'astakiller' and 'virtumundo'
  • 'astakiller' and 'virtumundo'

    Good afternoon,
    I have already run scans several times with Ad-Aware and Spybot S&D, but astakiller and virtumundo keep coming back. When I try to remove virtumundo with Ad-Aware it gives an error and closes itself. It also happens that the taskbar disappears, and the desktop too.
    (ctrl+alt+del > "New Task" > "explorer.exe" fixes this, but afterwards IE no longer works)
    How do I get rid of this?


    My HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:31:53, on 17-1-2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    G:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Nero\Nero8\Nero 8\Nero BackItUp\NBService.exe
    G:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    G:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\wuauclt.exe
    G:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nod32kui] "G:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [UADCNL_3490827996] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
    O4 - HKLM\..\Run: [a4fbf25f] rundll32.exe "C:\WINDOWS\System32\phjgwknv.dll",b
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196525954238
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197498535389
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero 8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - G:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

  • #2
    Download VirtumundoBegone (mirror)
    Save it to your desktop.

    Double-click VirtumundoBeGone.exe and follow the prompts.
    Don't be alarmed if you see a blue screen with an error message - this is normal.
    When the fix has finished, restart the PC.
    Post the contents of the log file VBG.TXT, which is now on your desktop, in your next reply.


    Download: RVAXO.exe
    • Save the file to your desktop, double-click it and choose "Unzip" to extract it.
    • Now open the RVAXO folder on your desktop and double-click RVAXO.cmd
      A cmd window will open; a few lines about files not found will quickly scroll by, this is normal.
    • An uninstaller of a rogue scanner may also start; do not close it, but follow any prompts and let it do its work.
    • Your PC will then restart; after the restart the RVAXO cmd window opens again.
      Let it run and wait until a log file opens: C:\RVAXO-results.log
    • If your computer does not restart by itself, or the tool does not start after the reboot, do this manually.
    • Post the contents of the log file in your next reply.


    Download Combofix (mirror) to your Desktop.
    Double-click Combofix.exe
    Choose "Continue" by typing 1 followed by ENTER.
    While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix is complete and after the restart, the log combofix.txt will open.
    Post this log in your next reply.

    NOTE: If your virus scanner responds with a warning about a script execution, you may ignore it.



    • #3
      VBG:


      [01/17/2008, 16:55:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Bureaublad\VirtumundoBeGone.exe" )
      [01/17/2008, 16:55:36] - Detected System Information:
      [01/17/2008, 16:55:36] - Windows Version: 5.1.2600,
      [01/17/2008, 16:55:36] - Current Username: Administrator (Admin)
      [01/17/2008, 16:55:36] - Windows is in NORMAL mode.
      [01/17/2008, 16:55:36] - Searching for Browser Helper Objects:
      [01/17/2008, 16:55:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Help bij koppelingen)
      [01/17/2008, 16:55:36] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
      [01/17/2008, 16:55:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [01/17/2008, 16:55:36] - Checking for HKLM\...\Winlogon\Notify\urqrooo
      [01/17/2008, 16:55:36] - Found: HKLM\...\Winlogon\Notify\urqrooo - This is probably Virtumundo.
      [01/17/2008, 16:55:36] - Assigning {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} MSEvents Object
      [01/17/2008, 16:55:36] - BHO list has been changed! Starting over...
      [01/17/2008, 16:55:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Help bij koppelingen)
      [01/17/2008, 16:55:36] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
      [01/17/2008, 16:55:36] - ALERT: Found MSEvents Object!
      [01/17/2008, 16:55:36] - BHO 3: {7493b8c4-1023-4733-9c77-6b1697b41e88} ()
      [01/17/2008, 16:55:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [01/17/2008, 16:55:36] - Checking for HKLM\...\Winlogon\Notify\rftobcet
      [01/17/2008, 16:55:36] - Key not found: HKLM\...\Winlogon\Notify\rftobcet, continuing.
      [01/17/2008, 16:55:36] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
      [01/17/2008, 16:55:36] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
      [01/17/2008, 16:55:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [01/17/2008, 16:55:36] - No filename found. Continuing.
      [01/17/2008, 16:55:36] - BHO 6: {D2DE00C1-0935-4A53-99FE-6AC1713AC523} ()
      [01/17/2008, 16:55:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [01/17/2008, 16:55:36] - Checking for HKLM\...\Winlogon\Notify\ddcyx
      [01/17/2008, 16:55:36] - Key not found: HKLM\...\Winlogon\Notify\ddcyx, continuing.
      [01/17/2008, 16:55:36] - Finished Searching Browser Helper Objects
      [01/17/2008, 16:55:36] - *** Detected MSEvents Object
      [01/17/2008, 16:55:36] - Trying to remove MSEvents Object...
      [01/17/2008, 16:55:37] - Terminating Process: IEXPLORE.EXE
      [01/17/2008, 16:55:37] - Terminating Process: RUNDLL32.EXE
      [01/17/2008, 16:55:37] - Disabling Automatic Shell Restart
      [01/17/2008, 16:55:37] - Terminating Process: EXPLORER.EXE
      [01/17/2008, 16:55:38] - Suspending the NT Session Manager System Service
      [01/17/2008, 16:55:38] - Terminating Windows NT Logon/Logoff Manager
      [01/17/2008, 16:55:38] - Re-enabling Automatic Shell Restart
      [01/17/2008, 16:55:38] - File to disable: C:\WINDOWS\system32\urqrooo.dll
      [01/17/2008, 16:55:38] - Renaming C:\WINDOWS\system32\urqrooo.dll -> C:\WINDOWS\system32\urqrooo.dll.vir
      [01/17/2008, 16:55:39] - ! File rename was unsucessful.
      [01/17/2008, 16:55:39] - Attempting to Deny Access to C:\WINDOWS\system32\urqrooo.dll
      [01/17/2008, 16:55:39] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
      [01/17/2008, 16:55:39] - ERROR: Er is geen toewijzing uitgevoerd tussen accountnamen en beveiligings-ID's.

      [01/17/2008, 16:55:39] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
      [01/17/2008, 16:55:39] - Removing HKLM\...\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
      [01/17/2008, 16:55:39] - Removing HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
      [01/17/2008, 16:55:39] - Adding Kill Bit for ActiveX for GUID: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
      [01/17/2008, 16:55:39] - Deleting ATLEvents/MSEvents Registry entries
      [01/17/2008, 16:55:39] - Removing HKLM\...\Winlogon\Notify\urqrooo
      [01/17/2008, 16:55:39] - Searching for Browser Helper Objects:
      [01/17/2008, 16:55:39] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Help bij koppelingen)
      [01/17/2008, 16:55:39] - BHO 2: {7493b8c4-1023-4733-9c77-6b1697b41e88} ()
      [01/17/2008, 16:55:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [01/17/2008, 16:55:40] - Checking for HKLM\...\Winlogon\Notify\rftobcet
      [01/17/2008, 16:55:40] - Key not found: HKLM\...\Winlogon\Notify\rftobcet, continuing.
      [01/17/2008, 16:55:40] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
      [01/17/2008, 16:55:40] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
      [01/17/2008, 16:55:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [01/17/2008, 16:55:40] - No filename found. Continuing.
      [01/17/2008, 16:55:40] - BHO 5: {D2DE00C1-0935-4A53-99FE-6AC1713AC523} ()
      [01/17/2008, 16:55:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [01/17/2008, 16:55:40] - Checking for HKLM\...\Winlogon\Notify\ddcyx
      [01/17/2008, 16:55:40] - Key not found: HKLM\...\Winlogon\Notify\ddcyx, continuing.
      [01/17/2008, 16:55:40] - Finished Searching Browser Helper Objects
      [01/17/2008, 16:55:40] - Finishing up...
      [01/17/2008, 16:55:40] - A restart is needed.
      [01/17/2008, 16:55:47] - Attempting to Restart via STOP error (Blue Screen!)


      RVAXO:

      ---RVAXO.exe Updated: 2008-01-17---first run---
      Files found:
      C:\WINDOWS\system32\urqrooo.dll.vir
      C:\WINDOWS\system32\xycdd.ini2
      C:\WINDOWS\system32\mcrh.tmp
      C:\WINDOWS\system32\actskn45.ocx

      Uninstallers Rogue scanners:

      AdvancedCleaner Free uninstaller found

      Folders Found:

      C:\Program Files\AdvancedCleaner Free

      Hosts-file was reset, If you use a custom hosts file please replace it...

      --------------RVAXO.exe last run---------------

      Files found:

      Folders Found:

      --------------RVAXO.exe finished----------------

      Combofix:

      ComboFix 08-01-17.5 - Administrator 2008-01-17 17:13:21.1 - NTFSx86
      Microsoft Windows XP Professional 5.1.2600.0.1252.31.1043.18.59 [GMT 1:00]
      Gestart vanuit: C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Bureaublad\ComboFix.exe
      * Nieuw herstelpunt werd aangemaakt

      WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
      .

      (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\WINDOWS\cookies.ini
      C:\WINDOWS\system32\agnfskgx.dll
      C:\WINDOWS\system32\ddcyx.dll
      C:\WINDOWS\system32\dpeerall.dll
      C:\WINDOWS\system32\ggovssxu.ini
      C:\WINDOWS\system32\gvepsxpo.dll
      C:\WINDOWS\system32\hrrqkbct.ini
      C:\WINDOWS\system32\jhebcghw.ini
      C:\WINDOWS\system32\jvgmndcn.dll
      C:\WINDOWS\system32\llareepd.ini
      C:\WINDOWS\system32\msssc.dll
      C:\WINDOWS\system32\oqrfrrdw.dll
      C:\WINDOWS\system32\phjgwknv.dll
      C:\WINDOWS\system32\rftobcet.dll
      C:\WINDOWS\system32\tcbkqrrh.dll
      C:\WINDOWS\system32\uudythsy.dll
      C:\WINDOWS\system32\vnkwgjhp.ini
      C:\WINDOWS\system32\wdrrfrqo.ini
      C:\WINDOWS\system32\wgbpyoog.dll
      C:\WINDOWS\system32\xycdd.ini
      C:\WINDOWS\system32\xycdd.ini2
      C:\WINDOWS\system32\ysnnxmxj.dll

      .
      (((((((((((((((((((( Bestanden Gemaakt van 2007-12-17 to 2008-01-17 ))))))))))))))))))))))))))))))
      .

      2008-01-17 17:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
      2008-01-17 17:02 . 2008-01-17 17:03 <DIR> d-------- C:\RVAXO
      2008-01-17 16:59 . 2008-01-17 15:53 611,005 --a------ C:\WINDOWS\system32\RVAXO.bat
      2008-01-17 16:59 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
      2008-01-17 16:17 . 2007-12-23 00:07 194 --ahs---- C:\BOOT.BAK
      2008-01-13 19:09 . 2003-03-19 09:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
      2008-01-13 19:09 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
      2008-01-13 19:09 . 2003-03-19 06:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
      2008-01-13 13:12 . 1997-08-14 16:17 117,248 --a------ C:\WINDOWS\system32\Edec.dll
      2008-01-13 13:12 . 1997-08-14 16:31 98,816 --a------ C:\WINDOWS\system32\Dec130.dll
      2008-01-13 13:12 . 1997-08-14 16:24 89,600 --a------ C:\WINDOWS\system32\Winsdec.dll
      2008-01-13 13:12 . 1997-08-14 11:10 80,896 --a------ C:\WINDOWS\system32\Winstr.dll
      2008-01-13 13:12 . 1997-08-14 16:06 60,416 --a------ C:\WINDOWS\system32\Winplay.dll
      2008-01-13 13:10 . 1996-10-17 21:45 32,388 --a------ C:\WINDOWS\system\Comic.ttf
      2008-01-13 13:10 . 1997-02-06 18:29 14 --a------ C:\WINDOWS\Comic.prf
      2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Shareaza
      2008-01-11 18:02 . 2008-01-11 18:02 <DIR> d-------- C:\Program Files\Shareaza Applications
      2008-01-08 17:36 . 2008-01-17 16:44 <DIR> dr-h----- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Onlangs geopend
      2008-01-07 18:43 . 2008-01-15 19:04 320 --ahs---- C:\WINDOWS\system32\tttss.ini
      2008-01-06 20:08 . 2008-01-07 18:28 320 --ahs---- C:\WINDOWS\system32\gjkkj.ini
      2008-01-05 18:11 . 2008-01-06 18:04 320 --ahs---- C:\WINDOWS\system32\mlnmp.ini
      2008-01-02 22:32 . 2008-01-02 22:32 <DIR> d-------- C:\Program Files\Belastingdienst
      2008-01-02 22:23 . 2008-01-05 14:57 320 --ahs---- C:\WINDOWS\system32\egjlm.ini
      2008-01-02 09:46 . 2008-01-02 20:29 320 --ahs---- C:\WINDOWS\system32\ghkmp.ini
      2008-01-01 18:26 . 2008-01-01 18:23 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
      2008-01-01 18:26 . 2008-01-01 18:23 299,392 --a------ C:\WINDOWS\system32\imon.dll
      2008-01-01 18:26 . 2008-01-01 18:23 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
      2007-12-30 20:56 . 2008-01-10 10:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
      2007-12-30 20:56 . 2007-12-30 20:56 1,409 --a------ C:\WINDOWS\QTFont.for
      2007-12-27 20:39 . 2006-06-27 05:40 12,800 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe
      2007-12-27 20:39 . 2006-06-27 05:40 3,584 -----c--- C:\WINDOWS\system32\dllcache\WgaLogon.dll
      2007-12-27 20:14 . 2008-01-01 19:39 320 --ahs---- C:\WINDOWS\system32\nmllm.ini
      2007-12-25 15:01 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
      2007-12-25 15:00 . 2001-09-06 18:20 286,432 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
      2007-12-25 14:59 . 2001-09-06 21:26 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
      2007-12-25 14:58 . 2001-09-06 20:29 899,594 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
      2007-12-25 14:57 . 2001-09-06 19:53 1,874,432 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
      2007-12-25 14:56 . 2001-08-17 22:06 47,616 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
      2007-12-25 14:56 . 2001-08-17 22:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
      2007-12-25 14:56 . 2001-08-17 21:51 20,096 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
      2007-12-25 14:56 . 2001-08-17 21:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
      2007-12-25 14:56 . 2001-08-17 21:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
      2007-12-25 14:56 . 2001-08-17 21:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
      2007-12-25 14:56 . 2001-09-06 19:04 12,288 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
      2007-12-25 14:56 . 2001-08-17 21:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
      2007-12-25 14:56 . 2001-08-17 22:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
      2007-12-25 14:54 . 2001-09-06 21:27 100,864 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
      2007-12-25 14:53 . 2001-09-06 21:26 585,344 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
      2007-12-25 14:52 . 2001-08-17 21:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
      2007-12-25 14:51 . 2001-09-06 21:26 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
      2007-12-25 14:50 . 2001-09-06 19:54 634,198 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
      2007-12-25 14:49 . 2001-08-17 20:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
      2007-12-25 14:48 . 2001-09-06 18:59 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
      2007-12-25 14:47 . 2001-09-06 21:26 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
      2007-12-25 14:46 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
      2007-12-25 14:45 . 2001-09-06 19:52 1,902,592 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
      2007-12-25 14:45 . 2001-09-06 21:26 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
      2007-12-23 14:46 . 2007-12-23 14:46 <DIR> d-------- C:\Westwood
      2007-12-22 19:39 . 2007-12-22 19:39 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
      2007-12-19 19:32 . 2007-12-19 19:32 <DIR> d-------- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Media Player Classic

      .
      ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-01-08 16:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
      2008-01-08 16:28 --------- d-----w C:\Program Files\Common Files\Adobe
      2008-01-06 18:38 --------- d-----w C:\Program Files\Messenger Plus! Live
      2007-12-28 14:28 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Vso
      2007-12-27 17:44 --------- d-----w C:\Program Files\MSN Messenger
      2007-12-16 17:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus!
      2007-12-16 17:58 --------- d-----w C:\Program Files\Windows Live
      2007-12-14 11:54 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Apple Computer
      2007-12-14 11:51 --------- d-----w C:\Program Files\QuickTime
      2007-12-14 11:50 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
      2007-12-11 19:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
      2007-12-09 17:28 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\vsosdk
      2007-12-06 14:26 --------- d-----w C:\Program Files\Photodex Presenter
      2007-12-06 14:26 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Netscape
      2007-12-03 17:04 --------- d-----w C:\Program Files\hp deskjet 3320 series
      2007-12-03 17:02 --------- d-----w C:\Program Files\Hewlett-Packard
      2007-12-02 13:17 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Nero
      2007-12-02 13:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
      2007-12-01 18:12 --------- d-----w C:\Program Files\SpywareGuard
      2007-12-01 18:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
      2007-12-01 18:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
      2007-12-01 16:59 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\DivX
      2007-12-01 16:56 --------- d-----w C:\Program Files\Java
      2007-11-30 18:35 --------- d-----w C:\Program Files\Common Files\Java
      2007-11-26 20:24 --------- d-----w C:\Documents and Settings\Dekker\Application Data\Vso
      2007-11-17 16:18 --------- d--h--r C:\Documents and Settings\Dekker\Application Data\SecuROM
      2007-11-13 18:34 47,360 ----a-w C:\Documents and Settings\Dekker\Application Data\pcouffin.sys
      .

      ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      REGEDIT4
      *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
      "nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
      "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
      "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
      "nod32kui"="G:\Program Files\Eset\nod32kui.exe" [2008-01-01 18:23 950664]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
      Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\ddcyx.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
      --a------ 2002-11-04 00:07 188416 C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
      --a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero 8\Nero BackItUp\NBKeyScan.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
      --a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

      R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2006-12-20 07:00]
      S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\System32\1365.tmp

      *Newly Created Service* - ALG
      *Newly Created Service* - IPNAT
      *Newly Created Service* - RASAUTO
      *Newly Created Service* - RASMAN
      .
      **************************************************************************

      catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-01-17 17:20:30
      Windows 5.1.2600 NTFS

      scannen van verborgen processen ...

      scannen van verborgen autostart items ...

      scannen van verborgen bestanden ...

      Scan succesvol afgerond
      verborgen bestanden: 0

      **************************************************************************
      .
      Voltooingstijd: 2008-01-17 17:24:07 - machine was rebooted
      ComboFix-quarantined-files.txt 2008-01-17 16:24:02
      .
      2008-01-16 15:59:03 --- E O F ---

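The VirtumundoBeGone log above shows the heuristic the tool applies: a BHO with no default name whose DLL basename also exists as a Winlogon\Notify subkey is treated as Vundo. As an added example (not code from the thread or from any of the tools it uses), the script below implements that check in Python, together with checks for the two other persistence points visible in these logs: the rundll32 O4 entry from the HijackThis log and the extra LSA Authentication Package from the ComboFix log. The BHO list and the Winlogon\Notify key set are constructed sample data modelled on the log, and the Adobe DLL path is an assumption.

```python
import re
from dataclasses import dataclass


# --- Constructed sample data, modelled on the logs in this thread -----------
@dataclass
class Bho:
    clsid: str   # HKLM\...\Browser Helper Objects subkey
    name: str    # default value of HKCR\CLSID\{clsid}; "" when it has none
    dll: str     # InprocServer32 path the CLSID resolves to


SAMPLE_BHOS = [
    Bho("{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}", "Adobe PDF Reader Help bij koppelingen",
        r"C:\Program Files\Adobe\Reader\AcroIEHelper.dll"),   # path assumed, not from the log
    Bho("{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}", "", r"C:\WINDOWS\system32\urqrooo.dll"),
    Bho("{7493b8c4-1023-4733-9c77-6b1697b41e88}", "", r"C:\WINDOWS\system32\rftobcet.dll"),
    Bho("{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}", "SSVHelper Class",
        r"C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll"),
]
# Subkeys under HKLM\...\Winlogon\Notify at scan time (constructed: only
# "urqrooo" comes from the log, the rest are ordinary Windows XP defaults).
SAMPLE_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                          "Schedule", "sclgntfy", "SensLogn", "termsrv",
                          "wlballoon", "urqrooo"}


def _stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\urqrooo.dll' -> 'urqrooo'"""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def bho_winlogon_pair(bho: Bho, notify_keys) -> bool:
    """VirtumundoBeGone's heuristic: Vundo registers the same DLL both as a
    nameless BHO and as a Winlogon\\Notify package, so each reinstalls the
    other. A BHO that has a default name is skipped, as in the log."""
    if bho.name:
        return False
    lowered = {k.lower() for k in notify_keys}
    return _stem(bho.dll).lower() in lowered


def triage_bhos(bhos, notify_keys):
    """CLSIDs of BHOs that pair with a Winlogon\\Notify key."""
    return [b.clsid for b in bhos if bho_winlogon_pair(b, notify_keys)]


# --- HijackThis O4 lines: rundll32 loading an unknown DLL -------------------
O4_LINE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)\s*$', re.I)


def suspicious_rundll32(line: str):
    """Return the reasons an O4 rundll32 entry resembles the Vundo line
    '[a4fbf25f] rundll32.exe "C:\\WINDOWS\\System32\\phjgwknv.dll",b',
    or None when the line is not a rundll32 entry or looks ordinary."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    c = RUNDLL.match(m["cmd"])
    if not c:
        return None
    reasons = []
    if len(c["export"]) == 1:
        reasons.append("single-letter export name")
    if re.fullmatch(r"[0-9a-f]{8}", m["value"]):
        reasons.append("hex-looking Run value name")
    if "system32" in c["dll"].lower() and re.fullmatch(r"[a-z]{5,8}", _stem(c["dll"])):
        reasons.append("random-looking lowercase DLL name in System32")
    return reasons or None


# --- ComboFix: LSA Authentication Packages ----------------------------------
def extra_auth_packages(packages):
    """lsass.exe loads every entry of this REG_MULTI_SZ at boot. On XP only
    msv1_0 is expected; the ComboFix log above shows ddcyx.dll added to it."""
    return [p for p in packages if p.lower() != "msv1_0"]


if __name__ == "__main__":
    print(triage_bhos(SAMPLE_BHOS, SAMPLE_WINLOGON_NOTIFY))
    for l in [r'O4 - HKLM\..\Run: [a4fbf25f] rundll32.exe "C:\WINDOWS\System32\phjgwknv.dll",b',
              r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"]:
        print(l, "->", suspicious_rundll32(l))
    print(extra_auth_packages(["msv1_0", r"C:\WINDOWS\System32\ddcyx.dll"]))
```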


      • #4
        Open the RVAXO folder on your desktop and double-click Uninstall.cmd

        Download the attachment: CFScript.txt

        Drag CFScript.txt onto ComboFix.exe as shown in the example below:



        This will make ComboFix restart.
        Restart if asked to do so,
        and post the contents of Combofix.txt in your next reply.



        • #5
          Log:

          ComboFix 08-01-17.5 - Administrator 2008-01-17 18:01:44.2 - NTFSx86
          Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.79 [GMT 1:00]
          Gestart vanuit: C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Bureaublad\ComboFix.exe
          Command switches used :: C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Bureaublad\cfscript.txt
          * Nieuw herstelpunt werd aangemaakt

          WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

          FILE
          C:\WINDOWS\system32\egjlm.ini
          C:\WINDOWS\system32\ghkmp.ini
          C:\WINDOWS\system32\gjkkj.ini
          C:\WINDOWS\system32\mlnmp.ini
          C:\WINDOWS\system32\tttss.ini
          .

          (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          C:\WINDOWS\system32\egjlm.ini
          C:\WINDOWS\system32\ghkmp.ini
          C:\WINDOWS\system32\gjkkj.ini
          C:\WINDOWS\system32\mlnmp.ini
          C:\WINDOWS\system32\tttss.ini

          .
          (((((((((((((((((((( Bestanden Gemaakt van 2007-12-17 to 2008-01-17 ))))))))))))))))))))))))))))))
          .

          2008-01-17 17:12 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
          2008-01-17 16:17 . 2007-12-23 00:07 194 --ahs---- C:\BOOT.BAK
          2008-01-13 19:09 . 2003-03-19 09:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
          2008-01-13 19:09 . 2003-03-19 07:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
          2008-01-13 19:09 . 2003-03-19 06:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
          2008-01-13 13:12 . 1997-08-14 16:17 117,248 --a------ C:\WINDOWS\system32\Edec.dll
          2008-01-13 13:12 . 1997-08-14 16:31 98,816 --a------ C:\WINDOWS\system32\Dec130.dll
          2008-01-13 13:12 . 1997-08-14 16:24 89,600 --a------ C:\WINDOWS\system32\Winsdec.dll
          2008-01-13 13:12 . 1997-08-14 11:10 80,896 --a------ C:\WINDOWS\system32\Winstr.dll
          2008-01-13 13:12 . 1997-08-14 16:06 60,416 --a------ C:\WINDOWS\system32\Winplay.dll
          2008-01-13 13:10 . 1996-10-17 21:45 32,388 --a------ C:\WINDOWS\system\Comic.ttf
          2008-01-13 13:10 . 1997-02-06 18:29 14 --a------ C:\WINDOWS\Comic.prf
          2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Shareaza
          2008-01-11 18:02 . 2008-01-11 18:02 <DIR> d-------- C:\Program Files\Shareaza Applications
          2008-01-08 17:36 . 2008-01-17 17:59 <DIR> dr-h----- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Onlangs geopend
          2008-01-02 22:32 . 2008-01-02 22:32 <DIR> d-------- C:\Program Files\Belastingdienst
          2008-01-01 18:26 . 2008-01-01 18:23 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
          2008-01-01 18:26 . 2008-01-01 18:23 299,392 --a------ C:\WINDOWS\system32\imon.dll
          2008-01-01 18:26 . 2008-01-01 18:23 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
          2007-12-30 20:56 . 2008-01-10 10:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
          2007-12-30 20:56 . 2007-12-30 20:56 1,409 --a------ C:\WINDOWS\QTFont.for
          2007-12-27 20:39 . 2006-06-27 05:40 12,800 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe
          2007-12-27 20:39 . 2006-06-27 05:40 3,584 -----c--- C:\WINDOWS\system32\dllcache\WgaLogon.dll
          2007-12-27 20:14 . 2008-01-01 19:39 320 --ahs---- C:\WINDOWS\system32\nmllm.ini
          2007-12-25 15:01 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
          2007-12-25 15:00 . 2001-09-06 18:20 286,432 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
          2007-12-25 14:59 . 2001-09-06 21:26 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
          2007-12-25 14:58 . 2001-09-06 20:29 899,594 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
          2007-12-25 14:57 . 2001-09-06 19:53 1,874,432 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
          2007-12-25 14:56 . 2001-08-17 22:06 47,616 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
          2007-12-25 14:56 . 2001-08-17 22:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
          2007-12-25 14:56 . 2001-08-17 21:51 20,096 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
          2007-12-25 14:56 . 2001-08-17 21:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
          2007-12-25 14:56 . 2001-08-17 21:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
          2007-12-25 14:56 . 2001-08-17 21:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
          2007-12-25 14:56 . 2001-09-06 19:04 12,288 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
          2007-12-25 14:56 . 2001-08-17 21:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
          2007-12-25 14:56 . 2001-08-17 22:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
          2007-12-25 14:54 . 2001-09-06 21:27 100,864 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
          2007-12-25 14:53 . 2001-09-06 21:26 585,344 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
          2007-12-25 14:52 . 2001-08-17 21:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
          2007-12-25 14:51 . 2001-09-06 21:26 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
          2007-12-25 14:50 . 2001-09-06 19:54 634,198 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
          2007-12-25 14:49 . 2001-08-17 20:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
          2007-12-25 14:48 . 2001-09-06 18:59 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
          2007-12-25 14:47 . 2001-09-06 21:26 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
          2007-12-25 14:46 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
          2007-12-25 14:45 . 2001-09-06 19:52 1,902,592 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
          2007-12-25 14:45 . 2001-09-06 21:26 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
          2007-12-23 14:46 . 2007-12-23 14:46 <DIR> d-------- C:\Westwood
          2007-12-22 19:39 . 2007-12-22 19:39 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
          2007-12-19 19:32 . 2007-12-19 19:32 <DIR> d-------- C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Media Player Classic

          .
          ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2008-01-08 16:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
          2008-01-08 16:28 --------- d-----w C:\Program Files\Common Files\Adobe
          2008-01-06 18:38 --------- d-----w C:\Program Files\Messenger Plus! Live
          2007-12-28 14:28 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Vso
          2007-12-27 17:44 --------- d-----w C:\Program Files\MSN Messenger
          2007-12-16 17:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus!
          2007-12-16 17:58 --------- d-----w C:\Program Files\Windows Live
          2007-12-14 11:54 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Apple Computer
          2007-12-14 11:51 --------- d-----w C:\Program Files\QuickTime
          2007-12-14 11:50 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
          2007-12-11 19:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
          2007-12-09 17:28 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\vsosdk
          2007-12-06 14:26 --------- d-----w C:\Program Files\Photodex Presenter
          2007-12-06 14:26 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Netscape
          2007-12-03 17:04 --------- d-----w C:\Program Files\hp deskjet 3320 series
          2007-12-03 17:02 --------- d-----w C:\Program Files\Hewlett-Packard
          2007-12-02 13:17 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\Nero
          2007-12-02 13:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
          2007-12-01 18:12 --------- d-----w C:\Program Files\SpywareGuard
          2007-12-01 18:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
          2007-12-01 18:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
          2007-12-01 16:59 --------- d-----w C:\Documents and Settings\Administrator.DEKKER-ONFCVDHE\Application Data\DivX
          2007-12-01 16:56 --------- d-----w C:\Program Files\Java
          2007-11-30 18:35 --------- d-----w C:\Program Files\Common Files\Java
          2007-11-26 20:24 --------- d-----w C:\Documents and Settings\Dekker\Application Data\Vso
          2007-11-17 16:18 --------- d--h--r C:\Documents and Settings\Dekker\Application Data\SecuROM
          2007-11-13 18:34 47,360 ----a-w C:\Documents and Settings\Dekker\Application Data\pcouffin.sys
          .

          ((((((((((((((((((((((((((((( [email protected]_17.23.50.04 )))))))))))))))))))))))))))))))))))))))))
          .
          - 2008-01-17 16:12:37 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
          + 2008-01-17 17:01:32 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
          - 2008-01-17 16:12:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
          + 2008-01-17 17:01:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
          - 2008-01-17 16:12:38 3,186,688 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
          + 2008-01-17 17:01:33 3,194,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
          + 2008-01-17 17:01:33 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\ntuser.dat
          + 2008-01-17 17:01:33 180,224 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\UsrClass.dat
          - 2008-01-17 16:12:38 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
          + 2008-01-17 17:01:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
          - 2007-12-01 16:19:07 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
          + 2008-01-17 16:22:28 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
          - 2007-12-01 16:19:07 53,418 ----a-w C:\WINDOWS\system32\perfc013.dat
          + 2008-01-17 16:22:28 53,418 ----a-w C:\WINDOWS\system32\perfc013.dat
          - 2007-12-01 16:19:07 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
          + 2008-01-17 16:22:28 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
          - 2007-12-01 16:19:07 364,330 ----a-w C:\WINDOWS\system32\perfh013.dat
          + 2008-01-17 16:22:28 364,330 ----a-w C:\WINDOWS\system32\perfh013.dat
          .
          ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          REGEDIT4
          *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
          "nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
          "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22 7700480]
          "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
          "nod32kui"="G:\Program Files\Eset\nod32kui.exe" [2008-01-01 18:23 950664]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
          --a------ 2002-11-04 00:07 188416 C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
          --a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero 8\Nero BackItUp\NBKeyScan.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
          --a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

          R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys [2006-12-20 07:00]
          S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\System32\1365.tmp

          .
          **************************************************************************

          catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2008-01-17 19:56:55
          Windows 5.1.2600 NTFS

          scannen van verborgen processen ...

          scannen van verborgen autostart items ...

          scannen van verborgen bestanden ...

          Scan succesvol afgerond
          verborgen bestanden: 0

          **************************************************************************
          .
          Voltooingstijd: 2008-01-17 20:00:58 - machine was rebooted [Administrator]
          ComboFix-quarantined-files.txt 2008-01-17 19:00:54
          ComboFix2.txt 2008-01-17 16:24:07
          .
          2008-01-16 15:59:03 --- E O F ---


          And at startup I also have to choose between "windows xp" and "windows xp setup". I had a look around and found this: http://www.pchelper.nl/forum/index.php?showtopic=51315&mode=linear Can I just do that?



          • #6
            Yes, you can do that.

            Open the RVAXO folder on your desktop and double-click Uninstall.cmd
            This will remove everything belonging to RVAXO.

            Delete the following folder:
            C:\Qoobox

            Then empty your Recycle Bin.

            Download ATF cleaner (mirror) (made by Atribune)

            Important: Close all your browser windows (IE and/or Firefox and/or Opera) so the tool can do its work properly.

            Double-click ATF cleaner to start the program.
            On the "Main" tab, tick Select All.
            Click the Empty Selected button.

            Do the following if you also use Firefox as a browser:
            Click the "Firefox" tab and tick Select All.
            If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
            (this removes the tick from "Firefox saved passwords" again)
            Click the Empty Selected button.

            Do the following if you also use Opera as a browser:
            Click the "Opera" tab and tick Select All.
            If you want to keep the passwords saved by Opera, click "No" in the window that appears.
            Click the Empty Selected button.
            Go to the "Main" tab and click the Exit button to close the program.

            Go to Start - Run and enter the following:
            Combofix /U
            Then press OK.
            Note: There must be a space between Combofix and /U.

            This will uninstall Combofix.

            Disable System Restore. Restart the computer. Enable System Restore again.
            See here how to disable your System Restore.
            This removes any remnants of the infections from your System Restore.

            Then I think we're done



            • #7
              My Boot.ini says:

              [Boot Loader]
              Timeout=5
              Default=C:\$WIN_NT$.~BT\BOOTSECT.DAT
              [Operating Systems]
              multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
              C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"

              On that site they have:

              [boot loader]
              timeout=30
              default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
              [operating systems]
              multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


              Should I replace it entirely?
              (just to be sure, in case I do something wrong later and the computer won't start at all anymore :P)

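As an added example that is not part of this thread: a small Python check for a boot.ini like the two quoted above. It reads the [boot loader] default and the [operating systems] entries, reports when the default does not name a listed entry, and flags entries that still point at the XP setup boot sector ($WIN_NT$.~BT); the function names and finding strings are my own.

```python
# Added example, not the thread's own: sanity-check a boot.ini like the two quoted above.
# It checks that the [boot loader] default names a listed [operating systems] entry and
# flags entries still pointing at the XP setup boot sector ($WIN_NT$.~BT), the source
# of the extra "Setup" choice at startup.
def parse_boot_ini(text):
    """Return (default_target, {entry: description}) from boot.ini text."""
    section, default, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"): continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names vary in case
            continue
        key, sep, value = line.partition("=")
        if not sep: continue
        key, value = key.strip(), value.strip()
        if section == "boot loader" and key.lower() == "default":
            default = value
        elif section == "operating systems":
            entries[key] = value
    return default, entries

def check_boot_ini(text):
    """Return a list of findings; an empty list means the file looks consistent."""
    default, entries = parse_boot_ini(text)
    findings = []
    if default is None:
        findings.append("no default= line in [boot loader]")
    elif default not in entries:
        findings.append("default target has no [operating systems] entry: " + default)
    elif "$WIN_NT$.~BT" in default.upper():
        findings.append("default boots the setup boot sector: " + default)
    for target in entries:
        if "$WIN_NT$.~BT" in target.upper():
            findings.append("leftover setup entry: " + target)
    return findings

# The two boot.ini files quoted in post #7, embedded as input for the check.
USER_BOOT_INI = r"""[Boot Loader]
Timeout=5
Default=C:\$WIN_NT$.~BT\BOOTSECT.DAT
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"
"""
SITE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
"""
```

Running `check_boot_ini` on the user's file reports two findings (the default boots the setup boot sector, and a leftover setup entry), while the file from the linked site reports none.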


              • #8
                Yours differs a bit; maybe it's better to ask here:



                • #9
                  Okay, will do.
                  I ran a scan with Ad-Aware, everything is gone
                  Thank you very much!!



                  • #10
                    You're welcome, glad it all worked out

                    Regards smeenk
