Mededeling

Collapse
No announcement yet.

SHeur

Collapse
X
Collapse
  •  
  • Page of 3
  • Filter
  • Tijd
  • Show
Clear All
new posts
Vorige 1 2 3 template Volgende
  • #1

    SHeur

    Mijn zoon heeft een virus, of trojan horse, o.i.d.: SHeur.ALBZ. Hij heeft het geinfecteerde file, (althans de virusscanner heeft dat gedaan) in de virus vault geplaatst. Nu kan hij (1) niet meer internet op (vandaar dat ik dit voor hem meld) en (2) zijn firewall niet meer aan de gang krijgen. Hij heeft ook een filenaam melding: hpzmsi01s.exe.

    Hieronder het HijackThis.log

    Alvast zeer bedankt voor de hulp.

    Jan van Gastel
    ----------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 12:44:31, on 13-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\HP_Eigenaar\Bureaublad\HiJackThis_v2.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220} - c:\windows\system32\dmstylej.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {CA56AADD-6596-42F1-A740-6B30B9B2FFD3} - C:\WINDOWS\system32\catsrvj.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O4 - HKLM\..\Run: [hpsysdrv] (disable) c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] (disable) ALCXMNTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [0e27b736sjq] C:\WINDOWS\system32\0e27b736sjq.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [0e27b736sjq] C:\WINDOWS\system32\0e27b736sjq.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
    O20 - Winlogon Notify: nmnteghq - C:\WINDOWS\SYSTEM32\dmstylej.dll
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 6757 bytes

    --------------------------------------------------------------
    Labels: Geen
    • Citaat
  • #2
    Dag Jan,

    Je gebruikt een oude versie van HijackThis. Best dat je eerst update naar de nieuwste versie: http://www.trendsecure.com/portal/en...HJTInstall.exe


    Sluit alle open vensters.
    Start HijackThis nog een keer en plaats een vinkje bij de volgende items:

    O2 - BHO: (no name) - {2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220} - c:\windows\system32\dmstylej.dll
    O2 - BHO: (no name) - {CA56AADD-6596-42F1-A740-6B30B9B2FFD3} - C:\WINDOWS\system32\catsrvj.dll
    O4 - HKLM\..\Run: [AlcxMonitor] (disable) ALCXMNTR.EXE
    O4 - HKLM\..\Run: [0e27b736sjq] C:\WINDOWS\system32\0e27b736sjq.exe
    O4 - HKCU\..\Run: [0e27b736sjq] C:\WINDOWS\system32\0e27b736sjq.exe
    O20 - Winlogon Notify: nmnteghq - C:\WINDOWS\SYSTEM32\dmstylej.dll

    Klik daarna op "Fix checked" en sluit HijackThis af.


    Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Plaats het op je bureaublad.
    Dubbelklik er op om het programma te starten.
    In het scherm dat verschijnt tik je een 1 in om het cleaning- en analysesproces te laten uitvoeren.
    Volg de instructies op het scherm.
    Als het tooltje klaar is, opent er een logfile (combofix.txt).
    Post de inhoud van dit bestandje samen met een nieuwe hijackthislog.
    • Citaat

    Comment

    • #3
      Hallo...

      Met alle respect..nu snap ik het niet goed meer. Ik kreeg eerst een methode, zoals hierboven, toen een andere, waarbij een nieuwe versie van HijachThis moet worden geinstalleerd waarin enkele zaken moeten worden aangevinkt en gefixt. Daarna zou Combifix gebruikt moeten worden.

      Ik ben begonnen met het tweede advies, omdat ik ervan uitging dat dat het eerste overrule-de. Wat tot nu toe is gebeurd, is:
      1. Nwe versie HijackThis geinstalleerd.
      2. De in het bovenvermelde advies aangegeven items 'gefixt'.
      Combifix is nog niet gebruikt.

      Hieronder een nieuw HijackThis log.

      -----------------------------------
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 17:49:06, on 13-1-2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16574)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Ahead\InCD\InCDsrv.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\System32\hkcmd.exe
      C:\WINDOWS\AGRSMMSG.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
      C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
      C:\WINDOWS\system32\wdfmgr.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\WINDOWS\System32\wbem\wmiprvse.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220} - c:\windows\system32\dmstylej.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
      O2 - BHO: (no name) - {CA56AADD-6596-42F1-A740-6B30B9B2FFD3} - C:\WINDOWS\system32\catsrvj.dll
      O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
      O4 - HKLM\..\Run: [hpsysdrv] (disable) c:\windows\system\hpsysdrv.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
      O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
      O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
      O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
      O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
      O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
      O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
      O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
      O20 - Winlogon Notify: nmnteghq - C:\WINDOWS\SYSTEM32\dmstylej.dll
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
      O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
      O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

      --
      End of file - 6261 bytes
      • Citaat

      Comment

      • #4
        Logje naar juiste topic verplaatst
        • Citaat

        Comment

        • #5
          Ik begrijp helemaal niet wat je bedoelt Jan.
          Voer de instructies uit die ik gegeven heb.
          • Citaat

          Comment

          • #6
            Marckie,

            Hierbij het nieuwe HijackThis log en het Combifix log

            Jan.

            -----------------------------------

            Logfile of Trend Micro HijackThis v2.0.0 (BETA)
            Scan saved at 0:18:18, on 15-1-2008
            Platform: Windows XP SP2 (WinNT 5.01.2600)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Program Files\Ahead\InCD\InCDsrv.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\System32\hkcmd.exe
            C:\WINDOWS\AGRSMMSG.exe
            C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
            C:\Program Files\iTunes\iTunesHelper.exe
            C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
            C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            C:\Program Files\iPod\bin\iPodService.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\WINDOWS\system32\wscntfy.exe
            C:\Documents and Settings\HP_Eigenaar\Bureaublad\HiJackThis_v2.exe

            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
            R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
            O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
            O2 - BHO: (no name) - {2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220} - c:\windows\system32\dmstylej.dll
            O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
            O2 - BHO: (no name) - {CA56AADD-6596-42F1-A740-6B30B9B2FFD3} - C:\WINDOWS\system32\catsrvj.dll
            O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
            O4 - HKLM\..\Run: [hpsysdrv] (disable) c:\windows\system\hpsysdrv.exe
            O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
            O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
            O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
            O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
            O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
            O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
            O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
            O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
            O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
            O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
            O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
            O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
            O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
            O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
            O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
            O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
            O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
            O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
            O20 - Winlogon Notify: nmnteghq - C:\WINDOWS\SYSTEM32\dmstylej.dll
            O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
            O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
            O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
            O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
            O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
            O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
            O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
            O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

            --
            End of file - 6141 bytes

            -----------------------------------------------

            ComboFix 08-01-13.1 - HP_Eigenaar 2008-01-15 0:08:41.1 - NTFSx86
            Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.242 [GMT 1:00]
            Gestart vanuit: C:\Documents and Settings\HP_Eigenaar\Bureaublad\ComboFix.exe
            * Nieuw herstelpunt werd aangemaakt
            .

            (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            D:\Autorun.inf
            C:\WINDOWS\system32\dmstylej.dll . . . . konden niet verwijderd worden

            .
            ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

            .
            -------\LEGACY_GNJVVNSU
            -------\gnjvvnsu


            (((((((((((((((((((( Bestanden Gemaakt van 2007-12-14 to 2008-01-14 ))))))))))))))))))))))))))))))
            .

            2008-01-15 00:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
            2008-01-13 17:37 . 2008-01-13 17:37 <DIR> d-------- C:\Program Files\Trend Micro
            2008-01-13 05:14 . 2008-01-13 05:14 120,576 --a------ C:\WINDOWS\system32\ocwvllma.dat
            2008-01-13 05:08 . 19,584 C:\WINDOWS\system32\drivers\ktqxvwbc.dat
            2008-01-13 05:07 . 2008-01-15 00:10 83,968 --a------ C:\WINDOWS\system32\dmstylej.dll
            2008-01-13 05:07 . 2005-07-26 05:42 83,968 --a------ C:\WINDOWS\system32\catsrvj.dll
            2008-01-13 05:07 . 2004-09-09 10:42 15,872 --a------ C:\WINDOWS\system32\0e27b736sjq.exe

            .
            ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2008-01-14 17:38 --------- d-----w C:\Program Files\eMule
            2008-01-14 07:52 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
            2008-01-13 21:40 --------- d-----w C:\Program Files\Soulseek
            2008-01-13 04:08 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
            2008-01-11 03:16 --------- d-----w C:\Program Files\Soulseek-Test
            2008-01-10 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
            2007-12-11 12:12 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\Winamp
            2007-12-11 12:11 --------- d-----w C:\Program Files\Winamp
            2007-12-06 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
            2007-12-06 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
            2007-12-03 15:52 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\AVG7
            .

            ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            REGEDIT4
            *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220}]
            2008-01-15 00:10 83968 --a------ c:\windows\system32\dmstylej.dll

            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA56AADD-6596-42F1-A740-6B30B9B2FFD3}]
            2005-07-26 05:42 83968 --a------ C:\WINDOWS\system32\catsrvj.dll

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "hpsysdrv"="(disable) c:\windows\system\hpsysdrv.exe" [ ]
            "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-03 18:43 118784]
            "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
            "VTTimer"="VTTimer.exe"
            "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
            "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
            "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-01 15:37 6731312]
            "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]
            "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
            "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
            "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:07 579072]
            "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 09:03 160256]

            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
            "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-06 01:16 219136]

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
            "Apple Mobile Device"=2 (0x2)


            .
            Inhoud van de 'Gedeelde Taken' map
            "2008-01-12 07:11:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
            - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
            .
            **************************************************************************

            catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2008-01-15 00:13:10
            Windows 5.1.2600 Service Pack 2 NTFS

            scannen van verborgen processen ...

            scannen van verborgen autostart items ...

            scannen van verborgen bestanden ...

            Scan succesvol afgerond
            verborgen bestanden: 0

            **************************************************************************
            .
            Voltooingstijd: 2008-01-15 0:15:40 - machine was rebooted
            ComboFix-quarantined-files.txt 2008-01-14 23:15:12
            .
            2008-01-13 05:13:28 --- E O F ---
            • Citaat

            Comment

            • #7
              Ga naar Start - Uitvoeren en tik in: ComboFix /u
              Druk op Enter.
              Download combofix.exe opnieuw: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
              Plaats het op je bureaublad.
              Dubbelklik er op om het programma te starten.
              In het scherm dat verschijnt tik je een 1 in om het cleaning- en analysesproces te laten uitvoeren.
              Volg de instructies op het scherm.
              Als het tooltje klaar is, opent er een logfile (combofix.txt).
              Post de inhoud van dit bestandje samen met een nieuwe hijackthislog.

              Let wel op de laatste log van hijackthis, was gemaakt met een oude versie. Je moet de nieuwste versie gebruiken.
              • Citaat

              Comment

              • #8
                Dag Marckie,

                Hierbij het nieuwe HijackThis en ComboFix logje.
                Groet,
                Jan.

                -------------------------------------------
                Logfile of Trend Micro HijackThis v2.0.2
                Scan saved at 14:00:32, on 16-1-2008
                Platform: Windows XP SP2 (WinNT 5.01.2600)
                MSIE: Internet Explorer v7.00 (7.00.6000.16574)
                Boot mode: Normal

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\Program Files\Ahead\InCD\InCDsrv.exe
                C:\WINDOWS\system32\spoolsv.exe
                C:\WINDOWS\Explorer.EXE
                C:\WINDOWS\System32\hkcmd.exe
                C:\WINDOWS\AGRSMMSG.exe
                C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
                C:\Program Files\iTunes\iTunesHelper.exe
                C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
                C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                C:\Program Files\iPod\bin\iPodService.exe
                C:\WINDOWS\system32\wuauclt.exe
                C:\WINDOWS\system32\wscntfy.exe
                F:\HC\HiJackThis.exe

                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                O2 - BHO: (no name) - {2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220} - c:\windows\system32\dmstylej.dll
                O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                O2 - BHO: (no name) - {CA56AADD-6596-42F1-A740-6B30B9B2FFD3} - C:\WINDOWS\system32\catsrvj.dll
                O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
                O4 - HKLM\..\Run: [hpsysdrv] (disable) c:\windows\system\hpsysdrv.exe
                O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
                O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
                O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
                O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
                O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
                O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
                O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
                O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
                O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
                O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
                O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
                O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
                O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
                O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
                O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
                O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
                O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

                --
                End of file - 5810 bytes

                ---------------------------------------------------

                ComboFix 08-01-16.4 - HP_Eigenaar 2008-01-16 13:46:54.3 - NTFSx86
                Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.245 [GMT 1:00]
                Gestart vanuit: C:\Documents and Settings\HP_Eigenaar\Bureaublad\ComboFix.exe
                * Nieuw herstelpunt werd aangemaakt

                WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
                .

                (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                C:\WINDOWS\system32\dmstylej.dll . . . . konden niet verwijderd worden

                .
                ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

                .
                -------\gnjvvnsu


                (((((((((((((((((((( Bestanden Gemaakt van 2007-12-16 to 2008-01-16 ))))))))))))))))))))))))))))))
                .

                2008-01-15 00:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
                2008-01-13 17:37 . 2008-01-13 17:37 <DIR> d-------- C:\Program Files\Trend Micro
                2008-01-13 05:14 . 2008-01-13 05:14 120,576 --a------ C:\WINDOWS\system32\ocwvllma.dat
                2008-01-13 05:08 . 19,584 C:\WINDOWS\system32\drivers\ktqxvwbc.dat
                2008-01-13 05:07 . 2008-01-16 13:49 83,968 --a------ C:\WINDOWS\system32\dmstylej.dll
                2008-01-13 05:07 . 2005-07-26 05:42 83,968 --a------ C:\WINDOWS\system32\catsrvj.dll
                2008-01-13 05:07 . 2004-09-09 10:42 15,872 --a------ C:\WINDOWS\system32\0e27b736sjq.exe

                .
                ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2008-01-16 09:07 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
                2008-01-14 17:38 --------- d-----w C:\Program Files\eMule
                2008-01-13 21:40 --------- d-----w C:\Program Files\Soulseek
                2008-01-13 04:08 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
                2008-01-11 03:16 --------- d-----w C:\Program Files\Soulseek-Test
                2008-01-10 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
                2007-12-11 12:12 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\Winamp
                2007-12-11 12:11 --------- d-----w C:\Program Files\Winamp
                2007-12-06 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
                2007-12-06 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
                .

                ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                REGEDIT4
                *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

                [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220}]
                2008-01-16 13:49 83968 --a------ c:\windows\system32\dmstylej.dll

                [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA56AADD-6596-42F1-A740-6B30B9B2FFD3}]
                2005-07-26 05:42 83968 --a------ C:\WINDOWS\system32\catsrvj.dll

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "hpsysdrv"="(disable) c:\windows\system\hpsysdrv.exe" [ ]
                "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-03 18:43 118784]
                "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
                "VTTimer"="VTTimer.exe"
                "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
                "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
                "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-01 15:37 6731312]
                "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]
                "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
                "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
                "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:07 579072]
                "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 09:03 160256]

                [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-06 01:16 219136]

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                "Apple Mobile Device"=2 (0x2)


                .
                Inhoud van de 'Gedeelde Taken' map
                "2008-01-12 07:11:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
                - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
                .
                **************************************************************************

                catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2008-01-16 13:55:36
                Windows 5.1.2600 Service Pack 2 NTFS

                scannen van verborgen processen ...

                scannen van verborgen autostart items ...

                scannen van verborgen bestanden ...

                Scan succesvol afgerond
                verborgen bestanden: 0

                **************************************************************************
                .
                Voltooingstijd: 2008-01-16 13:58:12 - machine was rebooted
                ComboFix-quarantined-files.txt 2008-01-16 12:57:31
                ComboFix2.txt 2008-01-16 02:38:17
                .
                2008-01-13 05:13:28 --- E O F ---
                • Citaat

                Comment

                • #9
                  Open een kladblokbestand.
                  Kopieer de ondestaande code, en plak deze in het kladblokbestand.
                  Sla het kladblokbestand op als CFScript.txt
                  Code:
                  Rootkit::
c:\windows\system32\dmstylej.dll
C:\WINDOWS\system32\catsrvj.dll
C:\WINDOWS\system32\ocwvllma.dat
C:\WINDOWS\system32\drivers\ktqxvwbc.dat
C:\WINDOWS\system32\0e27b736sjq.exe
                  Sleep nu het bestand CFScript.txt in het bestand ComboFix.exe

                  ComboFix zal opnieuw starten.
                  Wanneer ComboFix klaar is, dit kan na een herstart zijn, opent er een logfile.
                  Post de inhoud van de logfile samen met een nieuwe hijackthislog.
                  • Citaat

                  Comment

                  • #10
                    Dag Marckie,

                    De nieuwe logfiles:

                    ---------------------------------------------------

                    ComboFix 08-01-16.4 - HP_Eigenaar 2008-01-16 15:04:39.4 - NTFSx86
                    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.219 [GMT 1:00]
                    Gestart vanuit: C:\Documents and Settings\HP_Eigenaar\Bureaublad\ComboFix.exe
                    Command switches used :: C:\Documents and Settings\HP_Eigenaar\Bureaublad\CFScript.txt
                    * Nieuw herstelpunt werd aangemaakt

                    WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
                    .

                    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    C:\WINDOWS\system32\0e27b736sjq.exe
                    C:\WINDOWS\system32\catsrvj.dll
                    c:\windows\system32\dmstylej.dll
                    C:\WINDOWS\system32\drivers\ktqxvwbc.dat
                    C:\WINDOWS\system32\ocwvllma.dat

                    .
                    (((((((((((((((((((( Bestanden Gemaakt van 2007-12-16 to 2008-01-16 ))))))))))))))))))))))))))))))
                    .

                    2008-01-15 00:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
                    2008-01-13 17:37 . 2008-01-13 17:37 <DIR> d-------- C:\Program Files\Trend Micro

                    .
                    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2008-01-16 09:07 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
                    2008-01-14 17:38 --------- d-----w C:\Program Files\eMule
                    2008-01-13 21:40 --------- d-----w C:\Program Files\Soulseek
                    2008-01-13 04:08 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
                    2008-01-11 03:16 --------- d-----w C:\Program Files\Soulseek-Test
                    2008-01-10 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
                    2007-12-11 12:12 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\Winamp
                    2007-12-11 12:11 --------- d-----w C:\Program Files\Winamp
                    2007-12-06 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
                    2007-12-06 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
                    .

                    ((((((((((((((((((((((((((((( [email protected]_13.56.58.07 )))))))))))))))))))))))))))))))))))))))))
                    .
                    - 2008-01-16 12:46:30 1,224,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
                    + 2008-01-16 14:04:27 1,224,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
                    - 2008-01-16 12:46:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
                    + 2008-01-16 14:04:27 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
                    - 2008-01-16 12:46:30 1,224,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
                    + 2008-01-16 14:04:28 1,224,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
                    - 2008-01-16 12:46:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
                    + 2008-01-16 14:04:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
                    - 2008-01-16 12:46:30 10,027,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
                    + 2008-01-16 14:04:28 10,027,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
                    - 2008-01-16 12:46:30 155,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
                    + 2008-01-16 14:04:28 155,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
                    .
                    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    REGEDIT4
                    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

                    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220}]
                    c:\windows\system32\dmstylej.dll

                    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA56AADD-6596-42F1-A740-6B30B9B2FFD3}]
                    C:\WINDOWS\system32\catsrvj.dll

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "hpsysdrv"="(disable) c:\windows\system\hpsysdrv.exe" [ ]
                    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-03 18:43 118784]
                    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
                    "VTTimer"="VTTimer.exe"
                    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
                    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
                    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-01 15:37 6731312]
                    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]
                    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
                    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
                    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:07 579072]
                    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 09:03 160256]

                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-06 01:16 219136]

                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                    "Apple Mobile Device"=2 (0x2)


                    .
                    Inhoud van de 'Gedeelde Taken' map
                    "2008-01-12 07:11:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
                    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
                    .
                    **************************************************************************

                    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2008-01-16 15:09:11
                    Windows 5.1.2600 Service Pack 2 NTFS

                    scannen van verborgen processen ...

                    scannen van verborgen autostart items ...

                    scannen van verborgen bestanden ...

                    Scan succesvol afgerond
                    verborgen bestanden: 0

                    **************************************************************************
                    .
                    Voltooingstijd: 2008-01-16 15:11:47 - machine was rebooted
                    ComboFix-quarantined-files.txt 2008-01-16 14:11:16
                    ComboFix2.txt 2008-01-16 02:38:17
                    .
                    2008-01-13 05:13:28 --- E O F ---

                    ---------------------------------------------------------------------

                    Logfile of Trend Micro HijackThis v2.0.2
                    Scan saved at 15:13:35, on 16-1-2008
                    Platform: Windows XP SP2 (WinNT 5.01.2600)
                    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
                    Boot mode: Normal

                    Running processes:
                    C:\WINDOWS\System32\smss.exe
                    C:\WINDOWS\system32\winlogon.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\Program Files\Ahead\InCD\InCDsrv.exe
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\WINDOWS\Explorer.EXE
                    C:\WINDOWS\System32\hkcmd.exe
                    C:\WINDOWS\AGRSMMSG.exe
                    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
                    C:\Program Files\iTunes\iTunesHelper.exe
                    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
                    C:\WINDOWS\system32\ctfmon.exe
                    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                    C:\Program Files\iPod\bin\iPodService.exe
                    C:\WINDOWS\system32\wuauclt.exe
                    C:\WINDOWS\system32\wscntfy.exe
                    F:\HC\HiJackThis.exe

                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                    O2 - BHO: (no name) - {2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220} - c:\windows\system32\dmstylej.dll (file missing)
                    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                    O2 - BHO: (no name) - {CA56AADD-6596-42F1-A740-6B30B9B2FFD3} - C:\WINDOWS\system32\catsrvj.dll (file missing)
                    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
                    O4 - HKLM\..\Run: [hpsysdrv] (disable) c:\windows\system\hpsysdrv.exe
                    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
                    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
                    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
                    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
                    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
                    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
                    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
                    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
                    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
                    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
                    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
                    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
                    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
                    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
                    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
                    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
                    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

                    --
                    End of file - 5804 bytes
                    • Citaat

                    Comment

                    • #11
                      Dat ziet er al wat beter uit.

                      Sluit alle open vensters.
                      Start HijackThis nog een keer en plaats een vinkje bij de volgende items:

                      O2 - BHO: (no name) - {2DA0DFC6-20DF-4F0B-A9D4-ADA59C981220} - c:\windows\system32\dmstylej.dll (file missing)
                      O2 - BHO: (no name) - {CA56AADD-6596-42F1-A740-6B30B9B2FFD3} - C:\WINDOWS\system32\catsrvj.dll (file missing)
                      O4 - HKLM\..\Run: [hpsysdrv] (disable) c:\windows\system\hpsysdrv.exe

                      Klik daarna op "Fix checked" en sluit HijackThis af.

                      Herstart de computer.

                      Start HijackThis opnieuw, maak een nieuwe log en post deze.


                      Ga naar deze website: http://www.virustotal.com/en/indexf.html
                      Laat volgend bestandje scannen: C:\WINDOWS\system32\drivers\tcpip.sys
                      Post het resultaat van de scan.
                      (Mocht deze geïnfecteerd zijn, niet verwijderen dan)
                      • Citaat

                      Comment

                      • #12
                        Hallo Marckie,

                        Hierbij het gevraagde nieuwe HijackThis-logje. Het bestand C:\WINDOWS\system32\drivers\tcpip.sys kon ik helaas niet laten scannen op de computer van mijn zoon, omdat die nog steeds geen verbinding met internet maakt. Ik heb een kopie van het bewuste bestandje op een USB-stick gezet. Kan ik het op die manier via mijn eigen computer laten scannen?

                        Vriendelijke groet,
                        Jan.
                        ---------------------------------------------------------------------

                        Logfile of Trend Micro HijackThis v2.0.2
                        Scan saved at 16:28:13, on 16-1-2008
                        Platform: Windows XP SP2 (WinNT 5.01.2600)
                        MSIE: Internet Explorer v7.00 (7.00.6000.16574)
                        Boot mode: Normal

                        Running processes:
                        C:\WINDOWS\System32\smss.exe
                        C:\WINDOWS\system32\winlogon.exe
                        C:\WINDOWS\system32\services.exe
                        C:\WINDOWS\system32\lsass.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\Program Files\Ahead\InCD\InCDsrv.exe
                        C:\WINDOWS\system32\spoolsv.exe
                        C:\WINDOWS\Explorer.EXE
                        C:\WINDOWS\System32\hkcmd.exe
                        C:\WINDOWS\AGRSMMSG.exe
                        C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
                        C:\Program Files\iTunes\iTunesHelper.exe
                        C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
                        C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
                        C:\WINDOWS\system32\ctfmon.exe
                        C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                        C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                        C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                        C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                        C:\Program Files\iPod\bin\iPodService.exe
                        C:\Program Files\Messenger\msmsgs.exe
                        C:\WINDOWS\system32\wuauclt.exe
                        C:\WINDOWS\system32\wscntfy.exe
                        C:\Documents and Settings\HP_Eigenaar\Bureaublad\HC\HiJackThis.exe

                        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                        O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
                        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
                        O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
                        O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
                        O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
                        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                        O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
                        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
                        O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
                        O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
                        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                        O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
                        O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
                        O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
                        O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
                        O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
                        O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
                        O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
                        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                        O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
                        O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
                        O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                        O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                        O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                        O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                        O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

                        --
                        End of file - 5631 bytes
                        • Citaat

                        Comment

                        • #13
                          Kan je gewoon laten scannen vanop je stick.
                          • Citaat

                          Comment

                          • #14
                            Resultaat scan bestand C:\WINDOWS\system32\drivers\tcpip.sys door Virustotal:

                            --------------------------------------------------------------------

                            Antivirus Versie Laatst geüpdatet Resultaat
                            AhnLab-V3 2008.1.16.11 2008.01.16 -
                            AntiVir 7.6.0.48 2008.01.16 -
                            Authentium 4.93.8 2008.01.16 -
                            Avast 4.7.1098.0 2008.01.16 -
                            AVG 7.5.0.516 2008.01.16 -
                            BitDefender 7.2 2008.01.16 -
                            CAT-QuickHeal 9.00 2008.01.16 -
                            ClamAV 0.91.2 2008.01.16 -
                            DrWeb 4.44.0.09170 2008.01.16 -
                            eSafe 7.0.15.0 2008.01.16 -
                            eTrust-Vet 31.3.5462 2008.01.16 -
                            Ewido 4.0 2008.01.16 -
                            FileAdvisor 1 2008.01.16 -
                            Fortinet 3.14.0.0 2008.01.16 -
                            F-Prot 4.4.2.54 2008.01.15 -
                            F-Secure 6.70.13260.0 2008.01.16 -
                            Ikarus T3.1.1.20 2008.01.16 -
                            Kaspersky 7.0.0.125 2008.01.16 -
                            McAfee 5209 2008.01.16 -
                            Microsoft 1.3109 2008.01.16 -
                            NOD32v2 2798 2008.01.16 -
                            Norman 5.80.02 2008.01.16 -
                            Panda 9.0.0.4 2008.01.15 -
                            Prevx1 V2 2008.01.16 -
                            Rising 20.27.22.00 2008.01.16 -
                            Sophos 4.24.0 2008.01.16 -
                            Sunbelt 2.2.907.0 2008.01.15 -
                            TheHacker 6.2.9.188 2008.01.16 -
                            VBA32 3.12.2.5 2008.01.15 -
                            VirusBuster 4.3.26:9 2008.01.16 -
                            Webwasher-Gateway 6.6.2 2008.01.16 Win32.Malware.gen!80 (suspicious)

                            Extra informatie
                            File size: 360064 bytes
                            MD5: 71cc4368deaa57aa1ea1f18bc837650d
                            SHA1: 6a835c73a5b7dc11c88dc062ed081882f7d2cfff
                            PEiD: -
                            • Citaat

                            Comment

                            • #15
                              Kan je deze batfile even laten lopen op de computer?
                              Open een kladblokbestand.
                              Kopieer onderstaande code in dit kladblokbestand.
                              Ga naar Bestand - Opslaan als.
                              Bij "Opslaan in" kies je: Bureaublad
                              Bij "Bestandsnaam" zet je: look.bat
                              Bij "Opslaan als type" selecteer je: Alle bestanden (*.*).
                              Klik op de knop Opslaan.
                              Code:
                              DIR %Systemdrive%\tcpip.sys /a h /s >>files.txt
START NOTEPAD.EXE files.txt
                              Dubbelklik op look.bat en post het resultaat van logfile die opent.
                              • Citaat

                              Comment

                              Vorige 1 2 3 template Volgende
                              Sorry, you are not authorized to view this page
                              Working...
                              X