Mededeling

**BendeBoy** · 28-02-08, 02:06

Hi Edwin,

Welkom op Nucia.nl

Download [url=http://download.bleepingcomputer.com/sUBs/ComboFix.exe]ComboFix en sla het op je bureaublad op.

OPMERKING: indien je, tijdens of na het downloaden van Combofix of tijdens het gebruik van Combofix een melding krijgt van je antivirus- of een andere realtime scanner, schakel dan deze scanner uit en download ComboFix opnieuw.
Sommige scanners zien bepaalde componenten die Combofix gebruikt als verdacht en gaan deze blokkeren of verwijderen!

Dubbelklik op Combofix.exe
Volg de instructies, aanvaard de disclaimer door 1 (continue) te typen, gevolgd door ENTER.
Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.

Wanneer de fix voltooid is en na herstart, zal de log Combofix.txt openen.
Plaats deze log in je volgende post, samen met een vers HijackThis logje.

- Daniël

**EdEdsen** · 01-03-08, 13:05

Bedankt

Hee Daniël

Bedankt voor de hulp!
Ik heb gedaan wat je zei en hier onderstaan de beide logs eerst die van combofix en dan de hijackthis log.
Ik heb in de tussen tijd ook zelf wat geprobeert, misschien had ik dat niet moeten doen

Ik heb Malwarebytes' Anti-maleware gedraaid. Het leek daarna voorbij te zijn, maar kreeg later toch nog meldingen van norton security scan.
Na het draaien van Anti-maleware krijg ik ook steeds de volgende melding bij het opstarten: "er is een fout opgetreden tijdens het laden van c:\windows\system32\urgoauta.dll dak module niet vinden"

Groeten
Edwin

ComboFix 08-02-25.3 - RenskeH 2008-03-01 12:31:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.600 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\renskeh\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cdpiwxnd.dll
C:\WINDOWS\system32\charset.dll
C:\WINDOWS\system32\duntuiko.dll
C:\WINDOWS\SYSTEM32\ghhkj.ini
C:\WINDOWS\SYSTEM32\ghhkj.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\qrqss.ini
C:\WINDOWS\SYSTEM32\qrqss.ini2
C:\WINDOWS\SYSTEM32\sttss.ini
C:\WINDOWS\SYSTEM32\sttss.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm

(((((((((((((((((((( Bestanden Gemaakt van 2008-02-01 to 2008-03-01 ))))))))))))))))))))))))))))))
.

2008-02-29 19:38 . 2008-02-29 19:42 <DIR> d-------- C:\Quarantine
2008-02-27 22:13 . 2008-02-27 22:13 <DIR> d-------- C:\Program Files\Notepad++
2008-02-27 10:33 . 2008-02-27 10:33 <DIR> d-------- C:\Documents and Settings\renskeh\Application Data\Malwarebytes
2008-02-27 10:33 . 2008-02-27 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-26 21:42 . 2008-02-27 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 20:13 . 2008-02-26 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-26 13:26 . 2008-02-26 14:43 414 ---hs---- C:\WINDOWS\SYSTEM32\nwyglxqv.ini
2008-02-26 13:18 . 2008-02-28 13:18 147 --a------ C:\WINDOWS\BM9b89ddcf.xml
2008-02-26 13:18 . 2008-02-29 10:02 22 --a------ C:\WINDOWS\pskt.ini
2008-02-25 21:21 . 2008-02-25 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-25 21:20 . 2008-02-27 10:37 <DIR> d-------- C:\Documents and Settings\renskeh\Application Data\SUPERAntiSpyware.com
2008-02-20 17:08 . 2008-02-20 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-20 17:08 . 2007-10-16 20:50 171,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-02-20 17:08 . 2007-10-16 20:50 72,680 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-02-20 17:08 . 2007-10-16 20:50 64,168 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys
2008-02-20 17:08 . 2007-10-16 20:50 51,944 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfetdik.sys
2008-02-20 17:08 . 2007-10-16 20:50 33,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-02-20 17:07 . 2008-02-20 17:07 <DIR> d-------- C:\Program Files\McAfee
2008-02-20 17:07 . 2008-02-20 17:07 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-19 07:58 . 2008-02-19 07:58 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-17 10:08 . 2004-06-10 05:00 105,984 --a------ C:\WINDOWS\SYSTEM32\CNMLM5m.DLL
2008-02-17 10:08 . 2004-06-09 10:33 86,016 --a------ C:\WINDOWS\SYSTEM32\CNMCP5m.exe
2008-02-17 10:08 . 2004-06-10 05:00 6,656 --a------ C:\WINDOWS\SYSTEM32\CNMVS5m.DLL
2008-02-15 13:06 . 2008-02-08 11:10 1,495,552 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll
2008-02-15 13:06 . 2008-02-08 11:10 280 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll.sig
2008-02-15 13:05 . 2008-02-08 11:11 3,797,753 --a------ C:\WINDOWS\FramePkg.exe
2008-02-03 22:12 . 2008-02-24 19:54 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 11:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-01 11:20 --------- d-----w C:\Documents and Settings\renskeh\Application Data\U3
2008-02-29 14:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-29 10:29 --------- d-----w C:\Program Files\FinePixViewer
2008-02-28 23:58 --------- d-----w C:\Documents and Settings\renskeh\Application Data\Azureus
2008-02-27 21:10 642 -c--a-w C:\Program Files\Software.txt
2008-02-27 20:52 --------- d-----w C:\Program Files\TOPXs
2008-02-27 20:48 --------- d-----w C:\Documents and Settings\renskeh\Application Data\TOPXs
2008-02-27 09:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-24 19:46 --------- d-----w C:\Documents and Settings\renskeh\Application Data\Downloaded Installations
2008-02-20 16:09 --------- d-----w C:\Program Files\Network Associates
2008-02-20 16:07 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-02-18 20:04 --------- d-----w C:\Program Files\Azureus
2008-01-28 23:10 --------- d-----w C:\Program Files\iTunes
2008-01-28 23:10 --------- d-----w C:\Program Files\iPod
2008-01-28 23:08 --------- d-----w C:\Program Files\QuickTime
2008-01-20 20:04 --------- d-----w C:\Program Files\usbdailer
2008-01-20 19:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 19:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-16 15:30 --------- d-----w C:\Program Files\Spark
2008-01-16 07:49 --------- d-----w C:\Program Files\Zarafa
2008-01-16 07:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-10 14:34 720,896 -c--a-w C:\WINDOWS\iun6002.exe
2006-10-13 08:20 21,864 -c--a-w C:\Documents and Settings\renskeh\Application Data\GDIPFONTCACHEV1.DAT
2006-03-23 20:11 121 -c--a-w C:\Program Files\18188770.PAS
2004-11-05 13:31 1,597,440 ----a-w C:\Documents and Settings\renskeh\Application Data\SecureTraveler.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29B9C8ED-EA17-4E88-B314-695B26CB3B97}]
C:\WINDOWS\system32\sstts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"NetMsg"="C:\Program Files\NetMsg\NetMsg.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 12:39 1289000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 11:25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 11:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 09:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 09:02 126976]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26 606208]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 08:04 53248]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2008-02-08 11:10 136512]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 12:00 144384]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17 159744]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 20:50 111952]
"AdVantage Setup"="C:\Program Files\Webteh\BSplayer\AdVantageSetup.exe" [ ]
"98baee53"="C:\WINDOWS\system32\urgoauta.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

C:\Documents and Settings\renskeh\Menu Start\Programma's\Opstarten\
Snelkoppeling naar Network Starter.lnk - D:\Network Mirror\Laptop-tools\Networkstarter\Network Starter.exe [2007-04-24 09:55:42 329440]
WorkPace.lnk - C:\Program Files\WorkPace\WorkPace.exe [2005-11-22 09:42:20 825856]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-23 14:11:21 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-616813238-485989776-2992251252-1774\Scripts\Logoff\0\0]
"Script"=\\tis.local\NETLOGON\KIX32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-616813238-485989776-2992251252-1774\Scripts\Logon\0\0]
"Script"=\\tis.local\NETLOGON\KIX32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-616813238-485989776-2992251252-1817\Scripts\Logon\0\0]
"Script"=\\tis.local\NETLOGON\KIX32.EXE

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 IDS Server;IDS Server;C:\IDSServer\idss.exe [1999-11-01 08:13]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1

S3 ADM8511;PA090 USB ETHERNET 10/100 ;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2002-01-16 15:02]
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 09:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Inhoud van de 'Gedeelde Taken' map
"2008-02-25 21:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-29 21:53:55 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-02-29 04:00:00 C:\WINDOWS\Tasks\toppak.job"
- C:\Program Files\TOPdesk\TOPdesk Professional IS\toppak.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 12:45:25
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\Program Files\WorkPace\wp32_240.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WorkPace\sv32_240.exe
.
**************************************************************************
.
Voltooingstijd: 2008-03-01 12:49:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-01 11:49:34

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52, on 2008-03-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\IDSServer\idss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WorkPace\WorkPace.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WorkPace\sv32_240.exe
D:\Temp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://webmail.topdesk.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://las:8089/lift/lift?modulenaam=urenmodule&kaarttype=uur
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29B9C8ED-EA17-4E88-B314-695B26CB3B97} - C:\WINDOWS\system32\sstts.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AdVantage Setup] C:\Program Files\Webteh\BSplayer\AdVantageSetup.exe
O4 - HKLM\..\Run: [98baee53] rundll32.exe "C:\WINDOWS\system32\urgoauta.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMsg] C:\Program Files\NetMsg\NetMsg.exe -Systray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Snelkoppeling naar Network Starter.lnk = D:\Network Mirror\Laptop-tools\Networkstarter\Network Starter.exe
O4 - Startup: WorkPace.lnk = C:\Program Files\WorkPace\WorkPace.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://webmail.topdesk.com/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tis.local
O17 - HKLM\Software\..\Telephony: DomainName = tis.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{004E8920-F202-44E3-B7C5-6EA881006D14}: NameServer = 213.197.28.3,213.197.30.28
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tis.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{004E8920-F202-44E3-B7C5-6EA881006D14}: NameServer = 213.197.28.3,213.197.30.28
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDS Server - Unknown owner - C:\IDSServer\idss.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9397 bytes

**BendeBoy** · 03-03-08, 23:35

Hi,

Open een nieuw kladblok bestand.

Kopieer en plak daarin de onderstaande code.
Ga naar 'Bestand' -> 'Opslaan als..' en sla het vervolgens op je bureaublad op als CFScript.txt.

Code:

File::
C:\WINDOWS\SYSTEM32\nwyglxqv.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\sstts.dll

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29B9C8ED-EA17-4E88-B314-695B26CB3B97}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"98baee53"=-

Sleep CFScript.txt in ComboFix.exe zoals getoond in onderstaand voorbeeld:

Dit zal ComboFix doen herstarten. Start opnieuw op als dat gevraagd wordt.
Post na herstart de inhoud van de Combofix.txt in je volgende antwoord samen met een nieuw logje van HijackThis.

**EdEdsen** · 04-03-08, 19:02

gedaan

Bijdeze:

ComboFix 08-02-25.3 - RenskeH 2008-03-04 18:52:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.588 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\renskeh\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\renskeh\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\nwyglxqv.ini
C:\WINDOWS\system32\sstts.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\nwyglxqv.ini

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-02-04 to 2008-03-04 ))))))))))))))))))))))))))))))
.

2008-02-29 19:38 . 2008-03-01 15:00 <DIR> d-------- C:\Quarantine
2008-02-27 22:13 . 2008-02-27 22:13 <DIR> d-------- C:\Program Files\Notepad++
2008-02-27 10:33 . 2008-02-27 10:33 <DIR> d-------- C:\Documents and Settings\renskeh\Application Data\Malwarebytes
2008-02-27 10:33 . 2008-02-27 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-26 21:42 . 2008-02-27 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 20:13 . 2008-02-26 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-26 13:18 . 2008-02-28 13:18 147 --a------ C:\WINDOWS\BM9b89ddcf.xml
2008-02-25 21:21 . 2008-02-25 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-25 21:20 . 2008-02-27 10:37 <DIR> d-------- C:\Documents and Settings\renskeh\Application Data\SUPERAntiSpyware.com
2008-02-20 17:08 . 2008-02-20 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-20 17:08 . 2007-10-16 20:50 171,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-02-20 17:08 . 2007-10-16 20:50 72,680 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-02-20 17:08 . 2007-10-16 20:50 64,168 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys
2008-02-20 17:08 . 2007-10-16 20:50 51,944 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfetdik.sys
2008-02-20 17:08 . 2007-10-16 20:50 33,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-02-20 17:07 . 2008-02-20 17:07 <DIR> d-------- C:\Program Files\McAfee
2008-02-20 17:07 . 2008-02-20 17:07 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-02-19 07:58 . 2008-02-19 07:58 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-17 10:08 . 2004-06-10 05:00 105,984 --a------ C:\WINDOWS\SYSTEM32\CNMLM5m.DLL
2008-02-17 10:08 . 2004-06-09 10:33 86,016 --a------ C:\WINDOWS\SYSTEM32\CNMCP5m.exe
2008-02-17 10:08 . 2004-06-10 05:00 6,656 --a------ C:\WINDOWS\SYSTEM32\CNMVS5m.DLL
2008-02-15 13:06 . 2008-02-08 11:10 1,495,552 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll
2008-02-15 13:06 . 2008-02-08 11:10 280 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll.sig
2008-02-15 13:05 . 2008-02-08 11:11 3,797,753 --a------ C:\WINDOWS\FramePkg.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 11:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 14:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-29 10:29 --------- d-----w C:\Program Files\FinePixViewer
2008-02-27 21:10 642 -c--a-w C:\Program Files\Software.txt
2008-02-27 20:52 --------- d-----w C:\Program Files\TOPXs
2008-02-27 09:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-20 16:09 --------- d-----w C:\Program Files\Network Associates
2008-02-20 16:07 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-02-18 20:04 --------- d-----w C:\Program Files\Azureus
2008-01-28 23:10 --------- d-----w C:\Program Files\iTunes
2008-01-28 23:10 --------- d-----w C:\Program Files\iPod
2008-01-28 23:08 --------- d-----w C:\Program Files\QuickTime
2008-01-20 20:04 --------- d-----w C:\Program Files\usbdailer
2008-01-20 19:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 19:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-18 07:20 --------- d-----w C:\Documents and Settings\renskeh\Application Data\TOPXs
2008-01-16 15:30 --------- d-----w C:\Program Files\Spark
2008-01-16 07:49 --------- d-----w C:\Program Files\Zarafa
2008-01-16 07:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-10 12:16 159,839 ----a-w C:\WINDOWS\SYSTEM32\xvidvfw.dll
2008-01-10 12:15 755,027 ----a-w C:\WINDOWS\SYSTEM32\xvidcore.dll
2007-12-24 12:49 7,680 ----a-w C:\WINDOWS\SYSTEM32\ff_vfw.dll
2007-12-10 14:34 720,896 -c--a-w C:\WINDOWS\iun6002.exe
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\SYSTEM32\divx.dll
2006-10-13 08:20 21,864 -c--a-w C:\Documents and Settings\renskeh\Application Data\GDIPFONTCACHEV1.DAT
2006-03-23 20:11 121 -c--a-w C:\Program Files\18188770.PAS
2005-01-24 09:42 1,601,536 ----a-w C:\Documents and Settings\renskeh\Application Data\SecureTraveler.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29B9C8ED-EA17-4E88-B314-695B26CB3B97}]
C:\WINDOWS\system32\sstts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"NetMsg"="C:\Program Files\NetMsg\NetMsg.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 12:39 1289000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 11:25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 11:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 09:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 09:02 126976]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26 606208]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 08:04 53248]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2008-02-08 11:10 136512]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 12:00 144384]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17 159744]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 20:50 111952]
"AdVantage Setup"="C:\Program Files\Webteh\BSplayer\AdVantageSetup.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-23 14:11:21 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-616813238-485989776-2992251252-1774\Scripts\Logoff\0\0]
"Script"=\\tis.local\NETLOGON\KIX32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-616813238-485989776-2992251252-1774\Scripts\Logon\0\0]
"Script"=\\tis.local\NETLOGON\KIX32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-616813238-485989776-2992251252-1817\Scripts\Logon\0\0]
"Script"=\\tis.local\NETLOGON\KIX32.EXE

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 IDS Server;IDS Server;C:\IDSServer\idss.exe [1999-11-01 08:13]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1

S3 ADM8511;PA090 USB ETHERNET 10/100 ;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2002-01-16 15:02]
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 09:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a6e1548-e763-11dc-b484-0013ce19e757}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Inhoud van de 'Gedeelde Taken' map
"2008-02-25 21:30:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-29 21:53:55 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-03-03 04:00:00 C:\WINDOWS\Tasks\toppak.job"
- C:\Program Files\TOPdesk\TOPdesk Professional IS\toppak.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 18:57:27
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQLEXPRESS"
.
Voltooingstijd: 2008-03-04 18:58:49
ComboFix-quarantined-files.txt 2008-03-04 17:58:33
ComboFix2.txt 2008-03-01 11:49:42

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:59, on 2008-03-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\IDSServer\idss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WorkPace\WorkPace.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WorkPace\sv32_240.exe
C:\WINDOWS\explorer.exe
D:\Temp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://webmail.topdesk.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://las:8089/lift/lift?modulenaam=urenmodule&kaarttype=uur
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29B9C8ED-EA17-4E88-B314-695B26CB3B97} - C:\WINDOWS\system32\sstts.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AdVantage Setup] C:\Program Files\Webteh\BSplayer\AdVantageSetup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMsg] C:\Program Files\NetMsg\NetMsg.exe -Systray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Snelkoppeling naar Network Starter.lnk = Network Mirror\Laptop-tools\Networkstarter\Network Starter.exe
O4 - Startup: WorkPace.lnk = C:\Program Files\WorkPace\WorkPace.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://webmail.topdesk.com/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tis.local
O17 - HKLM\Software\..\Telephony: DomainName = tis.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{004E8920-F202-44E3-B7C5-6EA881006D14}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tis.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{004E8920-F202-44E3-B7C5-6EA881006D14}: NameServer = 192.168.0.1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDS Server - Unknown owner - C:\IDSServer\idss.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9217 bytes

**BendeBoy** · 05-03-08, 22:42

Hi,

Download [url=http://www.atribune.org/ccount/click.php?id=1]ATF cleaner (by Atribune)

Dubbelklik op ATF cleaner om het programma te starten.
Op het tabblad 'Main', plaats je een vinkje bij Select All.
Klik op de knop Empty Selected.

Gebruik je ook Firefox als browser:
Klik op tabblad 'Firefox', plaats een vinkje bij Select All.
Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op 'No'.
(dit verwijdert het vinkje bij 'Firefox saved passwords')
Klik op de knop Empty Selected.

Gebruik je ook Opera als browser:
Klik op tabblad Opera', plaats een vinkje bij Select All.
Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op 'No'.
Klik op de knop Empty Selected.
Ga naar het tabblad 'Main'en klik op de knop Exit om het programma af te sluiten.

Download [url=http://www.besttechie.net/tools/mbam-setup.exe]MalwareBytes' Anti-Malware en sla het op je bureaublad op.
Dubbelklik op mbam-setup.exe om het programma te installeren.

Zorg dat er na de installatie een vinkje is geplaatst bij:

Update MalwareBytes' Anti-Malware
Start MalwareBytes' Anti-Malware

Klik daarna op "Voltooien".
Indien een update gevonden wordt, zal die gedownload en geïnstalleerd worden.

Zodra het programma gestart is, ga dan naar het tabblad "Instellingen".
Vink hier aan: "Sluit Internet Explorer tijdens verwijdering van malware".
Ga daarna naar het tabblad "Scanner", kies hier voor "Snelle Scan".
Druk vervolgens op "Scannen" om de scan te starten.
Het scannen kan een tijdje duren, dus wees geduldig.
Wanneer de scan voltooid is, klik op OK, daarna "Bekijk Resultaten" om de resultaten te zien.
Zorg ervoor dat daar alles aangevinkt is, daarna klik op: "Verwijder geselecteerde".
Na het verwijderen zal een log openen en zal er gevraagd worden om de computer opnieuw op te starten.

Het log wordt automatisch bewaard door MalwareBytes' Anti-Malware en kan je terugvinden door op de "Logs" tab te klikken in het programma. Kopieer en plak de inhoud van het logje in je volgend antwoord, samen met een nieuw HijackThis log.

- Daniël

**EdEdsen** · 06-03-08, 08:03

Bijdeze

Malwarebytes' Anti-Malware 1.06
Database versie: 459

Scan type: Snelle Scan
Objecten gescand: 32324
Verstreken tijd: 14 minute(s), 3 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 1
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:01, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\IDSServer\idss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WorkPace\WorkPace.exe
C:\Program Files\WorkPace\sv32_240.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\azureus\Azureus.exe
D:\Temp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://webmail.topdesk.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://las:8089/lift/lift?modulenaam=urenmodule&kaarttype=uur
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29B9C8ED-EA17-4E88-B314-695B26CB3B97} - C:\WINDOWS\system32\sstts.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AdVantage Setup] C:\Program Files\Webteh\BSplayer\AdVantageSetup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMsg] C:\Program Files\NetMsg\NetMsg.exe -Systray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-21-616813238-485989776-2992251252-1134\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-616813238-485989776-2992251252-1285\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Snelkoppeling naar Network Starter.lnk = Network Mirror\Laptop-tools\Networkstarter\Network Starter.exe
O4 - Startup: WorkPace.lnk = C:\Program Files\WorkPace\WorkPace.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://webmail.topdesk.com/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tis.local
O17 - HKLM\Software\..\Telephony: DomainName = tis.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{004E8920-F202-44E3-B7C5-6EA881006D14}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tis.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{004E8920-F202-44E3-B7C5-6EA881006D14}: NameServer = 192.168.0.1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDS Server - Unknown owner - C:\IDSServer\idss.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9488 bytes

**EdEdsen** · 14-03-08, 11:01

lijkt o.k.

Hee Daniël

Trouwens, nog gefeliciteerd!!!

Het probleem lijkt opgelost (daarvoor alvast bedankt

). Ik heb geen last meer van die irritante popups. Kun je misschien nog 1 keer door mijn logfiles lopen om te checken of ik echt genezen ben?

Alvast bedankt
Edwin

**smeenk** · 16-03-08, 02:08

Hoi ik neem het even over

Je logjes zien er goed uit

Doe dit nog even:

Dit bestand mag je nog verwijderen:
C:\WINDOWS\BM9b89ddcf.xml

Maak daarna je prullenbak leeg.

Je Java software is verouderd.
Oudere versies hebben lekken die malware de kans geeft om zich te installeren op je systeem.
Doe eerst deze stappen om Java te de-installeren en de nieuwere versie te installeren:

Download Java Runtime Environment (JRE) 6u5 en bewaar het naar je Bureaublad.
Sluit alle programma's die eventueel open zijn - Zeker je web browser!
Ga dan naar Start > Configuratiescherm > Software en verwijder alle oudere versies van Java uit de Softwarelijst.
Vink alles aan met Java Runtime Environment (JRE of J2SE) in de naam.
Klik dan op Verwijderen of op de Wijzig/Verwijder knop.
Herhaal dit tot alle oudere versies verdwenen zijn.
Na het verwijderen van alle oudere versies, herstart je pc.
Dubbelklik vervolgens op jre-6u5-windows-i586-p-s.exe op je Bureaublad om de nieuwste versie van Java te installeren.

Ga naar Start - Uitvoeren en geef hier het volgende in:
Combofix /U
Druk daarna op OK.
Let op: Er moet een spatie tussen Combofix en /U zitten.

Dit zal Combofix deïnstalleren.

Post als laatste nog een nieuw logje van Hijackthis ter controle

**EdEdsen** · 20-03-08, 23:33

log

Hallo Smeenk,
Bedankt voor alle hulp!

Het duurde even, maar ik moest even goed controleren of de applicaties die ik heb ook draaien onder JRE 6. Ik heb inmiddels alle oude versies verwijderd en de laatste versie geinstalleerd.
Bij deze het logbestand:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:27, on 2008-03-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\IDSServer\idss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
D:\Temp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://webmail.topdesk.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://las:8089/lift/lift?modulenaam=urenmodule&kaarttype=uur
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29B9C8ED-EA17-4E88-B314-695B26CB3B97} - C:\WINDOWS\system32\sstts.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AdVantage Setup] C:\Program Files\Webteh\BSplayer\AdVantageSetup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMsg] C:\Program Files\NetMsg\NetMsg.exe -Systray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Snelkoppeling naar Network Starter.lnk = D:\Network Mirror\Laptop-tools\Networkstarter\Network Starter.exe
O4 - Startup: WorkPace.lnk = C:\Program Files\WorkPace\WorkPace.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://webmail.topdesk.com/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tis.local
O17 - HKLM\Software\..\Telephony: DomainName = tis.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{004E8920-F202-44E3-B7C5-6EA881006D14}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tis.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{004E8920-F202-44E3-B7C5-6EA881006D14}: NameServer = 192.168.0.1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDS Server - Unknown owner - C:\IDSServer\idss.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9332 bytes

**smeenk** · 20-03-08, 23:55

Deze regel mag je nog weghalen met Hijackthis:
O2 - BHO: (no name) - {29B9C8ED-EA17-4E88-B314-695B26CB3B97} - C:\WINDOWS\system32\sstts.dll (file missing)

Voor de rest ziet het er goed uit

**EdEdsen** · 23-03-08, 18:00

Bedankt! Alles lijkt nu weer goed te werken!

**smeenk** · 23-03-08, 18:04

Graag gedaan hoor

Als ik me niet vergis mag dit bestand ook nog weg:
C:\WINDOWS\BM9b89ddcf.txt

Deze is niet zichtbaar in een Combofix log, maar is volgens mij wel aanwezig.

Mededeling

last van popups

last van popups

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment