Mededeling

**smeenk** · 17-01-08, 16:50

Download VirtumundoBegone (mirror)
Sla dit op op je bureaublad.

Dubbelklik op VirtumundoBeGone.exe en volg de aanwijzingen.
Schrik niet als je een blauw scherm met een foutmelding te zien krijgt - dit is normaal.
Als de fix klaar is, start je de pc opnieuw op.
Plaats de inhoud van het logbestand VBG.TXT, dat nu op je bureaublad staat, hier in je volgende bericht.

Download: RVAXO.exe

Sla het bestand op je bureaublad op, dubbelklik het en kies voor "Unzip" om het uit te pakken.
Open nu de map RVAXO op je bureaublad en dubbeklik RVAXO.cmd
Er zal een cmd-schermpje openen, daarin zullen snel enkele regels over niet gevonden bestanden voorbijkomen, dit is normaal.
Mogelijk start er ook een uninstaller van een rogue scanner op, sluit deze niet af maar volg eventuele aanwijzingen en laat deze gewoon zijn werk doen.
Daarna zal je PC herstarten, na de herstart opent het cmd-venster van RVAXO opnieuw.
Laat deze lopen en wacht tot er een logfile opent: C:\RVAXO-results.log
Herstart je computer niet vanzelf, of start de tool niet na de reboot, doe dit dan handmatig.
Post de inhoud van de logfile in je volgende bericht.

Download Combofix (mirror) naar je Bureaublad.
Dubbelklik op Combofix.exe
Kies voor "Continue" door 1 te typen gevolgd door ENTER.
Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.
Wanneer de fix voltooid is en na herstart, zal de log combofix.txt openen.
Plaats deze log in je volgende post.

NOTA: Indien je virusscanner reageert met een melding van een scriptuitvoering, mag je dit negeren.

**Tuinhek** · 17-01-08, 17:26

VGB:

[01/17/2008, 16:55:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Bureaublad\VirtumundoBeGone.exe" )
[01/17/2008, 16:55:36] - Detected System Information:
[01/17/2008, 16:55:36] - Windows Version: 5.1.2600,
[01/17/2008, 16:55:36] - Current Username: Administrator (Admin)
[01/17/2008, 16:55:36] - Windows is in NORMAL mode.
[01/17/2008, 16:55:36] - Searching for Browser Helper Objects:
[01/17/2008, 16:55:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Help bij koppelingen)
[01/17/2008, 16:55:36] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
[01/17/2008, 16:55:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/17/2008, 16:55:36] - Checking for HKLM\...\Winlogon\Notify\urqrooo
[01/17/2008, 16:55:36] - Found: HKLM\...\Winlogon\Notify\urqrooo - This is probably Virtumundo.
[01/17/2008, 16:55:36] - Assigning {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} MSEvents Object
[01/17/2008, 16:55:36] - BHO list has been changed! Starting over...
[01/17/2008, 16:55:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Help bij koppelingen)
[01/17/2008, 16:55:36] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[01/17/2008, 16:55:36] - ALERT: Found MSEvents Object!
[01/17/2008, 16:55:36] - BHO 3: {7493b8c4-1023-4733-9c77-6b1697b41e88} ()
[01/17/2008, 16:55:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/17/2008, 16:55:36] - Checking for HKLM\...\Winlogon\Notify\rftobcet
[01/17/2008, 16:55:36] - Key not found: HKLM\...\Winlogon\Notify\rftobcet, continuing.
[01/17/2008, 16:55:36] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/17/2008, 16:55:36] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[01/17/2008, 16:55:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/17/2008, 16:55:36] - No filename found. Continuing.
[01/17/2008, 16:55:36] - BHO 6: {D2DE00C1-0935-4A53-99FE-6AC1713AC523} ()
[01/17/2008, 16:55:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/17/2008, 16:55:36] - Checking for HKLM\...\Winlogon\Notify\ddcyx
[01/17/2008, 16:55:36] - Key not found: HKLM\...\Winlogon\Notify\ddcyx, continuing.
[01/17/2008, 16:55:36] - Finished Searching Browser Helper Objects
[01/17/2008, 16:55:36] - *** Detected MSEvents Object
[01/17/2008, 16:55:36] - Trying to remove MSEvents Object...
[01/17/2008, 16:55:37] - Terminating Process: IEXPLORE.EXE
[01/17/2008, 16:55:37] - Terminating Process: RUNDLL32.EXE
[01/17/2008, 16:55:37] - Disabling Automatic Shell Restart
[01/17/2008, 16:55:37] - Terminating Process: EXPLORER.EXE
[01/17/2008, 16:55:38] - Suspending the NT Session Manager System Service
[01/17/2008, 16:55:38] - Terminating Windows NT Logon/Logoff Manager
[01/17/2008, 16:55:38] - Re-enabling Automatic Shell Restart
[01/17/2008, 16:55:38] - File to disable: C:\WINDOWS\system32\urqrooo.dll
[01/17/2008, 16:55:38] - Renaming C:\WINDOWS\system32\urqrooo.dll -> C:\WINDOWS\system32\urqrooo.dll.vir
[01/17/2008, 16:55:39] - ! File rename was unsucessful.
[01/17/2008, 16:55:39] - Attempting to Deny Access to C:\WINDOWS\system32\urqrooo.dll
[01/17/2008, 16:55:39] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[01/17/2008, 16:55:39] - ERROR: Er is geen toewijzing uitgevoerd tussen accountnamen en beveiligings-ID's.

[01/17/2008, 16:55:39] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[01/17/2008, 16:55:39] - Removing HKLM\...\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[01/17/2008, 16:55:39] - Removing HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[01/17/2008, 16:55:39] - Adding Kill Bit for ActiveX for GUID: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[01/17/2008, 16:55:39] - Deleting ATLEvents/MSEvents Registry entries
[01/17/2008, 16:55:39] - Removing HKLM\...\Winlogon\Notify\urqrooo
[01/17/2008, 16:55:39] - Searching for Browser Helper Objects:
[01/17/2008, 16:55:39] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Help bij koppelingen)
[01/17/2008, 16:55:39] - BHO 2: {7493b8c4-1023-4733-9c77-6b1697b41e88} ()
[01/17/2008, 16:55:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/17/2008, 16:55:40] - Checking for HKLM\...\Winlogon\Notify\rftobcet
[01/17/2008, 16:55:40] - Key not found: HKLM\...\Winlogon\Notify\rftobcet, continuing.
[01/17/2008, 16:55:40] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/17/2008, 16:55:40] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[01/17/2008, 16:55:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/17/2008, 16:55:40] - No filename found. Continuing.
[01/17/2008, 16:55:40] - BHO 5: {D2DE00C1-0935-4A53-99FE-6AC1713AC523} ()
[01/17/2008, 16:55:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/17/2008, 16:55:40] - Checking for HKLM\...\Winlogon\Notify\ddcyx
[01/17/2008, 16:55:40] - Key not found: HKLM\...\Winlogon\Notify\ddcyx, continuing.
[01/17/2008, 16:55:40] - Finished Searching Browser Helper Objects
[01/17/2008, 16:55:40] - Finishing up...
[01/17/2008, 16:55:40] - A restart is needed.
[01/17/2008, 16:55:47] - Attempting to Restart via STOP error (Blue Screen!)

RVAXO:

---RVAXO.exe Updated: 2008-01-17---first run---
Files found:
C:\WINDOWS\system32\urqrooo.dll.vir
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\actskn45.ocx

Uninstallers Rogue scanners:

AdvancedCleaner Free uninstaller found

Folders Found:

C:\Program Files\AdvancedCleaner Free

Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------

Files found:

Folders Found:

--------------RVAXO.exe finished----------------

Combofix:

ComboFix 08-01-17.5 - Administrator 2008-01-17 17:13:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.31.1043.18.59 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\agnfskgx.dll
C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\dpeerall.dll
C:\WINDOWS\system32\ggovssxu.ini
C:\WINDOWS\system32\gvepsxpo.dll
C:\WINDOWS\system32\hrrqkbct.ini
C:\WINDOWS\system32\jhebcghw.ini
C:\WINDOWS\system32\jvgmndcn.dll
C:\WINDOWS\system32\llareepd.ini
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\system32\oqrfrrdw.dll
C:\WINDOWS\system32\phjgwknv.dll
C:\WINDOWS\system32\rftobcet.dll
C:\WINDOWS\system32\tcbkqrrh.dll
C:\WINDOWS\system32\uudythsy.dll
C:\WINDOWS\system32\vnkwgjhp.ini
C:\WINDOWS\system32\wdrrfrqo.ini
C:\WINDOWS\system32\wgbpyoog.dll
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\ysnnxmxj.dll

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-17 to 2008-01-17 ))))))))))))))))))))))))))))))
.

2008-01-17 17:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 17:02 . 2008-01-17 17:03 <DIR> d-------- C:\RVAXO
2008-01-17 16:59 . 2008-01-17 15:53 611,005 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-01-17 16:59 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
2008-01-17 16:17 . 2007-12-23 00:07 194 --ahs---- C:\BOOT.BAK
2008-01-13 19:09 . 2003-03-19 09:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-01-13 19:09 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-13 19:09 . 2003-03-19 06:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-13 13:12 . 1997-08-14 16:17 117,248 --a------ C:\WINDOWS\system32\Edec.dll
2008-01-13 13:12 . 1997-08-14 16:31 98,816 --a------ C:\WINDOWS\system32\Dec130.dll
2008-01-13 13:12 . 1997-08-14 16:24 89,600 --a------ C:\WINDOWS\system32\Winsdec.dll
2008-01-13 13:12 . 1997-08-14 11:10 80,896 --a------ C:\WINDOWS\system32\Winstr.dll
2008-01-13 13:12 . 1997-08-14 16:06 60,416 --a------ C:\WINDOWS\system32\Winplay.dll
2008-01-13 13:10 . 1996-10-17 21:45 32,388 --a------ C:\WINDOWS\system\Comic.ttf
2008-01-13 13:10 . 1997-02-06 18:29 14 --a------ C:\WINDOWS\Comic.prf
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Shareaza
2008-01-11 18:02 . 2008-01-11 18:02 <DIR> d-------- C:\Program Files\Shareaza Applications
2008-01-08 17:36 . 2008-01-17 16:44 <DIR> dr-h----- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Onlangs geopend
2008-01-07 18:43 . 2008-01-15 19:04 320 --ahs---- C:\WINDOWS\system32\tttss.ini
2008-01-06 20:08 . 2008-01-07 18:28 320 --ahs---- C:\WINDOWS\system32\gjkkj.ini
2008-01-05 18:11 . 2008-01-06 18:04 320 --ahs---- C:\WINDOWS\system32\mlnmp.ini
2008-01-02 22:32 . 2008-01-02 22:32 <DIR> d-------- C:\Program Files\Belastingdienst
2008-01-02 22:23 . 2008-01-05 14:57 320 --ahs---- C:\WINDOWS\system32\egjlm.ini
2008-01-02 09:46 . 2008-01-02 20:29 320 --ahs---- C:\WINDOWS\system32\ghkmp.ini
2008-01-01 18:26 . 2008-01-01 18:23 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-01-01 18:26 . 2008-01-01 18:23 299,392 --a------ C:\WINDOWS\system32\imon.dll
2008-01-01 18:26 . 2008-01-01 18:23 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-12-30 20:56 . 2008-01-10 10:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 20:56 . 2007-12-30 20:56 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 20:39 . 2006-06-27 05:40 12,800 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe
2007-12-27 20:39 . 2006-06-27 05:40 3,584 -----c--- C:\WINDOWS\system32\dllcache\WgaLogon.dll
2007-12-27 20:14 . 2008-01-01 19:39 320 --ahs---- C:\WINDOWS\system32\nmllm.ini
2007-12-25 15:01 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-25 15:00 . 2001-09-06 18:20 286,432 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-25 14:59 . 2001-09-06 21:26 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2007-12-25 14:58 . 2001-09-06 20:29 899,594 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-25 14:57 . 2001-09-06 19:53 1,874,432 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-12-25 14:56 . 2001-08-17 22:06 47,616 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2007-12-25 14:56 . 2001-08-17 22:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2007-12-25 14:56 . 2001-08-17 21:51 20,096 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2007-12-25 14:56 . 2001-08-17 21:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2007-12-25 14:56 . 2001-08-17 21:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2007-12-25 14:56 . 2001-08-17 21:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
2007-12-25 14:56 . 2001-09-06 19:04 12,288 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-25 14:56 . 2001-08-17 21:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2007-12-25 14:56 . 2001-08-17 22:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2007-12-25 14:54 . 2001-09-06 21:27 100,864 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-25 14:53 . 2001-09-06 21:26 585,344 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-12-25 14:52 . 2001-08-17 21:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
2007-12-25 14:51 . 2001-09-06 21:26 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-25 14:50 . 2001-09-06 19:54 634,198 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-25 14:49 . 2001-08-17 20:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-25 14:48 . 2001-09-06 18:59 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2007-12-25 14:47 . 2001-09-06 21:26 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2007-12-25 14:46 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-25 14:45 . 2001-09-06 19:52 1,902,592 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-12-25 14:45 . 2001-09-06 21:26 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-12-23 14:46 . 2007-12-23 14:46 <DIR> d-------- C:\Westwood
2007-12-22 19:39 . 2007-12-22 19:39 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-12-19 19:32 . 2007-12-19 19:32 <DIR> d-------- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Media Player Classic

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 16:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-08 16:28 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-06 18:38 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-28 14:28 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Vso
2007-12-27 17:44 --------- d-----w C:\Program Files\MSN Messenger
2007-12-16 17:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus!
2007-12-16 17:58 --------- d-----w C:\Program Files\Windows Live
2007-12-14 11:54 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Apple Computer
2007-12-14 11:51 --------- d-----w C:\Program Files\QuickTime
2007-12-14 11:50 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-12-11 19:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-09 17:28 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\vsosdk
2007-12-06 14:26 --------- d-----w C:\Program Files\Photodex Presenter
2007-12-06 14:26 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Netscape
2007-12-03 17:04 --------- d-----w C:\Program Files\hp deskjet 3320 series
2007-12-03 17:02 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-02 13:17 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Nero
2007-12-02 13:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2007-12-01 18:12 --------- d-----w C:\Program Files\SpywareGuard
2007-12-01 18:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 18:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2007-12-01 16:59 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\DivX
2007-12-01 16:56 --------- d-----w C:\Program Files\Java
2007-11-30 18:35 --------- d-----w C:\Program Files\Common Files\Java
2007-11-26 20:24 --------- d-----w C:\Documents and Settings\Dekker\Application Data\Vso
2007-11-17 16:18 --------- d--h--r C:\Documents and Settings\Dekker\Application Data\SecuROM
2007-11-13 18:34 47,360 ----a-w C:\Documents and Settings\Dekker\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"nod32kui"="G:\Program Files\Eset\nod32kui.exe" [2008-01-01 18:23 950664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\ddcyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-11-04 00:07 188416 C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero 8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2006-12-20 07:00]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\System32\1365.tmp

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - RASMAN
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 17:20:30
Windows 5.1.2600 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-01-17 17:24:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 16:24:02
.
2008-01-16 15:59:03 --- E O F ---

**smeenk** · 17-01-08, 17:55

Open de map RVAXO op je bureaublad en dubbelklik Uninstall.cmd

Download de bijlage: CFScript.txt

Sleep CFScript.txt in ComboFix.exe zoals getoond in onderstaand voorbeeld :

Dit zal ComboFix doen herstarten.
Start opnieuw op als daarom gevraagd wordt,
en post de inhoud van de Combofix.txt in je volgende antwoord.

Bijgevoegde Bestanden

cfscript.txt (161 Bytes, 130 keer bekeken)

**Tuinhek** · 17-01-08, 20:05

Log:

ComboFix 08-01-17.5 - Administrator 2008-01-17 18:01:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.79 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Bureaublad\cfscript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\tttss.ini
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\tttss.ini

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-17 to 2008-01-17 ))))))))))))))))))))))))))))))
.

2008-01-17 17:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 16:17 . 2007-12-23 00:07 194 --ahs---- C:\BOOT.BAK
2008-01-13 19:09 . 2003-03-19 09:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-01-13 19:09 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-13 19:09 . 2003-03-19 06:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-13 13:12 . 1997-08-14 16:17 117,248 --a------ C:\WINDOWS\system32\Edec.dll
2008-01-13 13:12 . 1997-08-14 16:31 98,816 --a------ C:\WINDOWS\system32\Dec130.dll
2008-01-13 13:12 . 1997-08-14 16:24 89,600 --a------ C:\WINDOWS\system32\Winsdec.dll
2008-01-13 13:12 . 1997-08-14 11:10 80,896 --a------ C:\WINDOWS\system32\Winstr.dll
2008-01-13 13:12 . 1997-08-14 16:06 60,416 --a------ C:\WINDOWS\system32\Winplay.dll
2008-01-13 13:10 . 1996-10-17 21:45 32,388 --a------ C:\WINDOWS\system\Comic.ttf
2008-01-13 13:10 . 1997-02-06 18:29 14 --a------ C:\WINDOWS\Comic.prf
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Shareaza
2008-01-11 18:02 . 2008-01-11 18:02 <DIR> d-------- C:\Program Files\Shareaza Applications
2008-01-08 17:36 . 2008-01-17 17:59 <DIR> dr-h----- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Onlangs geopend
2008-01-02 22:32 . 2008-01-02 22:32 <DIR> d-------- C:\Program Files\Belastingdienst
2008-01-01 18:26 . 2008-01-01 18:23 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-01-01 18:26 . 2008-01-01 18:23 299,392 --a------ C:\WINDOWS\system32\imon.dll
2008-01-01 18:26 . 2008-01-01 18:23 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-12-30 20:56 . 2008-01-10 10:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 20:56 . 2007-12-30 20:56 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 20:39 . 2006-06-27 05:40 12,800 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe
2007-12-27 20:39 . 2006-06-27 05:40 3,584 -----c--- C:\WINDOWS\system32\dllcache\WgaLogon.dll
2007-12-27 20:14 . 2008-01-01 19:39 320 --ahs---- C:\WINDOWS\system32\nmllm.ini
2007-12-25 15:01 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-25 15:00 . 2001-09-06 18:20 286,432 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-25 14:59 . 2001-09-06 21:26 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2007-12-25 14:58 . 2001-09-06 20:29 899,594 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-25 14:57 . 2001-09-06 19:53 1,874,432 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-12-25 14:56 . 2001-08-17 22:06 47,616 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2007-12-25 14:56 . 2001-08-17 22:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2007-12-25 14:56 . 2001-08-17 21:51 20,096 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2007-12-25 14:56 . 2001-08-17 21:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2007-12-25 14:56 . 2001-08-17 21:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2007-12-25 14:56 . 2001-08-17 21:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
2007-12-25 14:56 . 2001-09-06 19:04 12,288 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-25 14:56 . 2001-08-17 21:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2007-12-25 14:56 . 2001-08-17 22:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2007-12-25 14:54 . 2001-09-06 21:27 100,864 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-25 14:53 . 2001-09-06 21:26 585,344 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-12-25 14:52 . 2001-08-17 21:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
2007-12-25 14:51 . 2001-09-06 21:26 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-25 14:50 . 2001-09-06 19:54 634,198 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-25 14:49 . 2001-08-17 20:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-25 14:48 . 2001-09-06 18:59 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2007-12-25 14:47 . 2001-09-06 21:26 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2007-12-25 14:46 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-25 14:45 . 2001-09-06 19:52 1,902,592 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-12-25 14:45 . 2001-09-06 21:26 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-12-23 14:46 . 2007-12-23 14:46 <DIR> d-------- C:\Westwood
2007-12-22 19:39 . 2007-12-22 19:39 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-12-19 19:32 . 2007-12-19 19:32 <DIR> d-------- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Media Player Classic

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 16:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-08 16:28 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-06 18:38 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-28 14:28 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Vso
2007-12-27 17:44 --------- d-----w C:\Program Files\MSN Messenger
2007-12-16 17:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus!
2007-12-16 17:58 --------- d-----w C:\Program Files\Windows Live
2007-12-14 11:54 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Apple Computer
2007-12-14 11:51 --------- d-----w C:\Program Files\QuickTime
2007-12-14 11:50 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-12-11 19:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-09 17:28 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\vsosdk
2007-12-06 14:26 --------- d-----w C:\Program Files\Photodex Presenter
2007-12-06 14:26 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Netscape
2007-12-03 17:04 --------- d-----w C:\Program Files\hp deskjet 3320 series
2007-12-03 17:02 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-02 13:17 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Nero
2007-12-02 13:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2007-12-01 18:12 --------- d-----w C:\Program Files\SpywareGuard
2007-12-01 18:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 18:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2007-12-01 16:59 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\DivX
2007-12-01 16:56 --------- d-----w C:\Program Files\Java
2007-11-30 18:35 --------- d-----w C:\Program Files\Common Files\Java
2007-11-26 20:24 --------- d-----w C:\Documents and Settings\Dekker\Application Data\Vso
2007-11-17 16:18 --------- d--h--r C:\Documents and Settings\Dekker\Application Data\SecuROM
2007-11-13 18:34 47,360 ----a-w C:\Documents and Settings\Dekker\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( [email protected]_17.23.50.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 16:12:37 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-17 17:01:32 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-17 16:12:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 17:01:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 16:12:38 3,186,688 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-17 17:01:33 3,194,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-17 17:01:33 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\ntuser.dat
+ 2008-01-17 17:01:33 180,224 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\UsrClass.dat
- 2008-01-17 16:12:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 17:01:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-12-01 16:19:07 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-17 16:22:28 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-01 16:19:07 53,418 ----a-w C:\WINDOWS\system32\perfc013.dat
+ 2008-01-17 16:22:28 53,418 ----a-w C:\WINDOWS\system32\perfc013.dat
- 2007-12-01 16:19:07 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-17 16:22:28 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-12-01 16:19:07 364,330 ----a-w C:\WINDOWS\system32\perfh013.dat
+ 2008-01-17 16:22:28 364,330 ----a-w C:\WINDOWS\system32\perfh013.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"nod32kui"="G:\Program Files\Eset\nod32kui.exe" [2008-01-01 18:23 950664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-11-04 00:07 188416 C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero 8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2006-12-20 07:00]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\System32\1365.tmp

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 19:56:55
Windows 5.1.2600 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-01-17 20:00:58 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-01-17 19:00:54
ComboFix2.txt 2008-01-17 16:24:07
.
2008-01-16 15:59:03 --- E O F ---

En ik heb bij het opstarten last van kiezen tussen "windows xp" en "windows xp setup" heb even rondgekeken en dit gevonden: http://www.pchelper.nl/forum/index.php?showtopic=51315&mode=linear Kan ik gewoon doen?

**smeenk** · 17-01-08, 20:42

Ja dat mag je wel doen.

Open de map RVAXO op je bureaublad en dubbelklik Uninstall.cmd
Dit zal alles van RVAXO doen verwijderen.

Verwijder de volgende map:
C:\Qoobox

Maak dan je prullenbak leeg.

Download ATF cleaner (mirror)(gemaakt door Atribune)

Belangrijk: Sluit al je browservensters(IE en/of Firefox en/of Opera) om de tool goed te kunnen laten werken.

Dubbelklik op ATF cleaner om het programma te starten.
Op het tabblad "Main", plaats je een vinkje bij Select All.
Klik op de knop Empty Selected.

Het volgende doen als je ook FireFox als browser hebt:
Klik op tabblad "Firefox", plaats een vinkje bij Select All.
Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
(dit haalt het vinkje weer weg bij "Firefox saved passwords")
Klik op de knop Empty Selected.

Het volgende doen als je ook Opera als browser hebt:
Klik op tabblad "Opera", plaats een vinkje bij Select All.
Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
Klik op de knop Empty Selected.
Ga naar het tabblad "Main" en klik op de knop Exit om het programma af te sluiten.

Ga naar Start - Uitvoeren en geef hier het volgende in:
Combofix /U
Druk daarna op OK.
Let op: Er moet een spatie tussen Combofix en /U zitten.

Dit zal Combofix deïnstalleren.

Schakel Systeemherstel uit. Herstart de computer. Schakel Systeemherstel weer in.
Kijk hier hoe je je systeemherstel moet uitschakelen.
Hiermee verwijder je eventuele restanten van de infecties uit je systeemherstel.

Dan denk ik dat we klaar zijn

**Tuinhek** · 17-01-08, 23:15

Mijn Boot.ini zegt:

[Boot Loader]
Timeout=5
Default=C:\$WIN_NT$.~BT\BOOTSECT.DAT
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"

Op die site hebben ze:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Moet het in zijn geheel vervangen?
(even voor de zekerheid voor mij

straks doe ik wat verkeerd en start de computer helemaal niet meer :P)

**smeenk** · 17-01-08, 23:34

Die van jouw wijkt wat af, misschien kan je het beter hier even vragen:

404 Not Found

http://nucia.eu/forum/forumdisplay.php?f=15

**Tuinhek** · 18-01-08, 09:49

Oké, zal ik doen.
Ik heb een scan met ad-aware uitgevoerd, alles is weg

Heel erg bedankt!!

**smeenk** · 18-01-08, 10:36

Graag gedaan hoor, fijn dat het allemaal gelukt is

Groeten smeenk

Mededeling

'astakiller' en 'virtumundo'

'astakiller' en 'virtumundo'

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment