MSserver in startup registry won't go away

Collapse
X
  •  
  • Filter
  • Tijd
  • Show
Clear All
new posts

  • MSserver in startup registry won't go away

    Hello,

    Since today I suddenly have MSserver in the startup registry, and when I remove it, it comes straight back. Does anyone have an idea how to remove this?
    (see O4: cbxwwwu.dll )

    ***Update: with VundoFix I found this file and had it removed. After the restart I removed msserver from the startup menu and it does not come back there. But now Spyware Doctor says practically every second that a program is again trying to add something to the registry.
    "Winlogon.exe attempting to write to the registry. Path: Hkey..blabla..windows\currentversion\Run, MSServer="run dll32.exe C:\windows\system32\awtss.dll
    I have put the newest HJT log at the top.
    PS: VirtumundoBeGone finds nothing, even though according to Spyware Doctor it is that kind of trojan.
    ***

    Thanks in advance,



    New HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:45, on 2008-01-31
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Gmail Notifier\gnotify.exe
    C:\Windows\system32\svchost.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\Windows\system32\msconfig.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\Gebruiker\Desktop\HiJackThis.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ibnbattuta.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Gmail Notifier.lnk = C:\Program Files\Gmail Notifier\gnotify.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

    --
    End of file - 6017 bytes


    ******

    Old HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:55, on 2008-01-31
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Gmail Notifier\gnotify.exe
    C:\Windows\system32\svchost.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\mobsync.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\Gebruiker\Desktop\VundoFix.exe
    C:\Users\Gebruiker\Desktop\HiJackThis.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ibnbattuta.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\cbxwwwu.dll,#1
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Gmail Notifier.lnk = C:\Program Files\Gmail Notifier\gnotify.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 6217 bytes
    Last edited by JeroenVeerman; 31-01-08, 13:50.
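The two HijackThis logs above differ in exactly one O4 line: the MSServer value that loads a DLL through rundll32.exe. As an added example (not code from the thread, from HijackThis or from any tool named here), the Python script below parses O4 autostart lines, diffs the old and new log, and flags rundll32 entries whose DLL has a random-looking name. The two log excerpts are the O4 lines from the logs in this post; the allow-list KNOWN_GOOD_RUNDLL and the 5-to-8-lowercase-letters heuristic are assumptions of this example, not anything HijackThis provides.

```python
"""Parse HijackThis O4 (autostart) lines, diff two logs and flag rundll32
entries that load DLLs with random-looking names.

Added example for this thread, not part of HijackThis or of any post. The
two log excerpts are the O4 lines from the old and new logs in post #1;
KNOWN_GOOD_RUNDLL is an assumption of this example (an allow-list a
reviewer would maintain), not something HijackThis provides.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt: O4 lines from the OLD HijackThis log (MSServer present).
OLD_LOG = r"""
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\cbxwwwu.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Startup: Gmail Notifier.lnk = C:\Program Files\Gmail Notifier\gnotify.exe
"""

# Constructed excerpt: the same section of the NEW log after VundoFix ran.
NEW_LOG = r"""
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Startup: Gmail Notifier.lnk = C:\Program Files\Gmail Notifier\gnotify.exe
"""

# Allow-list of DLLs rundll32 may legitimately load at logon (assumption).
KNOWN_GOOD_RUNDLL = {"oobefldr.dll"}

# 5-8 lowercase letters + .dll: the naming pattern of the DLLs in this thread
# (cbxwwwu.dll, awtss.dll, geede.dll). A heuristic, hence the allow-list above.
_RANDOM_NAME_RE = re.compile(r"[a-z]{5,8}\.dll")


@dataclass(frozen=True)
class Autostart:
    location: str        # e.g. HKLM\..\Run, HKCU\..\Run, Startup
    name: str            # registry value name or shortcut name
    command: str         # command line exactly as HijackThis printed it
    user: str = ""       # only set for HKUS\S-1-5-xx entries


_RUN_RE = re.compile(
    r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']+)'\))?$"
)
_LNK_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")


def parse_o4(log_text: str) -> List[Autostart]:
    """Extract every O4 line of a HijackThis log as an Autostart record."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _RUN_RE.match(line) or _LNK_RE.match(line)
        if m:
            d = m.groupdict()
            entries.append(Autostart(d["loc"], d["name"], d["cmd"], d.get("user") or ""))
    return entries


def rundll32_target(command: str) -> Optional[str]:
    """Return the DLL path a 'rundll32.exe <dll>,<entry>' command loads, else None."""
    parts = command.strip().strip('"').split(maxsplit=1)
    if len(parts) < 2 or parts[0].lower() not in ("rundll32.exe", "rundll32"):
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def is_suspicious(entry: Autostart) -> bool:
    """True when rundll32 loads a random-looking DLL that is not on the allow-list."""
    dll = rundll32_target(entry.command)
    if dll is None:
        return False
    base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base not in KNOWN_GOOD_RUNDLL and _RANDOM_NAME_RE.fullmatch(base) is not None


def suspicious_entries(log_text: str) -> List[Autostart]:
    """All O4 entries of a log that is_suspicious() flags."""
    return [e for e in parse_o4(log_text) if is_suspicious(e)]


def diff_autostarts(old_log: str, new_log: str) -> Tuple[List[Autostart], List[Autostart]]:
    """(removed, added) O4 entries between two logs of the same machine."""
    old, new = set(parse_o4(old_log)), set(parse_o4(new_log))

    def key(e: Autostart):
        return (e.location, e.name)

    return sorted(old - new, key=key), sorted(new - old, key=key)


if __name__ == "__main__":
    for e in suspicious_entries(OLD_LOG):
        print(f"SUSPICIOUS {e.location} [{e.name}] -> {rundll32_target(e.command)}")
    removed, added = diff_autostarts(OLD_LOG, NEW_LOG)
    print("removed:", [e.name for e in removed], "added:", [e.name for e in added])
```

Run as-is it reports the MSServer entry as suspicious in the old log and as the only entry removed in the new one. The allow-list matters: oobefldr.dll (the Windows Welcome Center, also loaded via rundll32) would otherwise trip the same name heuristic, which is why a reviewer keeps a list of known-good rundll32 targets rather than trusting the pattern alone.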

  • #2
    Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Put it on your desktop.
    Double-click it to start the program.
    In the screen that appears, type a 1 to run the cleaning and analysis process.
    Follow the on-screen instructions.
    When the tool is finished, a log file (combofix.txt) opens.
    Post the contents of this file together with a new HijackThis log.



    • #3
      This version of ComboFix is considered unsafe by both McAfee and Spyware Doctor. Should I allow McAfee to let the program run and just close Spyware Doctor for a moment, even though it keeps blocking that one program?



      • #4
        Go ahead. There is nothing wrong with ComboFix.



        • #5
          I saw it remove that awtss file and one other file; here is the log and another HJT log.

          ***ComboFix***
          ComboFix 08-01-31.4 - Gebruiker 2008-01-31 14:05:53.1 - NTFSx86
          Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1043.18.1246 [GMT 1:00]
          Gestart vanuit: C:\Users\Gebruiker\Desktop\ComboFix.exe
          * Nieuw herstelpunt werd aangemaakt
          .

          (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          C:\Windows\system32\awtss.dll
          C:\Windows\system32\geede.dll

          .
          (((((((((((((((((((( Bestanden Gemaakt van 2007-12-28 to 2008-01-31 ))))))))))))))))))))))))))))))
          .

          Geen nieuwe bestanden aangemaakt in deze periode

          .
          ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2008-01-31 12:59 --------- d---a-w C:\ProgramData\TEMP
          2008-01-31 12:00 --------- d-----w C:\Program Files\FrostWire
          2008-01-31 11:32 --------- d-----w C:\Program Files\Java
          2008-01-31 11:31 --------- d-----w C:\Program Files\Common Files\Java
          2008-01-31 11:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
          2008-01-31 11:10 --------- d-----w C:\Program Files\Spyware Doctor
          2008-01-30 23:14 --------- d-----w C:\Program Files\Hitman Pro
          2008-01-30 22:19 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
          2008-01-30 21:02 --------- d-----w C:\Program Files\SpywareBlaster
          2008-01-30 19:52 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\PC Tools
          2008-01-30 19:46 164 ----a-w C:\install.dat
          2008-01-30 19:34 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\FrostWire
          2008-01-30 18:15 --------- d-----w C:\Program Files\MP3Gain
          2008-01-30 18:11 --------- d-----w C:\Program Files\EasyCleaner
          2008-01-30 18:03 --------- d-----w C:\Program Files\CCleaner
          2008-01-26 13:49 --------- d-----w C:\Program Files\Firaxis Games
          2008-01-26 13:47 --------- d-----w C:\Program Files\Common Files\InstallShield
          2008-01-26 13:46 --------- d-----w C:\Program Files\EA Games
          2008-01-25 23:11 --------- d-----w C:\Program Files\DivX
          2008-01-25 23:11 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
          2008-01-25 22:38 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\BitTorrent
          2008-01-25 00:47 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\DAEMON Tools
          2008-01-25 00:47 --------- d-----w C:\Program Files\DAEMON Tools Lite
          2008-01-25 00:43 716,272 ----a-w C:\Windows\system32\drivers\sptd.sys
          2008-01-24 23:45 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\Image Zone Express
          2008-01-23 11:23 102,664 ----a-w C:\Windows\system32\drivers\tmcomm.sys
          2008-01-23 00:01 --------- d-----w C:\ProgramData\Prevx
          2008-01-22 23:11 --------- d-----w C:\ProgramData\Uniblue
          2008-01-22 15:08 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\SmartDraw
          2008-01-22 12:38 --------- d-----w C:\Program Files\Winamp
          2008-01-10 14:30 --------- d-----w C:\Program Files\Windows Sidebar
          2008-01-10 14:30 --------- d-----w C:\Program Files\Windows Mail
          2008-01-10 14:17 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
          2008-01-10 14:17 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
          2008-01-10 14:15 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
          2008-01-10 14:15 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
          2008-01-10 14:15 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
          2008-01-10 14:15 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
          2008-01-10 14:15 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
          2008-01-10 14:15 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
          2008-01-10 14:15 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
          2008-01-10 14:15 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
          2008-01-10 14:15 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
          2008-01-10 14:15 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
          2008-01-10 14:15 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
          2008-01-09 16:29 --------- d-----w C:\ProgramData\SecTaskMan
          2008-01-09 14:01 53,248 ----a-w C:\Windows\bdoscandel.exe
          2008-01-06 16:25 --------- d-----w C:\ProgramData\Microsoft Help
          2007-12-22 12:07 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\DivX
          2007-12-21 16:56 --------- d-----w C:\Program Files\MSN Messenger
          2007-12-21 16:56 --------- d-----w C:\Program Files\Messenger Plus! Live
          2007-12-18 15:32 --------- d-----w C:\Program Files\BitTorrent
          2007-12-13 16:05 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
          2007-12-13 16:04 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
          2007-12-13 16:04 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
          2007-12-13 16:04 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
          2007-12-13 16:04 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
          2007-12-10 13:53 81,288 ----a-w C:\Windows\system32\drivers\iksyssec.sys
          2007-12-10 13:53 66,952 ----a-w C:\Windows\system32\drivers\iksysflt.sys
          2007-12-10 13:53 41,864 ----a-w C:\Windows\system32\drivers\ikfilesec.sys
          2007-12-10 13:53 29,576 ----a-w C:\Windows\system32\drivers\kcom.sys
          2007-12-08 13:30 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
          2007-12-05 21:50 --------- d-----w C:\Program Files\Rome - Total War
          2007-12-02 21:55 --------- d-----w C:\Program Files\Black Isle
          2007-11-14 19:08 2,923,520 ----a-w C:\Windows\explorer.exe
          2007-08-29 11:45 174 --sha-w C:\Program Files\desktop.ini
          .

          ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          REGEDIT4
          *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 15:15 1232896]
          "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 10:45 222208]

          C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
          Gmail Notifier.lnk - C:\Program Files\Gmail Notifier\gnotify.exe [2005-07-15 22:48:33 479232]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "ConsentPromptBehaviorAdmin"= 0 (0x0)
          "EnableLUA"= 0 (0x0)

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
          "DisableChangePassword"= 1 (0x1)
          "DisableLockWorkstation"= 1 (0x1)

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
          "NoStartMenuMyGames"= 0 (0x0)
          "NoSMBalloonTip"= 1 (0x1)
          "NoLogoff"= 0 (0x0)

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
          "{BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F}"= C:\Windows\system32\awtss.dll [ ]

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
          --a------ 2008-01-24 13:21 587568 C:\Program Files\BitTorrent\bittorrent.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
          C:\Windows\system32\awtss.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
          --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
          hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{571b1b97-cb1d-11dc-80ee-00196621c230}]
          \shell\AutoRun\command - I:\autorun.exe

          .
          Inhoud van de 'Gedeelde Taken' map
          "2007-07-06 12:19:36 C:\Windows\Tasks\McDefragTask.job"
          - C:\Windows\system32\Defrag.exe
          "2007-11-01 00:00:06 C:\Windows\Tasks\McQcTask.job"
          - c:\program files\mcafee\mqc\QcConsol.exe
          .
          **************************************************************************

          catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2008-01-31 14:12:01
          Windows 6.0.6000 NTFS

          scannen van verborgen processen ...

          scannen van verborgen autostart items ...

          scannen van verborgen bestanden ...

          Scan succesvol afgerond
          verborgen bestanden: 0

          **************************************************************************
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
          C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
          C:\Program Files\McAfee\MPF\MPFSrv.exe
          C:\Windows\system32\WUDFHost.exe
          C:\Windows\system32\conime.exe
          C:\Program Files\Windows Sidebar\sidebar.exe
          C:\Program Files\Gmail Notifier\gnotify.exe
          C:\Program Files\Windows Sidebar\sidebar.exe
          C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
          C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
          c:\program files\common files\mcafee\mna\mcnasvc.exe
          c:\PROGRA~1\mcafee.com\agent\mcagent.exe
          .
          **************************************************************************
          .
          Voltooingstijd: 2008-01-31 14:14:33 - machine was rebooted
          ComboFix-quarantined-files.txt 2008-01-31 13:14:26
          .
          2008-01-30 11:53:25 --- E O F ---


          ***HJthis***
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 14:15, on 2008-01-31
          Platform: Windows Vista (WinNT 6.00.1904)
          MSIE: Internet Explorer v7.00 (7.00.6000.16575)
          Boot mode: Normal

          Running processes:
          C:\Windows\system32\taskeng.exe
          C:\Windows\system32\Dwm.exe
          C:\Windows\Explorer.EXE
          C:\Windows\system32\conime.exe
          C:\Program Files\Windows Sidebar\sidebar.exe
          C:\Program Files\Gmail Notifier\gnotify.exe
          C:\Program Files\Windows Sidebar\sidebar.exe
          c:\PROGRA~1\mcafee.com\agent\mcagent.exe
          C:\Windows\system32\notepad.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Users\Gebruiker\Desktop\HiJackThis.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ibnbattuta.nl/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
          O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
          O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
          O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
          O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
          O4 - Startup: Gmail Notifier.lnk = C:\Program Files\Gmail Notifier\gnotify.exe
          O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
          O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
          O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
          O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
          O13 - Gopher Prefix:
          O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
          O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
          O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
          O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
          O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
          O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
          O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
          O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
          O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
          O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
          O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
          O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

          --
          End of file - 4595 bytes



          • #6
            Open a Notepad file.
            Copy the code below and paste it into the Notepad file.
            Save the Notepad file as CFScript.txt
            Code:
            Registry::
            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
            "{BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F}"=-
            
            [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
            Now drag the file CFScript.txt onto the file ComboFix.exe

            ComboFix will restart.
            When ComboFix is finished, which may be after a reboot, a log file opens.
            Post the contents of the log file.

            Are there still any problems?

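The CFScript above was derived by hand from the "Reg Opstartpunten" section of the ComboFix log in post #5: the ShellExecuteHooks value and the msconfig startupreg key that still referenced awtss.dll. As an added example (not code from ComboFix or from any post), the Python script below parses that section, finds every key or value that references a given file, and renders the Registry:: block the post wrote manually. The log excerpt is taken from post #5; the rule that a per-item key under msconfig\startupreg is deleted whole ([-key]) while a value under a shared key is deleted by name ("name"=-) is this example's reading of the script in post #6, not a documented ComboFix rule.

```python
"""Parse the 'Reg Opstartpunten' section of a ComboFix log, find every
autostart that references a given file, and render the CFScript
'Registry::' block that removes those entries.

Added example for this thread; it is not part of ComboFix and not code from
any post. The log excerpt is taken from post #5 above. The rule that a
per-item key under msconfig\\startupreg is deleted whole ([-key]) while a
value under a shared key is deleted by name ("name"=-) is this example's
reading of the script in post #6, not a documented ComboFix rule.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the ComboFix registry section posted above (post #5).
COMBOFIX_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 15:15 1232896]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F}"= C:\Windows\system32\awtss.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-01-24 13:21 587568 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Windows\system32\awtss.dll
"""

RegValues = List[Tuple[str, str]]   # (value name, data); name is '' for bare lines

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
_STARTUPREG = "\\shared tools\\msconfig\\startupreg\\"


def parse_reg_section(text: str) -> Dict[str, RegValues]:
    """Map each [key] header to the value lines listed under it."""
    keys: Dict[str, RegValues] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = _KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, [])
            continue
        if current is None:
            continue
        vm = _VALUE_RE.match(line)
        if vm:
            keys[current].append((vm.group("name"), vm.group("data")))
        else:
            keys[current].append(("", line))   # msconfig startupreg items carry no "name"=
    return keys


def file_missing(data: str) -> bool:
    """In the posted log ComboFix printed '[ ]' instead of '[date time size]'
    for awtss.dll, the file it had just deleted; treat an empty bracket
    pair as 'file not found'."""
    return data.rstrip().endswith("[ ]")


def find_references(keys: Dict[str, RegValues], filename: str) -> List[Tuple[str, str]]:
    """(key, value name) pairs whose data mentions filename (case-insensitive)."""
    needle = filename.lower()
    return [(key, name) for key, values in keys.items()
            for name, data in values if needle in data.lower()]


def build_cfscript(hits: List[Tuple[str, str]]) -> str:
    """Render the Registry:: section: [-key] for per-item msconfig startupreg
    keys, "name"=- for values under shared keys such as ShellExecuteHooks."""
    blocks = []
    for key, name in hits:
        if _STARTUPREG in key.lower():
            blocks.append(f"[-{key}]")
        else:
            blocks.append(f'[{key}]\n"{name}"=-')
    return "Registry::\n" + "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    reg = parse_reg_section(COMBOFIX_REG)
    hits = find_references(reg, "awtss.dll")
    for key, name in hits:
        print("reference:", key, repr(name))
    print(build_cfscript(hits))
```

For awtss.dll this produces, line for line, the Registry:: block of the post above, and file_missing() confirms that the ShellExecuteHooks entry already pointed at a file that no longer existed, which is why the remaining work was registry clean-up rather than file deletion.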


            • #7
              Here is the log. The file no longer appears in the startup, but I do see it mentioned in the log; is that right?
              If so, then everything is fine!

              ComboFix 08-01-31.4 - Gebruiker 2008-01-31 15:59:44.2 - NTFSx86
              Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1043.18.1382 [GMT 1:00]
              Gestart vanuit: C:\Users\Gebruiker\Desktop\ComboFix.exe
              Command switches used :: C:\Users\Gebruiker\Desktop\CFScript.txt
              * Nieuw herstelpunt werd aangemaakt
              .

              (((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 ))))))))))))))))))))))))))))))
              .

              No new files were created in this period

              .
              ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2008-01-31 14:45 --------- d---a-w C:\ProgramData\TEMP
              2008-01-31 12:30 24,576 ----a-w C:\Windows\System32\VundoFixSVC.exe
              2008-01-31 12:00 --------- d-----w C:\Program Files\FrostWire
              2008-01-31 11:32 --------- d-----w C:\Program Files\Java
              2008-01-31 11:31 --------- d-----w C:\Program Files\Common Files\Java
              2008-01-31 11:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
              2008-01-31 11:10 --------- d-----w C:\Program Files\Spyware Doctor
              2008-01-30 23:14 --------- d-----w C:\Program Files\Hitman Pro
              2008-01-30 22:19 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
              2008-01-30 21:02 --------- d-----w C:\Program Files\SpywareBlaster
              2008-01-30 19:52 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\PC Tools
              2008-01-30 19:46 164 ----a-w C:\install.dat
              2008-01-30 19:34 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\FrostWire
              2008-01-30 18:15 --------- d-----w C:\Program Files\MP3Gain
              2008-01-30 18:11 --------- d-----w C:\Program Files\EasyCleaner
              2008-01-30 18:03 --------- d-----w C:\Program Files\CCleaner
              2008-01-26 13:49 --------- d-----w C:\Program Files\Firaxis Games
              2008-01-26 13:47 --------- d-----w C:\Program Files\Common Files\InstallShield
              2008-01-26 13:46 --------- d-----w C:\Program Files\EA Games
              2008-01-25 23:11 --------- d-----w C:\Program Files\DivX
              2008-01-25 23:11 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
              2008-01-25 22:38 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\BitTorrent
              2008-01-25 00:47 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\DAEMON Tools
              2008-01-25 00:47 --------- d-----w C:\Program Files\DAEMON Tools Lite
              2008-01-25 00:43 716,272 ----a-w C:\Windows\system32\drivers\sptd.sys
              2008-01-24 23:45 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\Image Zone Express
              2008-01-23 11:23 102,664 ----a-w C:\Windows\system32\drivers\tmcomm.sys
              2008-01-23 00:01 --------- d-----w C:\ProgramData\Prevx
              2008-01-22 23:11 --------- d-----w C:\ProgramData\Uniblue
              2008-01-22 15:08 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\SmartDraw
              2008-01-22 12:38 --------- d-----w C:\Program Files\Winamp
              2008-01-10 14:30 --------- d-----w C:\Program Files\Windows Sidebar
              2008-01-10 14:30 --------- d-----w C:\Program Files\Windows Mail
              2008-01-10 14:17 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
              2008-01-10 14:17 24,064 ----a-w C:\Windows\System32\netcfg.exe
              2008-01-10 14:17 22,016 ----a-w C:\Windows\System32\netiougc.exe
              2008-01-10 14:17 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
              2008-01-10 14:17 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
              2008-01-10 14:15 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
              2008-01-10 14:15 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
              2008-01-10 14:15 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
              2008-01-10 14:15 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
              2008-01-10 14:15 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
              2008-01-10 14:15 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
              2008-01-10 14:15 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
              2008-01-10 14:15 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
              2008-01-10 14:15 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
              2008-01-10 14:15 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
              2008-01-10 14:15 11,776 ----a-w C:\Windows\System32\sbunattend.exe
              2008-01-10 14:15 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
              2008-01-10 14:15 1,686,016 ----a-w C:\Windows\System32\gameux.dll
              2008-01-10 14:15 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
              2008-01-09 16:29 --------- d-----w C:\ProgramData\SecTaskMan
              2008-01-09 14:01 53,248 ----a-w C:\Windows\bdoscandel.exe
              2008-01-06 16:25 --------- d-----w C:\ProgramData\Microsoft Help
              2008-01-04 21:58 200,704 ----a-w C:\Windows\System32\ssldivx.dll
              2008-01-04 21:58 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
              2008-01-04 21:57 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
              2008-01-04 21:57 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
              2008-01-04 21:57 81,920 ----a-w C:\Windows\System32\dpl100.dll
              2008-01-04 21:57 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
              2008-01-04 21:57 682,496 ----a-w C:\Windows\System32\DivX.dll
              2008-01-04 21:57 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
              2008-01-04 21:57 57,344 ----a-w C:\Windows\System32\dpv11.dll
              2008-01-04 21:57 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
              2008-01-04 21:57 344,064 ----a-w C:\Windows\System32\dpus11.dll
              2008-01-04 21:57 294,912 ----a-w C:\Windows\System32\dpu11.dll
              2008-01-04 21:57 294,912 ----a-w C:\Windows\System32\dpu10.dll
              2008-01-04 21:57 196,608 ----a-w C:\Windows\System32\dtu100.dll
              2008-01-04 21:56 156,992 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
              2008-01-04 21:56 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
              2007-12-22 12:07 --------- d-----w C:\Users\Gebruiker\AppData\Roaming\DivX
              2007-12-21 16:56 --------- d-----w C:\Program Files\MSN Messenger
              2007-12-21 16:56 --------- d-----w C:\Program Files\Messenger Plus! Live
              2007-12-18 15:32 --------- d-----w C:\Program Files\BitTorrent
              2007-12-13 16:07 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
              2007-12-13 16:07 223,232 ----a-w C:\Windows\System32\WMASF.DLL
              2007-12-13 16:07 1,327,104 ----a-w C:\Windows\System32\quartz.dll
              2007-12-13 16:05 824,832 ----a-w C:\Windows\System32\wininet.dll
              2007-12-13 16:05 56,320 ----a-w C:\Windows\System32\iesetup.dll
              2007-12-13 16:05 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
              2007-12-13 16:05 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
              2007-12-13 16:04 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
              2007-12-13 16:04 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
              2007-12-13 16:04 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
              2007-12-13 16:04 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
              2007-12-13 16:03 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
              2007-12-13 16:03 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
              2007-12-11 22:34 129,784 ------w C:\Windows\System32\pxafs.dll
              2007-12-10 13:53 81,288 ----a-w C:\Windows\system32\drivers\iksyssec.sys
              2007-12-10 13:53 66,952 ----a-w C:\Windows\system32\drivers\iksysflt.sys
              2007-12-10 13:53 41,864 ----a-w C:\Windows\system32\drivers\ikfilesec.sys
              2007-12-10 13:53 29,576 ----a-w C:\Windows\system32\drivers\kcom.sys
              2007-12-08 13:30 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
              2007-12-05 21:50 --------- d-----w C:\Program Files\Rome - Total War
              2007-12-02 21:55 --------- d-----w C:\Program Files\Black Isle
              2007-11-14 19:08 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
              2007-11-14 19:08 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
              2007-11-14 19:08 542,720 ----a-w C:\Windows\System32\sysmain.dll
              2007-11-14 19:08 502,784 ----a-w C:\Windows\System32\wlansvc.dll
              .

              ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              REGEDIT4
              *Note* empty entries & legitimate default entries are not shown

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 15:15 1232896]
              "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]

              C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
              Gmail Notifier.lnk - C:\Program Files\Gmail Notifier\gnotify.exe [2005-07-15 22:48:33 479232]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
              "ConsentPromptBehaviorAdmin"= 0 (0x0)
              "EnableLUA"= 0 (0x0)

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
              "DisableChangePassword"= 1 (0x1)
              "DisableLockWorkstation"= 1 (0x1)

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
              "NoStartMenuMyGames"= 0 (0x0)
              "NoSMBalloonTip"= 1 (0x1)
              "NoLogoff"= 0 (0x0)

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
              --a------ 2008-01-24 13:21 587568 C:\Program Files\BitTorrent\bittorrent.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
              C:\Windows\system32\awtss.dll

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
              --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
              hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{571b1b97-cb1d-11dc-80ee-00196621c230}]
              \shell\AutoRun\command - I:\autorun.exe

              .
              Contents of the 'Scheduled Tasks' folder
              "2007-07-06 12:19:36 C:\Windows\Tasks\McDefragTask.job"
              - C:\Windows\system32\Defrag.exe
              "2007-11-01 00:00:06 C:\Windows\Tasks\McQcTask.job"
              - c:\program files\mcafee\mqc\QcConsol.exe
              .
              **************************************************************************

              catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2008-01-31 16:03:47
              Windows 6.0.6000 NTFS

              scanning hidden processes ...

              scanning hidden autostart entries ...

              scanning hidden files ...

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              Completion time: 2008-01-31 16:05:42
              ComboFix-quarantined-files.txt 2008-01-31 15:05:32
              ComboFix2.txt 2008-01-31 13:14:33
              .
              2008-01-30 11:53:25 --- E O F ---



              • #8
                Which file do you mean?

                Are there still any problems?



                • #9
                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
                  C:\Windows\system32\awtss.dll

                  That one is in the ComboFix log, but I'm not having any problems with it anymore.



                  • #10
                    Originally posted by Marckie
                    Open a Notepad file.
                    Copy the code below and paste it into the Notepad file.
                    Save the Notepad file as CFScript.txt
                    Code:
                    Registry::
                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
                    "{BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F}"=-
                    
                    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
                    Now drag the file CFScript.txt onto ComboFix.exe.

                    ComboFix will start again.
                    When ComboFix is finished, which may be after a restart, a log file will open.
                    Post the contents of the log file.

                    Are there still any problems?
                    Run this again; that should remove the key.



                    • #11
                      I think I've been messing around with ComboFix a bit too much, because it no longer works entirely correctly. But in any case the file is no longer being started, and I'm no longer getting spyware warnings from my programs either. So I'll leave it at that and remove ComboFix again.
                      Anyway, thanks a lot again!



                      • #12
                        Go to Start - Run and type: ComboFix /u
                        Press Enter.

                        That removes ComboFix.

                        You can optionally download it again and then post a new log.



                        • #13
                          I removed everything manually, ran it once more, and now it's really all gone. Great!



                          • #14
                            Then we'll close this.

                            If I were you, I would definitely make sure User Account Control is enabled on Vista. It makes the computer safer.
                            To enable it again, do this:
                            Open a Notepad file.
                            Copy the code below into this Notepad file.
                            Go to File - Save As.
                            Under "Save in" choose: Desktop
                            Under "File name" enter: fix.reg
                            Under "Save as type" select: All Files (*.*).
                            Click the Save button.
                            Code:
                            REGEDIT4
                            
                            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
                            "ConsentPromptBehaviorAdmin"=dword:00000002
                            "EnableLUA"=dword:00000001
                            Double-click the fix.reg file and allow the changes to be added to the registry.

                            Restart the computer.


                            It is also best to clear all existing System Restore points:
                            Disable System Restore. Restart the computer. Enable System Restore again.
                            Disabling System Restore.

                            More information on how to prevent a new infection can be found here and here.

                            I'm setting the status of this thread to solved.
                            If there are no further replies, this thread will automatically be moved to the Solved HijackThis logs section within about 3 days, after which replying is no longer possible. This is to keep the forum neat and tidy.
                            If it turns out there are still problems and you want to reply in this topic again, send me a private message requesting that it be reopened.

                            Happy surfing again.
                            Last edited by Marckie; 02-02-08, 10:45.
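The thread above removes one Run entry by hand (posts #6 and #7) and then restores the two UAC policy values that the ComboFix log showed switched off (post #14). The script below is an added example, not part of this thread and not from ComboFix, HijackThis or PC Tools: it audits the same registry locations on a live machine so the reader can check them without a third-party scanner. It lists the Run/RunOnce keys and the msconfig `startupreg` key where ComboFix still reported MSServer, flags the `rundll32.exe <dll>` persistence pattern the MSServer entry used when the DLL is missing or not validly signed, lists the Explorer ShellExecuteHooks CLSIDs (the CFScript deleted one of these) with the DLL each resolves to, and reports `EnableLUA` and `ConsentPromptBehaviorAdmin`. Assumptions: an elevated PowerShell 5.1 or later prompt on Windows, and msconfig's documented layout where each disabled item is a subkey under `startupreg` carrying its original command line in a `command` value.

```powershell
# Added example (not from the forum thread): audit the autostart and UAC settings
# discussed above. Run from an elevated PowerShell prompt.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# msconfig parks items you untick here; ComboFix listed MSServer under this key
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object {
                [pscustomobject]@{ Location = $key; Name = $_.Name; Command = [string]$_.Value }
            }
    }
    if (Test-Path $msconfigKey) {
        # Assumption: each disabled item is a subkey whose 'command' value holds the
        # original command line (that is how msconfig stores it so it can be re-enabled).
        Get-ChildItem -Path $msconfigKey | ForEach-Object {
            $cmd = (Get-ItemProperty -Path $_.PSPath).command
            [pscustomobject]@{ Location = $msconfigKey; Name = $_.PSChildName; Command = [string]$cmd }
        }
    }
}

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Vundo-style persistence: rundll32 loading a DLL, typically a random name in System32.
    # Flag it when the DLL is missing or does not carry a valid Authenticode signature.
    if ($Command -match 'rundll32(\.exe)?\s+"?([^",]+?\.dll)') {
        $dll = [Environment]::ExpandEnvironmentVariables($Matches[2].Trim())
        if (-not [IO.Path]::IsPathRooted($dll)) {
            # rundll32 resolves bare names through the loader search path; System32 is the usual hit
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        if (-not (Test-Path -LiteralPath $dll)) { return $true }
        $sig = Get-AuthenticodeSignature -FilePath $dll
        return ($sig.Status -ne 'Valid')
    }
    return $false
}

function Get-ShellExecuteHooks {
    # Each value name here is a CLSID; Explorer loads the matching InprocServer32 DLL.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (-not (Test-Path $key)) { return }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $clsid  = $_.Name
            $inproc = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            [pscustomobject]@{ CLSID = $clsid; Dll = $inproc.'(default)' }
        }
}

function Get-UacState {
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $pol.EnableLUA                   # 0 = UAC off (as in the log); fix.reg sets 1
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin  # 0 = elevate silently; fix.reg sets 2 (prompt for consent)
        UacEffective               = ($pol.EnableLUA -eq 1 -and $pol.ConsentPromptBehaviorAdmin -ne 0)
    }
}

"== Autostart entries =="
Get-AutostartEntries | ForEach-Object {
    $tag = if (Test-SuspiciousCommand $_.Command) { 'SUSPECT' } else { 'ok' }
    '{0,-8} {1,-24} {2}' -f $tag, $_.Name, $_.Command
}
"`n== ShellExecuteHooks =="
Get-ShellExecuteHooks | Format-Table -AutoSize
"`n== UAC policy =="
Get-UacState | Format-List
```

Two caveats. The `startupreg` key is msconfig's parking lot for items that were unticked: an entry there is not executed at logon, but it keeps the full command line, which is why the helper had the CFScript delete the MSServer subkey as well. And a SUSPECT tag is a lead, not a verdict: `Get-AuthenticodeSignature` reports catalog-signed OS files as not signed on older Windows versions, so check the signer and the file's origin before deleting anything.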
