- C:\Program Files\Bonjour
2007-11-30 21:50 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\Incomplete
2007-11-30 21:50 . 2007-11-30 21:50 <DIR> d-------- C:\Documents and Settings\Nienke013\Incomplete
2007-11-30 21:49 . 2007-11-30 22:14 <DIR> d-------- C:\Documents and Settings\Nienke013\Application Data\LimeWire
2007-11-30 21:48 . 2007-11-30 22:47 <DIR> d-------- C:\Program Files\LimeWire
2007-11-30 17:32 . 2007-12-11 22:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-30 17:32 . 2007-11-30 17:32 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-30 17:30 . 2007-11-30 17:31 <DIR> d-------- C:\Program Files\QuickTime
2007-11-30 17:30 . 2007-11-30 17:30 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-30 17:30 . 2007-11-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-30 17:30 . 2007-11-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-26 21:39 . 2007-11-26 21:39 <DIR> d-------- C:\Program Files\BitTorrent
2007-11-26 21:39 . 2007-11-26 21:47 <DIR> d-------- C:\Documents and Settings\Nienke013\Application Data\BitTorrent

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 10:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-20 07:38 --------- d-----w C:\Documents and Settings\Nienke013\Application Data\Camfrog
2007-12-18 23:20 --------- d-----w C:\Program Files\SplitCam
2007-12-12 21:08 --------- d-----w C:\Program Files\ICE
2007-12-10 15:09 --------- d-----w C:\Program Files\FlashFXP
2007-12-09 17:15 --------- d-----w C:\Program Files\Camfrog
2007-12-08 00:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-30 20:45 --------- d-----w C:\Program Files\Java
2007-11-21 18:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-17 19:41 --------- d-----w C:\Documents and Settings\Nienke013\Application Data\FlashFXP
2007-11-16 14:59 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-11-16 14:59 --------- d-----w C:\Documents and Settings\Nienke013\Application Data\teamspeak2
2007-11-14 21:03 --------- d-----w C:\Documents and Settings\Nienke013\Application Data\TextPad
2007-11-14 20:57 --------- d-----w C:\Program Files\TextPad 4
2007-11-14 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-14 15:46 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-11-09 12:35 42,092 ----a-w C:\Documents and Settings\Nienke013\Application Data\mdbu.bin
2007-11-07 13:10 --------- d-----w C:\Program Files\Foto's KimmY En Mij
2007-10-30 17:35 --------- d-----w C:\Program Files\aMSN
2007-10-29 18:27 --------- d-----w C:\Program Files\FTDv3.81
2007-10-25 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-25 12:50 --------- d-----w C:\Program Files\foto's
2007-10-24 15:51 --------- d-----w C:\Program Files\Tools
2007-09-28 20:16 76 ---ha-w C:\Program Files\Desktop.ini
2007-06-14 21:40 5,156,028 ----a-w C:\Program Files\camfrog.zip
2007-05-24 14:12 5,184,912 ----a-w C:\Program Files\camfrog.exe
2007-05-20 15:21 977,789 ----a-w C:\Program Files\mo_fredo.zip
2007-05-20 15:21 419,436 ----a-w C:\Program Files\mo_suz.zip
2007-05-20 15:21 404,287 ----a-w C:\Program Files\mo_olivier.zip
2007-05-20 15:20 507,032 ----a-w C:\Program Files\pm_serie2.zip
2007-05-20 15:20 325,043 ----a-w C:\Program Files\pm_cath.zip
2007-05-20 15:20 306,539 ----a-w C:\Program Files\pm_arbres.zip
2007-05-20 15:20 262,916 ----a-w C:\Program Files\pm_dany.zip
2007-05-20 15:20 2,673,806 ----a-w C:\Program Files\pm_mifo.zip
2007-05-20 15:20 193,415 ----a-w C:\Program Files\mo_steph.zip
2007-05-20 15:20 101,561 ----a-w C:\Program Files\pm_jb.zip
2007-05-02 19:50 2,876,616 ----a-w C:\Program Files\pfs-setup-en.exe
2007-04-26 20:26 3,981,497 ----a-w C:\Program Files\aMSN-0.96-3-windows-installer.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-22_23.49.48.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-22 22:46:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-23 10:56:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-22 22:46:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2007-12-23 10:56:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
- 2007-12-22 22:46:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-23 10:56:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{923792ED-A957-4F84-8220-9C8BD97B243A}]
C:\WINDOWS\system32\vtsqq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:15]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04]
"Camfrog"="C:\Program Files\Camfrog\Camfrog Video Chat3.94\CamfrogNet.exe" [2003-09-29 07:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-06-16 03:33 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-07-10 19:33 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 13:08 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 14:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 14:14]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-25 11:01:21]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 UNPR;UNPR;C:\WINDOWS\system32\unpr.sys [2007-11-11 10:28]
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2006-03-30 19:18]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 04:38]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-08-11 03:38]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 12:11:01
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

C:\WINDOWS\system32\*kaïÐ:V€Ôkaï 40960 bytes executable

Scan succesvol afgerond
verborgen bestanden: 1

**************************************************************************
.
Voltooingstijd: 2007-12-23 12:12:33
C:\ComboFix2.txt ... 2007-12-22 23:51
C:\ComboFix3.txt ... 2007-10-27 10:14

Start HijackThis nog een keer, kies voor "Do a system scan only" en plaats alleen een vinkje voor de volgende regel:
O2 - BHO: (no name) - {923792ED-A957-4F84-8220-9C8BD97B243A} - C:\WINDOWS\system32\vtsqq.dll (file missing)
Sluit alle open vensters(behalve HijackThis), klik daarna op "Fix checked" en sluit HijackThis af.

Verwijder de volgende map:
C:\Qoobox

Maak dan je prullenbak leeg.

Download ATF cleaner (mirror)(gemaakt door Atribune)

Belangrijk: Sluit al je browservensters(IE en/of Firefox en/of Opera) om de tool goed te kunnen laten werken.

Dubbelklik op ATF cleaner om het programma te starten.
Op het tabblad "Main", plaats je een vinkje bij Select All.
Klik op de knop Empty Selected.

Het volgende doen als je ook FireFox als browser hebt:
Klik op tabblad "Firefox", plaats een vinkje bij Select All.
Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
(dit haalt het vinkje weer weg bij "Firefox saved passwords")
Klik op de knop Empty Selected.

Het volgende doen als je ook Opera als browser hebt:
Klik op tabblad "Opera", plaats een vinkje bij Select All.
Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
Klik op de knop Empty Selected.
Ga naar het tabblad "Main" en klik op de knop Exit om het programma af te sluiten.

Ga naar Start - Uitvoeren en geef hier het volgende in:
Combofix /U
Druk daarna op OK.
Let op: Er moet een spatie tussen Combofix en /U zitten.

Dit zal Combofix deïnstalleren.

Schakel Systeemherstel uit. Herstart de computer. Schakel Systeemherstel weer in.
Kijk hier hoe je je systeemherstel moet uitschakelen.
Hiermee verwijder je eventuele restanten van de infecties uit je systeemherstel.

Post als laatste nog een nieuw logje van Hijackthis ter controle

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:35:06, on 23-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Camfrog\Camfrog Video Chat3.94\Camfrog Video Chat.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about: blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www.proxy.xs4all.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Camfrog] "C:\Program Files\Camfrog\Camfrog Video Chat3.94\CamfrogNet.exe" 1 C:\Program Files\Camfrog\Camfrog Video Chat3.94\Camfrog Video Chat.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://crazyslut013.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {64E27CFB-8B69-4B83-80F0-36A81437D587} (CamfrogWEB Basic Control) - http://activex.camfrogweb.com/basic/cfweb_activex.camfrogweb.com-basic_instmodule.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://fotogoodies.foto.com/activex/SpeedUploader.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 7728 bytes

Zou je het volgende bestand nog even willen scannen met VirusTotal?: http://www.virustotal.com/
C:\WINDOWS\system32\unpr.sys

Upload het bestand en wacht geduldig op het scanresultaat.
Kopieer het scanresultaat en post dat in je volgende bericht

Dit bestand is reeds gescanned:
MD5: 4bc149d90bb94a2ee09ae6d5153932ad
Datum: 2007.12.01 01:26:38 (CET) [>21D]
Resultaat: 18/32
Permalink: resultado.html?8a9179fa81447d1389681b2f5de7e491

K heb die Permalink aangeklikt, daar kwam dit te staan:

Antivirus Versie Laatst geüpdatet Resultaat
AhnLab-V3 - - -
AntiVir - - TR/Killav.CN.3
Authentium - - -
Avast - - -
AVG - - Generic9.UIO
BitDefender - - Trojan.Rootkit.Virtob.A
CAT-QuickHeal - - Trojan.KillAV.cn
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - Trojan.KillAV.cn
FileAdvisor - - -
Fortinet - - W32/KillAV.CN!tr
F-Prot - - -
F-Secure - - Trojan.Win32.KillAV.cn
Ikarus - - Trojan.Win32.KillAV.CN
Kaspersky - - Trojan.Win32.KillAV.cn
McAfee - - -
Microsoft - - Trojan:Win32/Killav.KB
NOD32v2 - - Win32/KillAV.NBU
Norman - - W32/Killav.ADY
Panda - - -
Prevx1 - - Rootkit.Rustock.gen
Rising - - -
Sophos - - Troj/KillAV-EC
Sunbelt - - Trojan.Rootkit.Virtob.A
Symantec - - -
TheHacker - - Trojan/KillAV.cn
VBA32 - - Trojan.Win32.KillAV.cn
VirusBuster - - -
Webwasher-Gateway - - Trojan.Killav.CN.3
Extra informatie
MD5: 4bc149d90bb94a2ee09ae6d5153932ad

Geen idee of dat er bij moest, maar voor de zekerheid maar wel gedaan

Die moet er ook nog uit.

Download Combofix opnieuw naar je Bureaublad.

Download de bijlage: CFScript.txt

Sleep CFScript.txt in ComboFix.exe zoals getoond in onderstaand voorbeeld :



Dit zal ComboFix doen herstarten.
Start opnieuw op als daarom gevraagd wordt,
en post de inhoud van de Combofix.txt in je volgende antwoord.

ComboFix 07-12-23.1 - Nienke013 2007-12-23 10:56:21.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.137 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Nienke013\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nienke013\Bureaublad\cfscript.txt
* Nieuw herstelpunt werd aangemaakt

FILE
C:\WINDOWS\system32\unpr.sys
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\unpr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SETUPNTGLM7X
-------\LEGACY_UNPR
-------\SetupNTGLM7X
-------\UNPR


(((((((((((((((((((( Bestanden Gemaakt van 2007-11-23 to 2007-12-23 ))))))))))))))))))))))))))))))
.

2007-12-21 23:16 . 2007-12-21 23:16 45 --a------ C:\WINDOWS\system32\delrvaxo.bat
2007-12-21 16:31 . 2007-12-21 16:31 92 --a------ C:\WINDOWS\wininit.ini
2007-12-21 15:06 . 2007-04-25 10:32 <DIR> d--h----- C:\Documents and Settings\Administrator.NIENKE\Sjablonen
2007-12-21 15:06 . 2007-04-25 12:26 <DIR> d--h----- C:\Documents and Settings\Administrator.NIENKE\Onlangs geopend
2007-12-21 15:06 . 2007-04-25 12:26 <DIR> d--h----- C:\Documents and Settings\Administrator.NIENKE\Netwerkprinteromgeving
2007-12-21 15:06 . 2007-04-25 12:26 <DIR> d-------- C:\Documents and Settings\Administrator.NIENKE\Mijn documenten
2007-12-21 15:06 . 2007-04-25 12:26 <DIR> dr------- C:\Documents and Settings\Administrator.NIENKE\Menu Start
2007-12-21 15:06 . 2007-12-21 15:28 <DIR> d-------- C:\Documents and Settings\Administrator.NIENKE\Favorieten
2007-12-21 15:06 . 2007-12-21 15:42 <DIR> d-------- C:\Documents and Settings\Administrator.NIENKE\Bureaublad
2007-12-19 20:10 . 2007-12-21 15:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-19 20:10 . 2007-12-19 20:10 <DIR> d-------- C:\Documents and Settings\Nienke013\Application Data\PC Tools
2007-12-19 20:10 . 2007-12-19 20:24 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-19 20:10 . 2007-12-19 20:24 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-19 20:10 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-19 20:10 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-19 20:09 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-19 00:20 . 2003-05-14 21:07 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2007-12-19 00:20 . 2007-12-19 00:20 13,824 --a------ C:\WINDOWS\system32\drivers\splitcam.sys
2007-12-13 16:26 . 2007-12-13 16:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 22:37 . 2007-12-12 22:40 <DIR> d-------- C:\Program Files\SurfAnonymous3
2007-12-12 22:30 . 2007-12-12 22:32 <DIR> d-------- C:\Program Files\SurfAnonymous2
2007-12-12 22:16 . 2007-12-12 22:17 <DIR> d-------- C:\Program Files\SurfAnonymous
2007-12-12 21:34 . 2007-12-12 21:53 <DIR> d-------- C:\Documents and Settings\Administrator\Sjablonen
2007-12-12 16:33 . 2007-12-21 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-12 15:14 . 2007-12-12 22:01 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-12-08 18:02 . 2007-12-08 18:02 <DIR> d-------- C:\Program Files\IceOp
2007-12-08 18:02 . 2007-12-08 18:02 1,538,741 --a------ C:\WINDOWS\IceOp Uninstaller.exe
2007-12-08 01:12 . 2007-12-08 01:12 <DIR> d-------- C:\Program Files\Bonjour
2007-11-30 21:50 . 2007-11-30 22:14 <DIR> d-------- C:\Program Files\Incomplete
2007-11-30 21:50 . 2007-11-30 21:50 <DIR> d-------- C:\Documents and Settings\Nienke013\Incomplete
2007-11-30 21:49 . 2007-11-30 22:14 <DIR> d-------- C:\Documents and Settings\Nienke013\Application Data\LimeWire
2007-11-30 21:48 . 2007-11-30 22:47 <DIR> d-------- C:\Program Files\LimeWire
2007-11-30 17:32 . 2007-12-11 22:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-30 17:32 . 2007-11-30 17:32 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-30 17:30 . 2007-11-30 17:31 <DIR> d-------- C:\Program Files\QuickTime
2007-11-30 17:30 . 2007-11-30 17:30 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-30 17:30 . 2007-11-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-30 17:30 . 2007-11-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-26 21:39 . 2007-11-26 21:39 <DIR> d-------- C:\Program Files\BitTorrent
2007-11-26 21:39 . 2007-11-26 21:47 <DIR> d-------- C:\Documents and Settings\Nienke013\Application Data\BitTorrent

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 10:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-20 07:38 --------- d-----w C:\Documents and Settings\Nienke013\Application Data\Camfrog
2007-12-18 23:20 --------- d-----w C:\Program Files\SplitCam
2007-12-12 21:08 --------- d-----w C:\Program Files\ICE
2007-12-10 15:09 --------- d-----w C:\Program Files\FlashFXP
2007-12-09 17:15 --------- d-----w C:\Program Files\Camfrog
2007-12-08 00:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-30 20:45 --------- d-----w C:\Program Files\Java
2007-11-21 18:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-17 19:41 --------- d-----w C:\Documents and Settings\Nienke013\Application Data\FlashFXP
2007-11-16 14:59 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-11-16 14:59 --------- d-----w C:\Documents and Settings\Nienke013\Application Data\teamspeak2
2007-11-14 21:03 --------- d-----w C:\Documents and Settings\Nienke013\Application Data\TextPad
2007-11-14 20:57 --------- d-----w C:\Program Files\TextPad 4
2007-11-14 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-14 15:46 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-11-09 12:35 42,092 ----a-w C:\Documents and Settings\Nienke013\Application Data\mdbu.bin
2007-11-07 13:10 --------- d-----w C:\Program Files\Foto's KimmY En Mij
2007-10-30 17:35 --------- d-----w C:\Program Files\aMSN
2007-10-29 18:27 --------- d-----w C:\Program Files\FTDv3.81
2007-10-25 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-25 12:50 --------- d-----w C:\Program Files\foto's
2007-10-24 15:51 --------- d-----w C:\Program Files\Tools
2007-09-28 20:16 76 ---ha-w C:\Program Files\Desktop.ini
2007-06-14 21:40 5,156,028 ----a-w C:\Program Files\camfrog.zip
2007-05-24 14:12 5,184,912 ----a-w C:\Program Files\camfrog.exe
2007-05-20 15:21 977,789 ----a-w C:\Program Files\mo_fredo.zip
2007-05-20 15:21 419,436 ----a-w C:\Program Files\mo_suz.zip
2007-05-20 15:21 404,287 ----a-w C:\Program Files\mo_olivier.zip
2007-05-20 15:20 507,032 ----a-w C:\Program Files\pm_serie2.zip
2007-05-20 15:20 325,043 ----a-w C:\Program Files\pm_cath.zip
2007-05-20 15:20 306,539 ----a-w C:\Program Files\pm_arbres.zip
2007-05-20 15:20 262,916 ----a-w C:\Program Files\pm_dany.zip
2007-05-20 15:20 2,673,806 ----a-w C:\Program Files\pm_mifo.zip
2007-05-20 15:20 193,415 ----a-w C:\Program Files\mo_steph.zip
2007-05-20 15:20 101,561 ----a-w C:\Program Files\pm_jb.zip
2007-05-02 19:50 2,876,616 ----a-w C:\Program Files\pfs-setup-en.exe
2007-04-26 20:26 3,981,497 ----a-w C:\Program Files\aMSN-0.96-3-windows-installer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:15]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04]
"Camfrog"="C:\Program Files\Camfrog\Camfrog Video Chat3.94\CamfrogNet.exe" [2003-09-29 07:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-06-16 03:33 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-07-10 19:33 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-23 13:08 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 14:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 14:14]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-25 11:01:21]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2006-03-30 19:18]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 04:38]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-08-11 03:38]

.

Ziet er goed uit

Ga naar Start - Uitvoeren en geef het volgende in:
Combofix /u
Druk op OK.

Dit zal Combofix opnieuw doen verwijderen.

Zou je het volgende ook nog even willen doen?

Start - Uitvoeren en hier de volgende regel ingeven:
start notepad.exe C:\WINDOWS\system32\delrvaxo.bat
Druk op OK.

Er opent een kladblokbestand, post de inhoud

Hmm.. dat laatste heb ik geprobeerd, ik krijg de volgende melding:

" Windows kan het bestand start niet vinden. Controleer of u de naam juist hebt ingevoerd en probeer het daarna opnieuw. Klik als u naar een bestand wilt zoeken op de knop Start en daarna op Zoeken. "

start notepad.exe C:\windows\system32\delrvaxo.bat

Zo heb ik het ingevoerd..