PC back in the Stone Age

  • PC back in the Stone Age

    The PC has become extremely slow since installing Windows updates.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:53:42, on 22-12-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\twain.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
    C:\Documents and Settings\Bert\Mijn documenten\Bert\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://breedband.telenet.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telenet Internet
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [Google] C:\WINDOWS\twain.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189951020038
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: FFI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exm.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 7491 bytes
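The two entries in this log that the rest of the thread turns out to hinge on are easy to overlook by eye: the Run value `[Google] C:\WINDOWS\twain.exe` (an executable launched from the Windows root directory, where vendors do not normally install anything) and the service `FFI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exm.exe`, whose image path is an NTFS alternate data stream attached to svchost.exe. The following Python script is an added example, not from this thread or from HijackThis, that picks both patterns out of O4 and O23 lines; the sample lines are copied from the log above, and the names `triage`, `split_image`, `in_windows_root` and `Finding` are my own.

```python
"""Triage helper for HijackThis 2.0.x logs (added example, not part of the thread).

Flags two patterns that a quick read of a long log easily misses:
  * an image path that names an NTFS alternate data stream (file.exe:stream),
    which is how the 'FFI' service in this thread carried its payload, and
  * a Run entry that launches an executable sitting directly in the Windows
    root directory, where vendors normally never install (twain.exe here).
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Google] C:\WINDOWS\twain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: FFI - Unknown owner - C:\WINDOWS\system32\svchost.exe:exm.exe
""".strip()

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O23_PREFIX = 'O23 - Service: '
# First executable-looking path in a command line, with an optional ":stream" suffix.
IMAGE_RE = re.compile(r'^"?(?P<file>[^"]+?\.(?:exe|dll|sys|com|scr|cpl))(?P<ads>:[^"\s]+)?', re.I)
WINDOWS_ROOTS = {'c:\\windows', 'c:\\winnt', '%systemroot%', '%windir%'}
ROOT_ALLOWLIST = {'explorer.exe'}   # the one binary that legitimately lives in the root


@dataclass
class Finding:
    line: int
    section: str   # 'O4' or 'O23'
    kind: str      # 'ads', 'windir-root' or 'unknown-owner'
    detail: str


def split_image(cmd):
    """Return (image_path, ads_suffix_or_None) for a Run/service command line."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return cmd.strip().strip('"'), None
    return m.group('file'), m.group('ads')


def in_windows_root(image):
    """True when the file sits directly in the Windows directory (not a subfolder)."""
    head, _, tail = image.replace('/', '\\').lower().rpartition('\\')
    return head in WINDOWS_ROOTS and tail not in ROOT_ALLOWLIST


def triage(log_text):
    """Walk the log and collect review prompts for O4 and O23 lines."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            image, ads = split_image(m.group('cmd'))
            if ads:
                findings.append(Finding(lineno, 'O4', 'ads', image + ads))
            if in_windows_root(image):
                findings.append(Finding(lineno, 'O4', 'windir-root', f"[{m.group('name')}] {image}"))
            continue
        if line.startswith(O23_PREFIX):
            # HijackThis 2.0 layout: "<description> - <owner> - <image path>"
            parts = line[len(O23_PREFIX):].split(' - ', 2)
            if len(parts) != 3:
                continue
            desc, owner, path = parts
            image, ads = split_image(path)
            if ads:
                findings.append(Finding(lineno, 'O23', 'ads', image + ads))
            if owner.lower() == 'unknown owner':
                findings.append(Finding(lineno, 'O23', 'unknown-owner', desc))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>3} {f.section:<4} {f.kind:<14} {f.detail}")
```

Both rules are review prompts, not verdicts: the script only says where to look, and the O23 parsing assumes the "description - owner - path" layout of a HijackThis 2.0 log.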

  • #2
    Can anyone help me?



    • #3
      Hello,
      It is mainly booting that takes extremely long. I can't do anything with the PC for the first 20 minutes.

      greets



      • #4
        Your log looks clean to me; it doesn't look like a malware problem.

        You could try this:
        Download Dial-a-fix-2006 and extract both files into their own folder on your Desktop.
        • In the folder Dial-a-fix-v0.60.0.24, double-click Dial-a-fix.exe
          In the window that opens, click the icon with the double green check mark (check all) at the bottom.
          Then click "GO" and let the tool reset all settings.
          Afterwards, close this window by clicking "Exit" at the bottom.
        Report whether that brings any improvement.



        • #5
          Didn't help at all. When I open Task Manager it takes a long time, and it is mainly due to twain.exe. 96%



          • #6
            Scan C:\WINDOWS\twain.exe with VirusTotal: http://www.virustotal.com/

            Copy the scan results and post them in your next message.



            • #7
              MD5: c870a63a7020cef8130e0a1a5e75800c
              Datum: 2007.12.27 11:23:49 (CET) [>2D]
              Resultaat: 14/32
              Permalink: resultado.html?b0f0405c7371b7a5e19591a9abeafc82

              Bestand twain.exe ontvangen op 2007.12.27 11:23:49 (CET)


              Resultaat: 14/32 (43.75%)


              Antivirus Versie Laatst geüpdatet Resultaat
              AhnLab-V3 - - -
              AntiVir - - TR/Agent.dlh
              Authentium - - -
              Avast - - -
              AVG - - Agent.MBT
              BitDefender - - -
              CAT-QuickHeal - - Trojan.Agent.dlh
              ClamAV - - -
              DrWeb - - -
              eSafe - - suspicious Trojan/Worm
              eTrust-Vet - - -
              Ewido - - -
              FileAdvisor - - -
              Fortinet - - -
              F-Prot - - -
              F-Secure - - Trojan.Win32.Agent.dlh
              Ikarus - - Trojan.Win32.Agent.dlh
              Kaspersky - - Trojan.Win32.Agent.dlh
              McAfee - - -
              Microsoft - - -
              NOD32v2 - - -
              Norman - - -
              Panda - - Suspicious file
              Prevx1 - - Malware.Sys.Covert
              Rising - - -
              Sophos - - Mal/Heuri-D
              Sunbelt - - Trojan.Win32.Agent.dl
              Symantec - - -
              TheHacker - - Trojan/Agent.dlh
              VBA32 - - Trojan.Win32.Agent.dlh
              VirusBuster - - -
              Webwasher-Gateway - - Trojan.Agent.dlh
              Extra informatie
              MD5: c870a63a7020cef8130e0a1a5e75800c
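As an added example (my code, not VirusTotal's or the thread's), the engine table above can be reduced to the two facts a reader actually needs: how many engines flagged the file, and which family name most of them agree on once vendor-specific prefixes such as `Trojan.Win32.`, `TR/` and `Trojan/` are stripped. The 32 rows are copied from the post; `summarize` and `family_token` are my own names, and the set of "generic" tokens is my assumption.

```python
"""Summarise a pasted VirusTotal engine table (added example, not from the thread).

Counts how many engines flagged the file and normalises vendor-specific
detection names to a common family token so the consensus is visible at a glance.
"""
import re
from collections import Counter

# Constructed sample: the 32 engine rows as pasted in this thread (vendor, version, updated, result).
VT_ROWS = """\
AhnLab-V3 - - -
AntiVir - - TR/Agent.dlh
Authentium - - -
Avast - - -
AVG - - Agent.MBT
BitDefender - - -
CAT-QuickHeal - - Trojan.Agent.dlh
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - Trojan.Win32.Agent.dlh
Ikarus - - Trojan.Win32.Agent.dlh
Kaspersky - - Trojan.Win32.Agent.dlh
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Malware.Sys.Covert
Rising - - -
Sophos - - Mal/Heuri-D
Sunbelt - - Trojan.Win32.Agent.dl
Symantec - - -
TheHacker - - Trojan/Agent.dlh
VBA32 - - Trojan.Win32.Agent.dlh
VirusBuster - - -
Webwasher-Gateway - - Trojan.Agent.dlh
"""

ROW_RE = re.compile(r'^(?P<vendor>\S+) (?P<version>\S+) (?P<updated>\S+) (?P<result>.+)$')
# Tokens that name a threat class rather than a family; dropped before comparing names (assumed list).
GENERIC = {'trojan', 'tr', 'win32', 'w32', 'mal', 'malware', 'suspicious', 'file',
           'worm', 'sys', 'generic', 'heur'}


def family_token(name):
    """'Trojan.Win32.Agent.dlh', 'TR/Agent.dlh' and 'Trojan/Agent.dlh' all become 'agent.dlh'."""
    parts = [p for p in re.split(r'[./\\\-\s]+', name.lower()) if p and p not in GENERIC]
    return '.'.join(parts) or None   # None = purely heuristic verdict, no family named


def summarize(table_text):
    """Return engine count, detection count, family votes and heuristic-only engines."""
    engines = detected = 0
    families = Counter()
    heuristic = []
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        engines += 1
        result = m.group('result').strip()
        if result == '-':          # a bare dash in the result column means "clean"
            continue
        detected += 1
        fam = family_token(result)
        if fam is None:
            heuristic.append(m.group('vendor'))
        else:
            families[fam] += 1
    return {'detected': detected, 'engines': engines,
            'families': families, 'heuristic_only': heuristic}


if __name__ == '__main__':
    s = summarize(VT_ROWS)
    print(f"{s['detected']}/{s['engines']} engines flagged the file")
    for fam, votes in s['families'].most_common():
        print(f"  {votes:>2}  {fam}")
    print("heuristic only:", ', '.join(s['heuristic_only']))
```

Eight of the fourteen hits collapse to the same family once the prefixes are removed, which is the kind of agreement that makes a verdict solid; the two heuristic-only engines add to the count but not to the consensus.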



              • #8
                Malware after all.
                Try this:

                Open HijackThis, click 'Config' (bottom right).
                Choose the 'Misc Tools' tab at the top.
                Choose 'Delete a file on reboot'.
                In the field, copy and paste the following line:

                C:\WINDOWS\twain.exe

                Click Open.
                HijackThis will tell you that this file will be deleted on the next reboot and ask whether you want to reboot now.
                Click Yes/OK.

                Your PC will now reboot.

                Download ComboFix to your Desktop.
                Double-click ComboFix.exe.
                Choose "Continue" by typing 1 followed by ENTER.
                While the fix is running, do NOT click in the window, as this will make your PC hang.
                When the fix has completed and after the restart, the log combofix.txt will open.
                Post this log in your next reply.

                NOTE: If your virus scanner reacts with a warning about a script being executed, you may ignore it.



                • #9
                  ComboFix 07-12-30.1 - Bert 2007-12-30 16:17:10.8 - NTFSx86
                  Gestart vanuit: C:\Documents and Settings\Bert\Bureaublad\ComboFix.exe
                  * Nieuw herstelpunt werd aangemaakt
                  .
                  ADS - svchost.exe: deleted 51712 bytes in 1 streams.

                  (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  C:\WINDOWS\nwan.dat

                  .
                  ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

                  .
                  -------\LEGACY_MICROSOFT_INET_SERVICE
                  -------\Microsoft Inet Service
                  -------\NdisWon


                  (((((((((((((((((((( Bestanden Gemaakt van 2007-11-28 to 2007-12-30 ))))))))))))))))))))))))))))))
                  .

                  2007-12-29 19:16 . 2007-12-30 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
                  2007-12-24 11:14 . 2007-12-29 19:18 <DIR> dr-h----- C:\Documents and Settings\Bert\Onlangs geopend
                  2007-12-22 11:18 . 2007-12-22 11:18 <DIR> d-------- C:\WINDOWS\system32\nl-nl
                  2007-12-22 11:04 . 2007-12-22 11:04 <DIR> d-------- C:\Program Files\MSXML 4.0
                  2007-12-22 10:40 . 2006-08-21 10:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
                  2007-12-22 10:40 . 2006-08-21 10:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
                  2007-12-22 10:40 . 2006-08-21 13:28 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
                  2007-12-22 10:10 . 2007-07-09 14:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
                  2007-12-17 20:40 . 2007-12-17 20:40 <DIR> d-------- C:\WINDOWS\Downloaded Installations
                  2007-12-17 20:33 . 2007-12-17 20:33 <DIR> d-------- C:\Program Files\CCleaner
                  2007-12-17 19:20 . 2007-12-17 19:27 <DIR> d-------- C:\WINDOWS\system32\NtmsData
                  2007-12-05 19:36 . 2007-12-22 11:13 <DIR> d--h----- C:\WINDOWS\$hf_mig$
                  2007-12-02 21:01 . 2007-12-02 21:01 <DIR> d-------- C:\Documents and Settings\Bert\DoctorWeb
                  2007-11-23 17:27 . 2007-03-08 16:39 579,072 --a------ C:\WINDOWS\system32\dllcache\user32.dll
                  2007-11-22 08:11 . 2007-11-22 08:11 244 --ah----- C:\sqmnoopt01.sqm
                  2007-11-22 08:11 . 2007-11-22 08:11 232 --ah----- C:\sqmdata01.sqm
                  2007-11-05 09:05 . 2007-11-05 09:05 244 --ah----- C:\sqmnoopt00.sqm
                  2007-11-05 09:05 . 2007-11-05 09:05 232 --ah----- C:\sqmdata00.sqm

                  .
                  ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2007-12-30 08:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
                  2007-12-24 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
                  2007-12-22 07:09 --------- d-----w C:\Documents and Settings\Bert\Application Data\GrabIt
                  2007-12-04 20:50 --------- d-----w C:\Program Files\Norton AntiVirus
                  2007-11-26 18:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
                  2007-11-26 18:25 --------- d-----w C:\Documents and Settings\Bert\Application Data\LimeWirePlus
                  2007-11-13 17:47 --------- d-----w C:\Program Files\Java
                  2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
                  2007-10-29 07:05 20,328 ----a-w C:\Documents and Settings\Bert\Application Data\GDIPFONTCACHEV1.DAT
                  .

                  ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  REGEDIT4
                  *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-29 08:24]
                  "Tpwrtray"="TPWRTRAY.EXE" [2002-04-30 13:12 C:\WINDOWS\system32\TPWRTRAY.EXE]
                  "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 13:40]
                  "TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-05-03 11:03]
                  "TFNF5"="TFNF5.exe" [2001-09-04 09:29 C:\WINDOWS\system32\TFNF5.exe]
                  "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 16:32]
                  "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
                  "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 22:48]
                  "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-07 22:05]
                  "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
                  "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u"
                  "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 18:51]
                  "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-15 19:33]
                  "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24]
                  "Google"="C:\WINDOWS\twain.exe"

                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03]

                  R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 18:53]
                  R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-09-26 19:34]
                  R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys [2002-01-29 14:27]
                  S2 FFI;FFI;C:\WINDOWS\system32\svchost.exe:exm.exe
                  S3 PCX500;Cisco Wireless LAN Adapters-stuurprogramma;C:\WINDOWS\system32\DRIVERS\pcx500.sys [2004-08-04 06:06]

                  .
                  Inhoud van de 'Gedeelde Taken' map
                  "2007-12-21 19:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Bert.job"
                  - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
                  .
                  **************************************************************************

                  catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2007-12-30 16:24:57
                  Windows 5.1.2600 Service Pack 2 NTFS

                  scannen van verborgen processen ...

                  scannen van verborgen autostart items ...

                  scannen van verborgen bestanden ...

                  Scan succesvol afgerond
                  verborgen bestanden: 0

                  **************************************************************************

                  [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI]
                  "ImagePath"="C:\WINDOWS\system32\svchost.exe:exm.exe"
                  .
                  Voltooingstijd: 2007-12-30 16:39:24 - machine was rebooted
                  C:\qoobox\ComboFix-quarantined-files.txt 2007-12-30 15:39:07



                  • #10
                    Download the attachment: CFScript.txt

                    Drag CFScript.txt onto ComboFix.exe as shown in the example below:



                    This will make ComboFix restart.
                    Reboot if prompted to,
                    and post the contents of ComboFix.txt in your next reply.
                    Also post a new HijackThis log and tell us whether you are still experiencing problems.



                    • #11
                      ComboFix 07-12-30.1 - Bert 2007-12-31 14:04:44.9 - NTFSx86
                      Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.51 [GMT 1:00]
                      Gestart vanuit: C:\Documents and Settings\Bert\Bureaublad\ComboFix.exe
                      Command switches used :: C:\Documents and Settings\Bert\Bureaublad\cfscript.txt
                      * Nieuw herstelpunt werd aangemaakt

                      FILE
                      C:\WINDOWS\system32\svchost.exe:exm.exe
                      .

                      (((((((((((((((((((( Bestanden Gemaakt van 2007-11-28 to 2007-12-31 ))))))))))))))))))))))))))))))
                      .

                      2007-12-29 19:16 . 2007-12-30 15:01 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
                      2007-12-24 11:14 . 2007-12-31 14:01 <DIR> dr-h----- C:\Documents and Settings\Bert\Onlangs geopend
                      2007-12-22 11:18 . 2007-12-22 11:18 <DIR> d-------- C:\WINDOWS\system32\nl-nl
                      2007-12-22 11:04 . 2007-12-22 11:04 <DIR> d-------- C:\Program Files\MSXML 4.0
                      2007-12-22 10:40 . 2006-08-21 10:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
                      2007-12-22 10:40 . 2006-08-21 10:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
                      2007-12-22 10:40 . 2006-08-21 13:28 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
                      2007-12-22 10:10 . 2007-07-09 14:11 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
                      2007-12-17 20:40 . 2007-12-17 20:40 <DIR> d-------- C:\WINDOWS\Downloaded Installations
                      2007-12-17 20:33 . 2007-12-17 20:33 <DIR> d-------- C:\Program Files\CCleaner
                      2007-12-17 19:20 . 2007-12-17 19:27 <DIR> d-------- C:\WINDOWS\system32\NtmsData
                      2007-12-05 19:36 . 2007-12-22 11:13 <DIR> d--h----- C:\WINDOWS\$hf_mig$
                      2007-12-02 21:01 . 2007-12-02 21:01 <DIR> d-------- C:\Documents and Settings\Bert\DoctorWeb
                      2007-11-23 17:27 . 2007-03-08 16:39 579,072 --a------ C:\WINDOWS\system32\dllcache\user32.dll
                      2007-11-22 08:11 . 2007-11-22 08:11 244 --ah----- C:\sqmnoopt01.sqm
                      2007-11-22 08:11 . 2007-11-22 08:11 232 --ah----- C:\sqmdata01.sqm
                      2007-11-05 09:05 . 2007-11-05 09:05 244 --ah----- C:\sqmnoopt00.sqm
                      2007-11-05 09:05 . 2007-11-05 09:05 232 --ah----- C:\sqmdata00.sqm

                      .
                      ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      2007-12-30 08:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
                      2007-12-24 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
                      2007-12-22 07:09 --------- d-----w C:\Documents and Settings\Bert\Application Data\GrabIt
                      2007-12-04 20:50 --------- d-----w C:\Program Files\Norton AntiVirus
                      2007-11-26 18:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
                      2007-11-26 18:25 --------- d-----w C:\Documents and Settings\Bert\Application Data\LimeWirePlus
                      2007-11-13 17:47 --------- d-----w C:\Program Files\Java
                      2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
                      2007-10-29 07:05 20,328 ----a-w C:\Documents and Settings\Bert\Application Data\GDIPFONTCACHEV1.DAT
                      .

                      ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      REGEDIT4
                      *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-29 08:24]
                      "Tpwrtray"="TPWRTRAY.EXE" [2002-04-30 13:12 C:\WINDOWS\system32\TPWRTRAY.EXE]
                      "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 13:40]
                      "TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-05-03 11:03]
                      "TFNF5"="TFNF5.exe" [2001-09-04 09:29 C:\WINDOWS\system32\TFNF5.exe]
                      "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 16:32]
                      "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
                      "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 22:48]
                      "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-07 22:05]
                      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
                      "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 18:51]
                      "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-15 19:33]
                      "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24]

                      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                      "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03]

                      R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 18:53]
                      R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-09-26 19:34]
                      R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys [2002-01-29 14:27]
                      S3 PCX500;Cisco Wireless LAN Adapters-stuurprogramma;C:\WINDOWS\system32\DRIVERS\pcx500.sys [2004-08-04 06:06]

                      .
                      Inhoud van de 'Gedeelde Taken' map
                      "2007-12-21 19:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Bert.job"
                      - C:\PROGRA~1\NORTON~1\Navw32.exe
                      .
                      **************************************************************************

                      catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                      Rootkit scan 2007-12-31 14:16:09
                      Windows 5.1.2600 Service Pack 2 NTFS

                      scannen van verborgen processen ...

                      scannen van verborgen autostart items ...

                      scannen van verborgen bestanden ...

                      Scan succesvol afgerond
                      verborgen bestanden: 0

                      **************************************************************************
                      .
                      Voltooingstijd: 2007-12-31 14:21:22 - machine was rebooted
                      C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 13:21:09
                      C:\qoobox\ComboFix2.txt 2007-12-30 15:39:25





                      Logfile of Trend Micro HijackThis v2.0.2
                      Scan saved at 14:27:30, on 31-12-2007
                      Platform: Windows XP SP2 (WinNT 5.01.2600)
                      MSIE: Internet Explorer v7.00 (7.00.5730.0013)
                      Boot mode: Normal

                      Running processes:
                      C:\WINDOWS\System32\smss.exe
                      C:\WINDOWS\system32\winlogon.exe
                      C:\WINDOWS\system32\services.exe
                      C:\WINDOWS\system32\lsass.exe
                      C:\WINDOWS\system32\svchost.exe
                      C:\WINDOWS\System32\svchost.exe
                      C:\WINDOWS\system32\spoolsv.exe
                      C:\WINDOWS\Explorer.EXE
                      C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
                      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                      C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                      C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
                      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                      C:\WINDOWS\System32\00THotkey.exe
                      C:\WINDOWS\system32\TPWRTRAY.EXE
                      C:\Program Files\Apoint2K\Apoint.exe
                      C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
                      C:\WINDOWS\system32\TFNF5.exe
                      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                      C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                      C:\Program Files\Google\Gmail Notifier\gnotify.exe
                      C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
                      C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                      C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
                      C:\Program Files\QuickTime\qttask.exe
                      C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                      C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
                      C:\WINDOWS\system32\ctfmon.exe
                      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                      C:\Program Files\Apoint2K\Apntex.exe
                      C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
                      C:\WINDOWS\system32\wscntfy.exe
                      C:\Program Files\Internet Explorer\iexplore.exe
                      C:\Program Files\Messenger\msmsgs.exe
                      C:\Documents and Settings\Bert\Mijn documenten\Bert\HijackThis.exe

                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://breedband.telenet.be/
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
                      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                      O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
                      O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
                      O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
                      O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
                      O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
                      O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
                      O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
                      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                      O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
                      O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
                      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                      O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
                      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                      O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
                      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
                      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
                      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
                      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
                      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                      O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189951020038
                      O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
                      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                      O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
                      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
                      O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
                      O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
                      O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
                      O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
                      O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
                      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                      O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                      O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

                      --
                      End of file - 7184 bytes



                      Startup is already much faster. I can start working on it sooner. Hopefully everything is gone too
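The log above is raw HijackThis output; when triaging a log like this by hand, the usual first pass is to look at what starts automatically (the O4 Run keys and O23 services) and where each executable actually lives. The following is an added example, not the thread's own code or anything produced by HijackThis or the helper here: a small parser for O4 and O23 lines that pulls out the executable from each entry and flags the cases a reviewer would want to check first, namely entries given by bare file name (like `[Tpwrtray] TPWRTRAY.EXE` in the log, which is resolved through the search path rather than an explicit location) and entries that run from user-writable folders. The sample lines it runs on are constructed for the example and modelled on the log format; the file names and the "Unknown owner" service in them are made up.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines in HijackThis 2.0 format (not the thread's own log).
# The last O4 entry and the "Helper" service are invented to exercise the flags.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Bert\Local Settings\Temp\updater.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Helper (helpersvc) - Unknown owner - C:\WINDOWS\Temp\helper.exe
"""

# O4 Run-key entries: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder entries: "O4 - Global Startup: <shortcut> = <target>"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# O23 services: "O23 - Service: <display name> - <company> - <image path>"
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<cmd>.*)$")
# Shortest prefix of the command line ending in .exe, optionally quoted;
# this keeps unquoted paths with spaces intact and drops trailing arguments.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)

# Path fragments that mark folders an ordinary user can write to.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")


@dataclass
class Entry:
    section: str                  # "O4" or "O23"
    name: str                     # Run value name, shortcut name or service display name
    command: str                  # full command line / image path as logged
    company: Optional[str] = None # O23 only: publisher column
    flags: List[str] = field(default_factory=list)

    @property
    def executable(self) -> str:
        """Executable part of the command line, without quotes or arguments."""
        m = EXE_RE.match(self.command)
        return m.group("exe") if m else self.command


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for sections this example ignores."""
    line = line.strip()
    if m := RUN_RE.match(line):
        return Entry("O4", m["name"], m["cmd"])
    if m := STARTUP_RE.match(line):
        return Entry("O4", m["name"], m["cmd"])
    if m := SERVICE_RE.match(line):
        return Entry("O23", m["name"], m["cmd"], company=m["company"])
    return None


def flag_entry(e: Entry) -> List[str]:
    """Review hints for one entry; an empty list means nothing stood out."""
    flags: List[str] = []
    exe = e.executable.lower()
    if "\\" not in exe:
        # No directory at all: Windows resolves the name via its search order,
        # so the reviewer has to confirm which file is actually being started.
        flags.append("unqualified path")
    if any(marker in exe for marker in USER_WRITABLE):
        flags.append("runs from a user-writable location")
    if e.company and e.company.lower() == "unknown owner":
        flags.append("service has no publisher recorded")
    return flags


def triage(log_text: str) -> List[Entry]:
    """Parse every O4/O23 line in a log and attach review flags to each entry."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is not None:
            e.flags = flag_entry(e)
            entries.append(e)
    return entries


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        marker = "CHECK" if entry.flags else "ok   "
        print(f"{marker} {entry.section} {entry.name!r}: {entry.executable}")
        for f in entry.flags:
            print(f"        - {f}")
```

Entries without flags still need a look (a legitimate-looking path is not proof of anything), but sorting the list this way puts the items that most often turn out to matter at the top. The regular expressions follow the HijackThis 2.0 line layout visible in the log; other sections (O2 BHOs, O16 DPF objects) would need their own patterns.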



                      • #12
                        Download ATF cleaner (mirror)(made by Atribune)

                        Important: Close all your browser windows (IE and/or Firefox and/or Opera) so the tool can work properly.

                        Double-click ATF cleaner to start the program.
                        On the "Main" tab, tick Select All.
                        Click the Empty Selected button.

                        Do the following if you also have Firefox as a browser:
                        Click the "Firefox" tab, tick Select All.
                        If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
                        (this removes the tick at "Firefox saved passwords")
                        Click the Empty Selected button.

                        Do the following if you also have Opera as a browser:
                        Click the "Opera" tab, tick Select All.
                        If you want to keep the passwords saved by Opera, click "No" in the window that appears.
                        Click the Empty Selected button.
                        Go to the "Main" tab and click the Exit button to close the program.

                        Go to Start - Run and enter the following:
                        Combofix /U
                        Then press OK.
                        Note: There must be a space between Combofix and /U.

                        This will uninstall Combofix.

                        Turn off System Restore. Restart the computer. Turn System Restore back on.
                        See here how to turn off System Restore.
                        This removes any remnants of the infections from your System Restore.

                        Then I think everything is OK again



                        • #13
                          Problem is solved.
                          PC has been formatted and sold



                          • #14
                            Originally posted by bertboske
                            Problem is solved.
                            Good
