Browser hijack? Advanced Cleaner
  • Browser hijack? Advanced Cleaner

    Hi, I keep getting browser windows with porn and the like on screen, I think from Advanced Cleaner.

    Here is my log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:34:15, on 4-2-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\Program Files\Common Files\SchijfBewaker\strpmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\TBLMOUSE.EXE
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SchijfBewaker\strpmon.exe" dm=http://schijfbewaker.com ad=http://schijfbewaker.com sd=http://inlog.schijfbewaker.com
    O4 - HKLM\..\Run: [40149afb] rundll32.exe "C:\WINDOWS\system32\cupoaywt.dll",b
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\TLC Domus\PrintMaster\Pmremind.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196714576045
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game10.zylom.com/activex/zylomgamesplayer.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

    --
    End of file - 5480 bytes

  • #2
    Close all open windows.
    Start HijackThis again and put a check mark next to the following items:

    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SchijfBewaker\strpmon.exe" dm=http://schijfbewaker.com ad=http://schijfbewaker.com sd=http://inlog.schijfbewaker.com
    O4 - HKLM\..\Run: [40149afb] rundll32.exe "C:\WINDOWS\system32\cupoaywt.dll",b


    Then click "Fix checked" and close HijackThis.


    Download combofix.exe from this site: http://www.bleepingcomputer.com/comb...uikt-te-worden
    Follow the instructions given there. If anything is unclear, ask.
    When the tool is finished, a log file (combofix.txt) will open.
    Post the contents of this file together with a new HijackThis log.

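The two O4 entries singled out in the reply above show the pattern a triager looks for in a HijackThis log: a Run value whose name is an auto-generated hex string and which makes rundll32 load an eight-random-letter DLL out of system32, and a start-up command that carries advertising or download URLs as arguments. The script below is an added example written for this page, not a tool from the forum or from HijackThis; it parses O4 Run lines (the sample lines are copied from the log posted above) and returns the entries that trip one of those three heuristics. The regular expressions and thresholds (8 hex digits, 8 lowercase letters) are assumptions chosen to match this log and will need tuning for other logs.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample input: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SchijfBewaker\strpmon.exe" dm=http://schijfbewaker.com ad=http://schijfbewaker.com sd=http://inlog.schijfbewaker.com
O4 - HKLM\..\Run: [40149afb] rundll32.exe "C:\WINDOWS\system32\cupoaywt.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# DLL argument of a rundll32 command, with or without surrounding quotes
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
HEX_NAME = re.compile(r"[0-9a-f]{8}")      # assumed heuristic: auto-generated value name
RANDOM_STEM = re.compile(r"[a-z]{8}")      # assumed heuristic: random 8-letter DLL stem
URL_ARG = re.compile(r"\b\w+=https?://", re.IGNORECASE)


@dataclass
class Finding:
    hive: str
    name: str
    cmd: str
    reasons: list = field(default_factory=list)


def suspicious_reasons(name: str, cmd: str) -> list:
    """Apply the three triage heuristics to one Run entry; return the reasons that fired."""
    reasons = []
    # 1. A value name that is just 8 hex digits is generated, not a product name.
    if HEX_NAME.fullmatch(name.lower()):
        reasons.append("hex-like value name")
    # 2. rundll32 loading a DLL with an 8-letter random stem out of system32.
    m = RUNDLL_DLL.search(cmd)
    if m:
        dll = m.group("dll")
        stem = ntpath.splitext(ntpath.basename(dll))[0].lower()
        if RANDOM_STEM.fullmatch(stem) and "system32" in dll.lower():
            reasons.append("rundll32 loads random-named DLL from system32")
    # 3. The start-up command carries URL arguments (ad/download servers).
    if URL_ARG.search(cmd):
        reasons.append("start-up command carries URL arguments")
    return reasons


def triage_o4(log_text: str) -> list:
    """Parse every O4 Run entry in a HijackThis log and keep the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue  # non-O4 lines and "O4 - Global Startup" lines are skipped
        reasons = suspicious_reasons(m.group("name"), m.group("cmd"))
        if reasons:
            findings.append(Finding(m.group("hive"), m.group("name"), m.group("cmd"), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"[{f.hive}] {f.name}: {', '.join(f.reasons)}")
```

Run against the sample, the script reports only `Salestart` (URL arguments) and `40149afb` (hex name plus random DLL); the legitimate SoundMan, McAfee and ctfmon entries pass untouched. The heuristics are deliberately narrow so that a clean log produces no noise; widen them only after checking what they flag on known-good machines.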


    • #3
      ComboFix 08-02.03.1 - MIMPIE_DENISE 2008-02-04 13:20:08.1 - NTFSx86
      Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.671 [GMT 1:00]
      Gestart vanuit: C:\Documents and Settings\MIMPIE_DENISE\Bureaublad\ComboFix.exe
      * Nieuw herstelpunt werd aangemaakt

      WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
      .

      (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\Documents and Settings\MIMPIE_DENISE\Application Data\inst.exe
      C:\WINDOWS\cookies.ini
      C:\WINDOWS\system32\amtossok.dll
      C:\WINDOWS\system32\avknbmpr.ini
      C:\WINDOWS\system32\buwxfaqu.ini
      C:\WINDOWS\system32\bvonqgnj.ini
      C:\WINDOWS\system32\cupoaywt.dll
      C:\WINDOWS\system32\dcoifhbk.ini
      C:\WINDOWS\system32\ddeeg.ini
      C:\WINDOWS\system32\ddeeg.ini2
      C:\WINDOWS\system32\doniukjx.ini
      C:\WINDOWS\system32\dqyefran.ini
      C:\WINDOWS\system32\drlgmuvm.ini
      C:\WINDOWS\system32\eypjyede.ini
      C:\WINDOWS\system32\fuwvdvdf.ini
      C:\WINDOWS\system32\ijuurmud.ini
      C:\WINDOWS\system32\inghmtbp.dll
      C:\WINDOWS\system32\itwlnvxr.dll
      C:\WINDOWS\system32\jbnjupyy.ini
      C:\WINDOWS\system32\kaaqjaso.ini
      C:\WINDOWS\system32\kpnvkgid.ini
      C:\WINDOWS\system32\mcrh.tmp
      C:\WINDOWS\system32\nmbrfjpx.ini
      C:\WINDOWS\system32\qgthrkfy.ini
      C:\WINDOWS\system32\qkllnpdk.ini
      C:\WINDOWS\system32\raiqxptt.dll
      C:\WINDOWS\system32\rkhuasrh.dll
      C:\WINDOWS\system32\rsvuyxjx.ini
      C:\WINDOWS\system32\sjecnirj.ini
      C:\WINDOWS\system32\sxgbrkgr.dll
      C:\WINDOWS\system32\tciisrsg.ini
      C:\WINDOWS\system32\tpotmpxs.dll
      C:\WINDOWS\system32\tujdcuvo.ini
      C:\WINDOWS\system32\twtfxvgi.dll
      C:\WINDOWS\system32\twyaopuc.ini
      C:\WINDOWS\system32\urutdqbi.ini
      C:\WINDOWS\system32\xjkuinod.dll
      C:\WINDOWS\system32\xjxyuvsr.dll
      C:\WINDOWS\system32\xuhaswko.ini
      C:\WINDOWS\system32\ylshebmf.ini

      .
      (((((((((((((((((((( Bestanden Gemaakt van 2008-01-04 to 2008-02-04 ))))))))))))))))))))))))))))))
      .

      2008-02-04 13:29 . 2008-02-04 13:31 6,370 --ahs---- C:\WINDOWS\system32\ddeeg.ini
      2008-02-04 12:33 . 2008-02-04 12:33 <DIR> d-------- C:\Program Files\Trend Micro
      2008-01-23 03:55 . 2008-01-23 03:55 244 --ah----- C:\sqmnoopt10.sqm
      2008-01-23 03:55 . 2008-01-23 03:55 232 --ah----- C:\sqmdata10.sqm
      2008-01-22 18:34 . 2008-01-22 18:34 8,192 --ahs---- C:\WINDOWS\Thumbs.db
      2008-01-22 18:34 . 2008-01-22 18:34 5,632 --ahs---- C:\WINDOWS\system32\Thumbs.db
      2008-01-22 05:34 . 2008-01-22 05:34 244 --ah----- C:\sqmnoopt09.sqm
      2008-01-22 05:34 . 2008-01-22 05:34 232 --ah----- C:\sqmdata09.sqm
      2008-01-11 23:56 . 2008-01-11 23:56 <DIR> d-------- C:\Documents and Settings\MIMPIE_DENISE\Application Data\schijfbewaker
      2008-01-11 23:51 . 2008-01-11 23:51 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\schijfbewaker
      2008-01-11 23:51 . 2008-01-11 23:51 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
      2008-01-11 23:50 . 2008-01-12 01:03 <DIR> d-------- C:\Program Files\SchijfBewaker
      2008-01-11 23:50 . 2008-01-11 23:50 <DIR> d-------- C:\Program Files\Common Files\SchijfBewaker
      2008-01-11 23:50 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
      2008-01-11 23:38 . 2008-01-11 23:38 257,552 --a------ C:\Documents and Settings\MIMPIE_DENISE\Application Data\setup_nl[1].exe

      .
      ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-01-31 18:34 --------- d-----w C:\Program Files\eMule
      2008-01-18 20:10 --------- d-----w C:\Program Files\McAfee
      2008-01-01 06:12 --------- d-----w C:\Documents and Settings\MIMPIE_DENISE\Application Data\uTorrent
      2007-12-26 23:09 --------- d-----w C:\Documents and Settings\MIMPIE_DENISE\Application Data\dvdcss
      2007-12-26 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
      2007-12-26 14:28 --------- d-----w C:\Program Files\Serif
      2007-12-26 14:26 --------- d-----w C:\Program Files\TLC Domus
      2007-12-23 19:44 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
      2007-12-18 16:06 --------- d-----w C:\Documents and Settings\MIMPIE_DENISE\Application Data\ArcSoft
      2007-12-18 16:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\ArcSoft
      2007-12-18 13:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
      2007-12-18 13:30 --------- d-----w C:\Program Files\ArcSoft
      2007-12-18 11:58 --------- d-----w C:\Program Files\Luxor 3
      2007-12-18 11:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
      2007-12-18 02:01 --------- d-----w C:\Program Files\MSXML 4.0
      2007-12-17 01:43 155,995 ----a-w C:\WINDOWS\java\Packages\V9BFPZLZ.ZIP
      2007-12-16 21:20 --------- d-----w C:\Program Files\Common Files\Corel
      2007-12-16 21:20 --------- d-----w C:\Documents and Settings\MIMPIE_DENISE\Application Data\Corel
      2007-12-16 21:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
      2007-12-16 21:19 --------- d-----w C:\Program Files\Corel
      2007-12-16 21:19 --------- d-----w C:\Program Files\Common Files\InstallShield
      2007-12-12 10:06 --------- d-----w C:\Documents and Settings\MIMPIE_DENISE\Application Data\Vso
      2007-12-09 23:42 17,920 ----a-w C:\Documents and Settings\MIMPIE_DENISE\Application Data\GDIPFONTCACHEV1.DAT
      2007-12-09 22:19 --------- d-----w C:\Program Files\AviDvdBurner
      2007-12-09 22:15 --------- d-----w C:\Program Files\AC3Filter
      2007-12-09 22:14 --------- d-----w C:\Program Files\AviSynth 2.5
      2007-12-09 01:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
      2007-12-09 00:25 --------- d-----w C:\Program Files\Common Files\Adobe
      2007-12-08 22:29 --------- d-----w C:\Program Files\Ahead
      2007-12-08 22:23 --------- d-----w C:\Program Files\Common Files\Ahead
      2007-12-08 21:43 --------- d-----w C:\Documents and Settings\MIMPIE_DENISE\Application Data\Ahead
      2007-12-08 18:08 --------- d-----w C:\Program Files\Canon
      2007-12-08 18:04 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
      2007-12-08 15:28 --------- d-----w C:\Program Files\support.com
      2007-12-08 15:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
      2007-12-06 19:23 --------- d-----w C:\Program Files\K-Lite Codec Pack
      2007-12-06 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
      2007-12-04 22:12 --------- d-----w C:\Program Files\Common Files\xing shared
      2007-12-04 22:12 --------- d-----w C:\Program Files\Common Files\Real
      2007-12-04 22:11 --------- d-----w C:\Program Files\Real
      2007-12-04 22:06 --------- d-----w C:\Program Files\URUSoft
      2007-12-04 21:50 --------- d-----w C:\Program Files\MSN Messenger
      2007-12-04 21:48 --------- d-----w C:\Program Files\uTorrent
      2007-12-04 21:41 --------- d-----w C:\Documents and Settings\MIMPIE_DENISE\Application Data\vlc
      2007-12-04 21:40 --------- d-----w C:\Program Files\VideoLAN
      2007-12-04 21:15 --------- d-----w C:\Program Files\Common Files\McAfee
      2007-12-04 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
      2007-12-04 21:02 --------- d-----w C:\Program Files\McAfee.com
      2007-12-04 20:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
      2007-12-04 20:52 --------- d-----w C:\Program Files\Avi2Dvd
      2007-12-03 22:05 47,360 ----a-w C:\Documents and Settings\MIMPIE_DENISE\Application Data\pcouffin.sys
      .

      ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      REGEDIT4
      *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04793611-94CB-4370-AC9F-F8E129FFF0E0}]
      2007-12-17 19:00 314624 --a------ C:\WINDOWS\system32\geedd.dll

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
      2007-12-17 18:55 24336 --a------ C:\WINDOWS\system32\rqroomk.dll

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f34d177-82c0-4b5c-9498-b5fbcbab7824}]
      C:\WINDOWS\system32\mogxhdlo.dll

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]
      "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
      "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SoundMan"="SOUNDMAN.EXE" [2004-07-27 17:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
      "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
      "atwtusb"="atwtusb.exe" [2005-09-21 18:08 290816 C:\WINDOWS\system32\ATWTUSB.EXE]
      "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
      "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
      "combofix"="C:\ComboFix\kmd.exe" [2004-08-04 01:03 399360]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:03 15360]

      C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
      Event Reminder.lnk - C:\Program Files\TLC Domus\PrintMaster\Pmremind.exe [2007-12-26 15:18:09 323584]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
      "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\rqroomk.dll [2007-12-17 18:55 24336]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqroomk]
      rqroomk.dll 2007-12-17 18:55 24336 C:\WINDOWS\system32\rqroomk.dll

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
      Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geedd.dll

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
      path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
      backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^WinZip Quick Pick.lnk]
      path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\WinZip Quick Pick.lnk
      backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
      --a------ 2007-12-06 20:14 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
      --a------ 2004-01-14 02:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
      --a------ 2007-12-04 23:11 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TQ566808]
      F:\Setup.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "ImapiService"=3 (0x3)

      R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]
      R1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
      R3 ULI5261;ULi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN.SYS [2004-07-26 21:19]

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1894d09f-a1d7-11dc-af9c-806d6172696f}]
      \Shell\AutoRun\command - F:\Msetup4.exe

      .
      Inhoud van de 'Gedeelde Taken' map
      "2008-01-15 00:20:31 C:\WINDOWS\Tasks\McDefragTask.job"
      - C:\WINDOWS\system32\defrag.exe
      "2008-01-01 00:02:43 C:\WINDOWS\Tasks\McQcTask.job"
      - c:\program files\mcafee\mqc\QcConsol.exe.4158 0
      .
      **************************************************************************

      catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-02-04 13:31:12
      Windows 5.1.2600 Service Pack 2 NTFS

      scannen van verborgen processen ...

      scannen van verborgen autostart items ...

      scannen van verborgen bestanden ...

      Scan succesvol afgerond
      verborgen bestanden: 0

      **************************************************************************
      .
      --------------------- DLLs Geladen Onder Lopende Processen ---------------------

      PROCESS: C:\WINDOWS\system32\winlogon.exe
      -> C:\WINDOWS\system32\rqroomk.dll

      PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
      -> C:\WINDOWS\system32\geedd.dll

      PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
      -> C:\WINDOWS\system32\geedd.dll
      -> C:\WINDOWS\system32\rqroomk.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      C:\WINDOWS\System32\Ati2evxx.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
      c:\program files\common files\mcafee\mna\mcnasvc.exe
      c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
      C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
      C:\Program Files\McAfee\MPF\MPFSrv.exe
      C:\WINDOWS\system32\TBLMOUSE.EXE
      C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
      .
      **************************************************************************
      .
      Voltooingstijd: 2008-02-04 13:34:21 - machine was rebooted
      ComboFix-quarantined-files.txt 2008-02-04 12:34:15
      .
      2008-01-10 01:29:15 --- E O F ---


      and here is my HijackThis log


      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 13:41:18, on 4-2-2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\System32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
      c:\program files\common files\mcafee\mna\mcnasvc.exe
      c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
      C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
      C:\Program Files\McAfee\MPF\MPFSrv.exe
      C:\WINDOWS\SOUNDMAN.EXE
      C:\Program Files\McAfee.com\Agent\mcagent.exe
      C:\WINDOWS\system32\atwtusb.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\WINDOWS\system32\TBLMOUSE.EXE
      C:\Program Files\Messenger\msmsgs.exe
      C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\internet explorer\iexplore.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
      O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
      O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
      O4 - Global Startup: Event Reminder.lnk = C:\Program Files\TLC Domus\PrintMaster\Pmremind.exe
      O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
      O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
      O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
      O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196714576045
      O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
      O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
      O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game10.zylom.com/activex/zylomgamesplayer.cab
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
      O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
      O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
      O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
      O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
      O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

      --
      End of file - 5148 bytes



      • #4
        Open a Notepad file.
        Copy the code below and paste it into the Notepad file.
        Save the Notepad file as CFScript.txt
        Code:
        File::
        C:\WINDOWS\system32\ddeeg.ini
        C:\WINDOWS\system32\geedd.dll
        C:\WINDOWS\system32\rqroomk.dll
        
        Registry::
        [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{04793611-94CB-4370-AC9F-F8E129FFF0E0}]
        [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
        "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
        [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqroomk]
        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
        "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
        Now drag the file CFScript.txt onto the file ComboFix.exe

        ComboFix will start again.
        When ComboFix is finished, which may be after a restart, a log file will open.
        Post the contents of the log file.

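The last two lines of the CFScript above reset the LSA `Authentication Packages` value, which the ComboFix log showed as `msv1_0 C:\WINDOWS\system32\geedd.dll`: a DLL registered there is loaded into lsass.exe at every boot, so removing the file alone is not enough. The `hex(7):6d,73,76,31,5f,30,00,00` form is a REG_MULTI_SZ in REGEDIT4 (ANSI, one byte per character) notation: each string is NUL-terminated and the list ends with one more NUL. The code below is an added example, not part of the forum post or of ComboFix; it encodes and decodes that notation and checks a multi-string value against an allowlist. The sample value is reconstructed from the ComboFix log above, and the assumption that a clean Windows XP machine lists only `msv1_0` is the example's, which is why the allowlist is a parameter.

```python
# Constructed sample: the value as ComboFix reported it in the log above.
INFECTED_VALUE = ["msv1_0", r"C:\WINDOWS\system32\geedd.dll"]
# Assumed default for Windows XP: only the NTLM package.
DEFAULT_XP_PACKAGES = ("msv1_0",)


def multi_sz_to_hex7(values):
    """Encode a list of strings in REGEDIT4 'hex(7):' form (ANSI, NUL-separated, NUL-terminated)."""
    raw = b"".join(v.encode("latin-1") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def hex7_to_multi_sz(text):
    """Decode a 'hex(7):..' string back into its list of strings.

    .reg files wrap long values with a trailing backslash and a newline; those
    continuations are removed before the bytes are parsed.
    """
    body = text.split(":", 1)[1].replace("\\\n", "").replace(" ", "")
    raw = bytes(int(h, 16) for h in body.split(",") if h)
    raw = raw.rstrip(b"\x00")          # drop the list terminator (and the last string's NUL)
    if not raw:
        return []
    return [s.decode("latin-1") for s in raw.split(b"\x00")]


def unexpected_packages(values, allowed=DEFAULT_XP_PACKAGES):
    """Return every entry that is not on the allowlist (case-insensitive)."""
    allowed_lower = {a.lower() for a in allowed}
    return [v for v in values if v.lower() not in allowed_lower]


def reset_line(values=DEFAULT_XP_PACKAGES):
    """Build the registry-script line that restores the value to the allowlist."""
    return '"Authentication Packages"=' + multi_sz_to_hex7(list(values))


if __name__ == "__main__":
    print("unexpected:", unexpected_packages(INFECTED_VALUE))
    print(reset_line())
    # Round trip of the infected value shows the extra DLL survives encoding intact.
    print(hex7_to_multi_sz(multi_sz_to_hex7(INFECTED_VALUE)))
```

`reset_line()` reproduces the exact line from the CFScript, `"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00`, which is a useful way to confirm that a fix script someone hands you really does contain only the package you expect. Note that Regedit version 5 files store `hex(7)` as UTF-16LE (two bytes per character); this encoder follows the REGEDIT4 convention that ComboFix's log and the script above use.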