Mess on my work laptop

  • Mess on my work laptop

    Good afternoon!!

    Yesterday I accidentally (while I was busy working) clicked on one of those stupid links via MSN. You guessed it: infected. I then took all the steps you prescribe: Ad-Aware, Spybot, AVG and ATF. Didn't help. I then had to call our outsourced helpdesk (company laptop), and they have been working on it via VPN since 8:15 this morning. At Navisite Support they are apparently not that skilled, because they can't do anything about it and simply order a new hard disk. I think that's nonsense, since you always find everything.

    Anyway, I aborted the session and am now calling on your help. Below is the HijackThis log. Can you find anything?

    =========================================

    Logfile of HijackThis v1.99.1
    Scan saved at 13:03:31, on 28-2-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NetProject\scit.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\NetProject\scm.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
    C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
    C:\WINDOWS\system32\msiexec.exe
    D:\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://workspace.celerant.cc/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: WindowsUpdate Class - {B3B010A1-A877-4CD7-BAB5-9EE8F9965E20} - C:\DOCUME~1\dkelde\LOCALS~1\Temp\ieobj.dll
    O3 - Toolbar: ekvgsnw - {474928DE-BC0F-4637-ADC1-C6DD2D1161D7} - C:\WINDOWS\ekvgsnw.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
    O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [GenMCLauncher] "C:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wireoneemea.webex.com/client/T23L/webex/ieatgpc.cab
    O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} - https://content101.mc.iconf.net/gcc_installer/webtour/astbrowserquery.cab
    O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.5.1.191.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: alofkmn - {C0A757A8-AAE6-4322-9ED4-64F6ADD513B7} - C:\WINDOWS\alofkmn.dll
    O21 - SSODL: bxlrvps - {845D7CCE-32AA-405A-9D2B-C8E89C46F02F} - C:\WINDOWS\bxlrvps.dll
    O21 - SSODL: AlrtDrive - {b6ca9107-721e-4221-aa42-358672f86a4e} - C:\WINDOWS\Installer\{b6ca9107-721e-4221-aa42-358672f86a4e}\AlrtDrive.dll
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
    O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
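A small triage script over HijackThis log lines, added here as an illustration and not part of the original post or of HijackThis itself. It flags the kinds of entries the helpers act on in this thread: an extra program hooked into the Winlogon UserInit value, modules and autorun entries that live in a user's Temp directory, DLLs sitting directly in C:\WINDOWS instead of a subfolder, and the DisableRegedit policy. The sample input is constructed from lines copied from the log above plus two benign entries (IgfxTray, WPDShServiceObj) so the script has something to leave alone; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log in the post above,
# plus two benign entries so the heuristics have something to ignore.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
O2 - BHO: WindowsUpdate Class - {B3B010A1-A877-4CD7-BAB5-9EE8F9965E20} - C:\DOCUME~1\dkelde\LOCALS~1\Temp\ieobj.dll
O3 - Toolbar: ekvgsnw - {474928DE-BC0F-4637-ADC1-C6DD2D1161D7} - C:\WINDOWS\ekvgsnw.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: alofkmn - {C0A757A8-AAE6-4322-9ED4-64F6ADD513B7} - C:\WINDOWS\alofkmn.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line deserves a closer look
    line: str      # the original log line


# Anything launched or loaded from a Temp directory (short 8.3 names included).
TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)
# A module placed directly in C:\WINDOWS rather than in a subfolder such as system32.
WINDIR_ROOT_MODULE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.(?:dll|exe)$", re.IGNORECASE)
# The only UserInit program Windows XP ships with.
EXPECTED_USERINIT = r"\system32\userinit.exe"


def _last_field(line: str) -> str:
    """Path field of an O2/O3/O21 line, without the '(file missing)' tag."""
    return line.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()


def check_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one log line; return a Finding or None."""
    line = line.strip()
    if not line:
        return None
    section = line.split(" - ", 1)[0]

    if section == "F2" and "UserInit=" in line:
        entries = [e for e in line.split("UserInit=", 1)[1].split(",") if e]
        extra = [e for e in entries if not e.lower().endswith(EXPECTED_USERINIT)]
        if extra:
            return Finding(section, "extra UserInit entry: " + ", ".join(extra), line)

    elif section in ("O2", "O3", "O21"):
        path = _last_field(line)
        if TEMP_PATH.search(path):
            return Finding(section, "module loaded from a Temp directory", line)
        if WINDIR_ROOT_MODULE.match(path):
            return Finding(section, "module sits directly in C:\\WINDOWS", line)

    elif section == "O4":
        command = line.split("] ", 1)[-1]
        if TEMP_PATH.search(command):
            return Finding(section, "autorun entry points into a Temp directory", line)

    elif section == "O7" and "DisableRegedit=1" in line:
        return Finding(section, "registry editor disabled by policy", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line and collect the findings in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

These are triage hints, not verdicts: the C:\WINDOWS-root heuristic would also flag a legitimate vendor tray program placed there (the log above has stsystra.exe in that location), so a person still decides per entry, as the helpers in this thread do.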

  • #2
    Download: RVAXO.exe
    • Save the file to your desktop, double-click it and choose "Unzip" to extract it.
    • Now open the RVAXO folder on your desktop and double-click RunMe.cmd
      A cmd window will open; some lines about files not found will quickly scroll past, which is normal.
    • An uninstaller of a rogue scanner may also start; do not close it, but follow any instructions and just let it do its work.
    • Your PC will then restart; after the restart the RVAXO cmd window opens again.
      Let it run and wait until a log file opens: C:\RVAXO-results.log
    • If your computer does not restart by itself, or the tool does not start after the reboot, do so manually.
    • Post the contents of the log file in your next reply.
    Download Deckard's System Scanner to your Desktop.
    • Close all applications and windows.
    • Double-click dss.exe to start it, and follow the instructions.
    • When the scan is complete, a text file - main.txt - will open.
    • Copy (Ctrl+A followed by Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.

    Note: Some firewalls may warn that sigcheck.exe is trying to connect to the internet
    - make sure sigcheck.exe is allowed to do so!
    It can also happen that your antivirus flags DSS as suspicious, or even tries to remove it.
    Do not let your antivirus remove it! (In that case it may be better to temporarily disable your antivirus while DSS scans.)


    • #3
      Hi Smeenk!!!

      It took a while before I could carry out your suggestions, because of blue screens and god knows what else. I've got rid of those now, and was able to run both of your programs. I hope you can find something. Thanks in advance!!!!!!!!

      Regards,

      Bofelfje

      The logs are as follows:

      RVAXO-results:

      ---RVAXO.exe Updated: 2008-03-02---first run---
      Uninstallers:

      Files found:
      C:\WINDOWS\system32\heuvth.dll
      C:\WINDOWS\system32\msvcrtd.exe
      C:\WINDOWS\alofkmn.dll
      C:\WINDOWS\fkxvkns.exe
      C:\WINDOWS\mrofinu1423.exe
      C:\WINDOWS\mrofinu1423.exe.tmp
      C:\WINDOWS\Prefetch\MROFINU1423.EXE-10CB8758.pf
      C:\WINDOWS\system\hipsrv.mm
      C:\WINDOWS\system\userinfo32.ggt
      C:\tmp.bat
      C:\Documents and Settings\dkelde\FAVORI~1\Error Cleaner.url
      C:\Documents and Settings\dkelde\FAVORI~1\Privacy Protector.url
      C:\Documents and Settings\dkelde\FAVORI~1\Spyware&Malware Protection.url

      Folders Found:
      C:\Program Files\Sotfone

      Hosts-file was reset, If you use a custom hosts file please replace it...

      --------------RVAXO.exe last run---------------
      Not deleted items:
      C:\WINDOWS\alofkmn.dll
      C:\WINDOWS\fkxvkns.exe
      C:\WINDOWS\system32\msvcrtd.exe
      C:\tmp.bat
      C:\Program Files\Sotfone

      --------------RVAXO.exe finished----------------

      Deckard's results:

      Deckard's System Scanner v20071014.68
      Run by dkelde on 2008-03-10 16:29:02
      Computer is in Normal Mode.
      --------------------------------------------------------------------------------

      -- System Restore --------------------------------------------------------------

      Successfully created a Deckard's System Scanner Restore Point.


      -- Last 5 Restore Point(s) --
      49: 2008-03-10 15:29:38 UTC - RP112 - Deckard's System Scanner Restore Point
      48: 2008-03-10 07:29:17 UTC - RP111 - System Checkpoint
      47: 2008-02-29 11:45:34 UTC - RP110 - System Checkpoint
      46: 2008-02-28 09:30:32 UTC - RP109 - Verwijderd: Windows Live Messenger
      45: 2008-02-28 09:25:52 UTC - RP108 - Removed Ad-Aware 2007


      -- First Restore Point --
      1: 2007-12-03 11:50:09 UTC - RP64 - System Checkpoint


      Backed up registry hives.
      Performed disk cleanup.

      Total Physical Memory: 503 MiB (512 MiB recommended).


      -- HijackThis (run as dkelde.exe) ----------------------------------------------

      Unable to find log (file not found); running clone.
      -- HijackThis Clone ------------------------------------------------------------


      Emulating logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 2008-03-10 16:30:45
      Platform: Windows XP Service Pack 2 (5.01.2600)
      MSIE: Internet Explorer (7.00.6000.16608)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\system32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\explorer.exe
      C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\WINDOWS\system32\igfxpers.exe
      C:\WINDOWS\system32\igfxsrvc.exe
      C:\Program Files\Dell\QuickSet\quickset.exe
      C:\Program Files\Apoint\Apoint.exe
      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
      C:\WINDOWS\system32\DLA\DLACTRLW.EXE
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\Apoint\hidfind.exe
      C:\Program Files\Apoint\ApntEx.exe
      C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
      C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
      C:\Documents and Settings\dkelde\Desktop\dss.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://workspace.celerant.cc/
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
      O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O3 - Toolbar: ekvgsnw - {474928DE-BC0F-4637-ADC1-C6DD2D1161D7} - C:\WINDOWS\ekvgsnw.dll (file missing)
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
      O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
      O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
      O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
      O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
      O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
      O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
      O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
      O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
      O4 - HKCU\..\Run: [GenMCLauncher] "C:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe"
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
      O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O15 - ProtocolDefaults: Unknown 'myui' protocol is in Trusted Zone (HKLM)
      O15 - ProtocolDefaults: Unknown 'myrm' protocol is in Trusted Zone (HKLM)
      O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
      O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc4.cab
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wireoneemea.webex.com/client/T23L/webex/ieatgpc.cab
      O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} () - https://content101.mc.iconf.net/gcc_installer/webtour/astbrowserquery.cab
      O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
      O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
      O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
      O18 - Protocol: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.5.1.191.dll
      O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
      O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
      O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe


      --
      End of file - 7543 bytes

      -- File Associations -----------------------------------------------------------

      All associations okay.


      -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

      R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
      R3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
      R3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
      R3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Microsoft(R) Windows NT(R) Operating System>

      S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
      S1 hipsrv - c:\windows\system\hipsrv.mm (file missing)
      S1 Tosrfcom - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
      S1 userinfo32 - c:\windows\system\userinfo32.ggt (file missing)
      S3 {FF9BACB3-2B8E-45ba-9E68-B6720E5D81A3} - c:\windows\system32\{ff9bacb3-2b8e-45ba-9e68-b6720e5d81a3} (file missing)


      -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

      All services whitelisted.


      -- Device Manager: Disabled ----------------------------------------------------

      No disabled devices found.


      -- Files created between 2008-02-10 and 2008-03-10 -----------------------------

      2008-03-10 16:19:44 0 d-------- C:\RVAXO
      2008-03-10 09:15:02 719362 --a------ C:\WINDOWS\system32\RVAXO.bat
      2008-03-10 09:15:02 16384 --a------ C:\WINDOWS\system32\Restart.exe <Not Verified; WareSoft Software; restart>
      2008-03-10 09:15:02 69632 --a------ C:\WINDOWS\system32\remove.exe
      2008-02-29 15:38:50 44878 --a------ C:\WINDOWS\system32\msvcrtd.exe
      2008-02-29 15:38:34 3584 --a------ C:\nnpnvxjy.exe
      2008-02-29 15:38:03 44878 --a------ C:\alfxfa.exe
      2008-02-29 15:37:53 6144 --a------ C:\qklxwxtc.exe
      2008-02-29 15:37:53 300400 --a------ C:\kl.exe
      2008-02-29 15:37:46 7168 --a------ C:\Documents and Settings\dkelde\lgehpq.exe
      2008-02-28 13:09:34 132608 --a------ C:\WINDOWS\system32\drivers\Rbjk35.sys
      2008-02-28 13:09:01 7168 --a------ C:\Documents and Settings\dkelde\bykqgs.exe
      2008-02-28 12:44:50 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
      2008-02-28 12:27:30 2 --a------ C:\1424262446
      2008-02-28 12:27:28 132608 --a------ C:\WINDOWS\system32\drivers\Oxyc67.sys
      2008-02-28 12:27:17 7168 --a------ C:\Documents and Settings\dkelde\kxclka.exe
      2008-02-28 12:24:58 630784 --a------ C:\Documents and Settings\dkelde\GoToAssist_chat2way__317_en.exe <Not Verified; Citrix Online; GoToAssist>
      2008-02-28 11:10:09 0 d-------- C:\WINDOWS\pss
      2008-02-28 10:37:24 132608 --a------ C:\WINDOWS\system32\drivers\Qhgp44.sys
      2008-02-28 10:37:07 7168 --a------ C:\Documents and Settings\dkelde\rkmbna.exe
      2008-02-28 10:31:59 0 d-------- C:\Program Files\Sotfone
      2008-02-28 10:31:53 102400 --a------ C:\WINDOWS\fkxvkns.exe
      2008-02-28 10:31:53 245760 --a------ C:\WINDOWS\alofkmn.dll <Not Verified; ; alofkmn>
      2008-02-28 10:31:01 47 --a------ C:\tmp.bat
      2008-02-28 10:28:52 7168 --a------ C:\Documents and Settings\dkelde\ilyvsp.exe
      2008-02-28 10:27:53 58368 --a------ C:\famwssg.exe
      2008-02-28 10:27:43 7168 --a------ C:\WINDOWS\system32\zmnavw.exe
      2008-02-28 10:24:39 0 d-------- C:\Program Files\Microsoft Silverlight
      2008-02-28 08:25:54 7168 --a------ C:\Documents and Settings\dkelde\ukceei.exe
      2008-02-27 19:29:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
      2008-02-27 19:17:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
      2008-02-27 19:16:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
      2008-02-27 14:17:29 0 d-------- C:\Documents and Settings\dkelde\.housecall6.6


      -- Find3M Report ---------------------------------------------------------------

      2008-02-28 12:28:20 34 --a------ C:\Documents and Settings\dkelde\Application Data\config.cfg
      2008-02-28 10:30:42 0 d-------- C:\Program Files\Windows Live
      2008-02-28 10:26:05 0 d-------- C:\Program Files\Common Files
      2008-02-21 07:49:40 0 d-------- C:\Documents and Settings\dkelde\Application Data\Adobe
      2008-01-17 10:07:14 0 d-------- C:\Documents and Settings\dkelde\Application Data\Sonic
      2008-01-17 10:06:27 0 d-------- C:\Documents and Settings\dkelde\Application Data\Leadertech
      2008-01-15 13:00:29 0 d-------- C:\Documents and Settings\dkelde\Application Data\CyberLink
      2008-01-15 11:11:40 0 d-------- C:\Documents and Settings\dkelde\Application Data\Ceedo


      -- Registry Dump ---------------------------------------------------------------

      *Note* empty entries & legit default entries are not shown


      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [14-01-2007 01:47]
      "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [14-01-2007 01:47]
      "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [14-01-2007 01:46]
      "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [03-08-2006 19:51]
      "Apoint"="C:\Program Files\Apoint\Apoint.exe" [07-10-2005 23:13]
      "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26-04-2004 09:04]
      "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [08-09-2005 06:20]
      "ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [27-07-2004 17:50]
      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25-09-2007 01:11]
      "MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [06-03-2007 17:25]
      "McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe" [18-05-2007 04:03]
      "ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [27-07-2004 17:50]

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 11:00]
      "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe"
      "GenMCLauncher"="C:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe"
      "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13-10-2004 17:24]

      [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
      "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
      Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23-9-2005 23:05:26]
      Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [16-6-2005 12:11:42]

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
      "NoDispScrSavPage"=0 (0x0)

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
      "NoSetActiveDesktop"=1 (0x1)

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
      "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
      @="Driver Group"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
      C:\Program Files\antiviirus.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
      rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flash Media]
      C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
      c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
      stsystra.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WintelUpdate]
      c:\grax.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "WMPNetworkSvc"=3 (0x3)
      "WLSetupSvc"=3 (0x3)
      "ose"=3 (0x3)
      "MDM"=2 (0x2)
      "McShield"=2 (0x2)
      "idsvc"=3 (0x3)
      "IDriverT"=3 (0x3)

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      bthsvcs BthServ


      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{028caca2-c33c-11dc-bc3c-00188bc4d4d2}]
      AutoRun\command- G:\Autorun.exe /run
      Shell00\Command- G:\Autorun.exe /run
      Shell01\Command- G:\Autorun.exe /action
      Shell02\Command- G:\Autorun.exe /uninstall




      -- End of Deckard's System Scanner: finished at 2008-03-10 16:31:41 ------------


      • #4
        You have/had quite a few rootkits; they caused the blue screens.

        Open a Notepad file.
        Copy the text below (everything in bold) into this Notepad file.

        @ECHO OFF
        IF EXIST log.txt DEL log.txt
        rd /s /q "C:\Program Files\Sotfone"
        sc delete hipsrv
        sc delete userinfo32
        sc delete {FF9BACB3-2B8E-45ba-9E68-B6720E5D81A3}
        ECHO Deleting files>>log.txt
        FOR %%g in (
        C:\WINDOWS\system32\msvcrtd.exe
        C:\nnpnvxjy.exe
        C:\alfxfa.exe
        C:\qklxwxtc.exe
        C:\kl.exe
        "C:\Documents and Settings\dkelde\lgehpq.exe"
        C:\WINDOWS\system32\drivers\Rbjk35.sys
        "C:\Documents and Settings\dkelde\bykqgs.exe"
        C:\1424262446
        C:\WINDOWS\system32\drivers\Oxyc67.sys
        "C:\Documents and Settings\dkelde\kxclka.exe"
        "C:\Documents and Settings\dkelde\GoToAssist_chat2way__317_en.exe"
        C:\WINDOWS\system32\drivers\Qhgp44.sys
        "C:\Documents and Settings\dkelde\rkmbna.exe"
        "C:\Program Files\Sotfone"
        C:\WINDOWS\fkxvkns.exe
        C:\WINDOWS\alofkmn.dll
        C:\tmp.bat
        "C:\Documents and Settings\dkelde\ilyvsp.exe"
        C:\famwssg.exe
        C:\WINDOWS\system32\zmnavw.exe
        "C:\Documents and Settings\dkelde\ukceei.exe") DO (
        IF EXIST %%g (
        ATTRIB -r -s -h %%g
        DEL %%g
        IF EXIST %%g (
        ECHO %%g not deleted>>log.txt
        ) ELSE (
        ECHO %%g deleted>>log.txt)
        ) ELSE (
        ECHO %%g not found>>log.txt))
        START NOTEPAD.EXE log.txt

        Go to File - Save As.
        Under "Save in" choose: Desktop
        Under "File name" enter: del.bat
        Under "Save as type" select: All Files (*.*).
        Click the Save button.

        Double-click del.bat and post the contents of the log file that opens.


        • #5
          Yikes... No idea what those kinds of things are, bootkit-cats or whatever, but it sure was a nuisance.

          The del.bat log:

          Deleting files
          C:\WINDOWS\system32\msvcrtd.exe deleted
          C:\nnpnvxjy.exe deleted
          C:\alfxfa.exe deleted
          C:\qklxwxtc.exe deleted
          C:\kl.exe deleted
          "C:\Documents and Settings\dkelde\lgehpq.exe" deleted
          C:\WINDOWS\system32\drivers\Rbjk35.sys deleted
          "C:\Documents and Settings\dkelde\bykqgs.exe" deleted
          C:\1424262446 deleted
          C:\WINDOWS\system32\drivers\Oxyc67.sys deleted
          "C:\Documents and Settings\dkelde\kxclka.exe" deleted
          "C:\Documents and Settings\dkelde\GoToAssist_chat2way__317_en.exe" deleted
          C:\WINDOWS\system32\drivers\Qhgp44.sys deleted
          "C:\Documents and Settings\dkelde\rkmbna.exe" deleted
          "C:\Program Files\Sotfone" not found
          C:\WINDOWS\fkxvkns.exe deleted
          C:\WINDOWS\alofkmn.dll deleted
          C:\tmp.bat deleted
          "C:\Documents and Settings\dkelde\ilyvsp.exe" deleted
          C:\famwssg.exe deleted
          C:\WINDOWS\system32\zmnavw.exe deleted
          "C:\Documents and Settings\dkelde\ukceei.exe" deleted


          • #6
            Post a new log from Deckard's System Scanner.


            • #7
              And Deckard's System Scanner v20071014.68
              Run by dkelde on 2008-03-10 17:25:51
              Computer is in Normal Mode.
              --------------------------------------------------------------------------------

              Total Physical Memory: 503 MiB (512 MiB recommended).


              -- HijackThis (run as dkelde.exe) ----------------------------------------------

              Unable to find log (file not found); running clone.
              -- HijackThis Clone ------------------------------------------------------------


              Emulating logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 2008-03-10 17:26:56
              Platform: Windows XP Service Pack 2 (5.01.2600)
              MSIE: Internet Explorer (7.00.6000.16608)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\system32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\explorer.exe
              C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
              C:\WINDOWS\system32\hkcmd.exe
              C:\WINDOWS\system32\igfxpers.exe
              C:\WINDOWS\system32\igfxsrvc.exe
              C:\Program Files\Dell\QuickSet\quickset.exe
              C:\Program Files\Apoint\Apoint.exe
              C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
              C:\WINDOWS\system32\DLA\DLACTRLW.EXE
              C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
              C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\Messenger\msmsgs.exe
              C:\Program Files\Apoint\hidfind.exe
              C:\Program Files\Apoint\ApntEx.exe
              C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
              C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
              C:\WINDOWS\system32\notepad.exe
              C:\Documents and Settings\dkelde\Desktop\dss.exe
              D:\My Documents\dkelde.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://workspace.celerant.cc/
              R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
              O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
              O3 - Toolbar: ekvgsnw - {474928DE-BC0F-4637-ADC1-C6DD2D1161D7} - C:\WINDOWS\ekvgsnw.dll (file missing)
              O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
              O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
              O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
              O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
              O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
              O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
              O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
              O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
              O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
              O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
              O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
              O4 - HKCU\..\Run: [GenMCLauncher] "C:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe"
              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
              O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
              O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
              O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
              O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
              O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
              O4 - Global Startup: Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O15 - ProtocolDefaults: Unknown 'myui' protocol is in Trusted Zone (HKLM)
              O15 - ProtocolDefaults: Unknown 'myrm' protocol is in Trusted Zone (HKLM)
              O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
              O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc4.cab
              O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
              O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wireoneemea.webex.com/client/T23L/webex/ieatgpc.cab
              O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} () - https://content101.mc.iconf.net/gcc_installer/webtour/astbrowserquery.cab
              O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
              O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
              O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
              O18 - Protocol: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.5.1.191.dll
              O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
              O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
              O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe


              --
              End of file - 7571 bytes

              -- Files created between 2008-02-10 and 2008-03-10 -----------------------------

              2008-03-10 16:19:44 0 d-------- C:\RVAXO
              2008-03-10 09:15:02 719362 --a------ C:\WINDOWS\system32\RVAXO.bat
              2008-03-10 09:15:02 16384 --a------ C:\WINDOWS\system32\Restart.exe <Not Verified; WareSoft Software; restart>
              2008-03-10 09:15:02 69632 --a------ C:\WINDOWS\system32\remove.exe
              2008-02-28 12:44:50 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
              2008-02-28 11:10:09 0 d-------- C:\WINDOWS\pss
              2008-02-28 10:24:39 0 d-------- C:\Program Files\Microsoft Silverlight
              2008-02-27 19:29:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
              2008-02-27 19:17:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
              2008-02-27 19:16:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
              2008-02-27 14:17:29 0 d-------- C:\Documents and Settings\dkelde\.housecall6.6


              -- Find3M Report ---------------------------------------------------------------

              2008-02-28 12:28:20 34 --a------ C:\Documents and Settings\dkelde\Application Data\config.cfg
              2008-02-28 10:30:42 0 d-------- C:\Program Files\Windows Live
              2008-02-28 10:26:05 0 d-------- C:\Program Files\Common Files
              2008-02-21 07:49:40 0 d-------- C:\Documents and Settings\dkelde\Application Data\Adobe
              2008-01-17 10:07:14 0 d-------- C:\Documents and Settings\dkelde\Application Data\Sonic
              2008-01-17 10:06:27 0 d-------- C:\Documents and Settings\dkelde\Application Data\Leadertech
              2008-01-15 13:00:29 0 d-------- C:\Documents and Settings\dkelde\Application Data\CyberLink
              2008-01-15 11:11:40 0 d-------- C:\Documents and Settings\dkelde\Application Data\Ceedo


              -- Registry Dump ---------------------------------------------------------------

              *Note* empty entries & legit default entries are not shown


              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [14-01-2007 01:47]
              "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [14-01-2007 01:47]
              "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [14-01-2007 01:46]
              "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [03-08-2006 19:51]
              "Apoint"="C:\Program Files\Apoint\Apoint.exe" [07-10-2005 23:13]
              "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26-04-2004 09:04]
              "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [08-09-2005 06:20]
              "ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [27-07-2004 17:50]
              "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25-09-2007 01:11]
              "MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [06-03-2007 17:25]
              "McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe" [18-05-2007 04:03]
              "ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [27-07-2004 17:50]

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 11:00]
              "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe"
              "GenMCLauncher"="C:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe"
              "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13-10-2004 17:24]

              [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
              "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

              C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
              Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23-9-2005 23:05:26]
              Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [16-6-2005 12:11:42]

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
              "NoDispScrSavPage"=0 (0x0)

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
              "NoSetActiveDesktop"=1 (0x1)

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
              "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe"

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
              @="Driver Group"

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
              C:\Program Files\antiviirus.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
              rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flash Media]
              C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
              c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
              stsystra.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WintelUpdate]
              c:\grax.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
              "WMPNetworkSvc"=3 (0x3)
              "WLSetupSvc"=3 (0x3)
              "ose"=3 (0x3)
              "MDM"=2 (0x2)
              "McShield"=2 (0x2)
              "idsvc"=3 (0x3)
              "IDriverT"=3 (0x3)

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              bthsvcs BthServ


              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{028caca2-c33c-11dc-bc3c-00188bc4d4d2}]
              AutoRun\command- G:\Autorun.exe /run
              Shell00\Command- G:\Autorun.exe /run
              Shell01\Command- G:\Autorun.exe /action
              Shell02\Command- G:\Autorun.exe /uninstall




              -- End of Deckard's System Scanner: finished at 2008-03-10 17:27:18 ------------

              here it comes:


              • #8
                1) Open a Notepad file.
                2) Copy the code below into this Notepad file.
                3) Go to File - Save As.
                -Under "Save in" choose: Desktop
                -Under "File name" enter: fix.reg
                -Under "Save as type" select: All Files (*.*).
                -Click the Save button.
                Code:
                REGEDIT4
                
                [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
                [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flash Media]
                [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WintelUpdate]
                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
                "Userinit"=""
                4) Double-click the fix.reg file and allow the changes to be added to the registry.


                Start HijackThis once more and tick only the following lines:
                O3 - Toolbar: ekvgsnw - {474928DE-BC0F-4637-ADC1-C6DD2D1161D7} - C:\WINDOWS\ekvgsnw.dll (file missing)
                O15 - ProtocolDefaults: Unknown 'myui' protocol is in Trusted Zone (HKLM)
                O15 - ProtocolDefaults: Unknown 'myrm' protocol is in Trusted Zone (HKLM)

                Close all open windows (except HijackThis), then click "Fix checked" and close HijackThis.

                Open the RVAXO folder on your desktop and double-click Uninstall.cmd
                This will remove everything belonging to RVAXO.

                Your Java software is out of date.
                Older versions have holes that give malware the chance to install itself on your system.
                First follow these steps to uninstall Java and install the newer version:
                • Download Java Runtime Environment (JRE) 6u5 and save it to your Desktop.
                • Close all programs that may be open - especially your web browser!
                • Then go to Start > Control Panel > Add or Remove Programs and remove all older versions of Java from the list.
                • Check everything with Java Runtime Environment (JRE or J2SE) in its name.
                • Then click Remove or the Change/Remove button.
                • Repeat this until all older versions are gone.
                • After removing all older versions, restart your PC.
                • Then double-click jre-6u5-windows-i586-p-s.exe on your Desktop to install the latest version of Java.


                Download ATF Cleaner (mirror) (made by Atribune)

                Important: Close all your browser windows (IE and/or Firefox and/or Opera) so the tool can do its job properly.

                Double-click ATF Cleaner to start the program.
                On the "Main" tab, put a check mark next to Select All.
                Click the Empty Selected button.

                Do the following if you also have Firefox as a browser:
                Click the "Firefox" tab and put a check mark next to Select All.
                If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
                (this removes the check mark next to "Firefox saved passwords" again)
                Click the Empty Selected button.

                Do the following if you also have Opera as a browser:
                Click the "Opera" tab and put a check mark next to Select All.
                If you want to keep the passwords saved by Opera, click "No" in the window that appears.
                Click the Empty Selected button.
                Go to the "Main" tab and click the Exit button to close the program.

                Turn off System Restore. Restart the computer. Turn System Restore back on.
                See here for how to turn off System Restore.
                This removes any remnants of the infections from your System Restore.

                Finally, post a new HijackThis log so it can be checked.
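The fix.reg and "Fix checked" instructions above are driven by a handful of patterns in the posted logs: a Userinit value that launches a second program out of a Temp folder, an O3 toolbar whose DLL is missing, O4 Run entries started from Temp or the drive root, and unknown protocols in the Trusted Zone. The following is an added example, not part of the thread and not HijackThis's own code, that reads HijackThis-format log lines and flags those entry types; the regexes, thresholds and function names are this example's own heuristics, and the sample lines are copied from the logs posted earlier in this thread.

```python
"""Flag the HijackThis log entries that the fix steps above act on.

Added example, not part of the forum thread and not HijackThis's own code.  It
reads HJT-format log lines and reports the patterns behind the fix.reg and
"Fix checked" steps: a UserInit value that launches anything besides
userinit.exe, O4 Run entries started from a Temp folder or the drive root or
carrying a long opaque argument, O2/O3 browser add-ons whose file is missing,
and O15 unknown protocols placed in the Trusted Zone.  The thresholds and
regexes are this example's own heuristics.
"""
import re
from typing import List, Tuple

# Sample input, copied from the HJT/DSS logs posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://workspace.celerant.cc/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ekvgsnw - {474928DE-BC0F-4637-ADC1-C6DD2D1161D7} - C:\WINDOWS\ekvgsnw.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1423.exe 61A847B5BBF7281336993B466188719AB689201522886B092CBD44BD8689220221DD3257
O15 - ProtocolDefaults: Unknown 'myui' protocol is in Trusted Zone (HKLM)
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
""".strip()

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)                    # launched out of a Temp folder
ROOT_RE = re.compile(r"^[A-Z]:\\[^\\]+\.(?:exe|dll|bat|sys)$", re.IGNORECASE)  # file in the drive root
HEX_ARG_RE = re.compile(r"\s[0-9A-F]{32,}$")                        # long opaque argument (runner1 entry)


def _executable(cmd: str) -> str:
    """Return the program path from an O4 command line, with or without quotes."""
    if cmd.startswith('"'):
        return cmd.split('" ', 1)[0].strip('"')
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every log line that matches one of the heuristics."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prefix = line.split(" ", 1)[0]
        if prefix == "F2" and "UserInit=" in line:
            programs = [p.strip() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            extras = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
            if extras:
                findings.append((line, "UserInit launches extra program(s): " + ", ".join(extras)))
        elif prefix in ("O2", "O3") and line.endswith("(file missing)"):
            findings.append((line, "browser add-on points at a missing file"))
        elif prefix == "O4":
            match = O4_RE.match(line)
            if not match:
                continue  # Global Startup .lnk entries have no [name] part
            cmd = match.group("cmd")
            exe = _executable(cmd)
            if TEMP_RE.search(exe):
                reason = "autorun entry launched from a Temp folder"
            elif ROOT_RE.match(exe):
                reason = "autorun entry launched from the drive root"
            elif HEX_ARG_RE.search(cmd):
                reason = "autorun entry with a long opaque argument"
            else:
                continue
            findings.append((line, reason))
        elif prefix == "O15" and "Unknown" in line and "Trusted Zone" in line:
            findings.append((line, "unknown protocol placed in the Trusted Zone"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run against the sample it reports five entries and stays quiet on the vendor Run keys and the McAfee service. The UserInit check is the one worth keeping even outside this thread: Winlogon runs every comma-separated program in that value before the shell, so anything beyond userinit.exe there survives most per-user cleanups and is what kept re-launching services.exe from Temp in the logs above.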


                • #9
                  Phew, quite an operation, but I did what you said. The log is below. I do still have a few small problems:

                  McAfee has been turned off, but I can't open the program to turn it back on.

                  I also keep getting the dreaded blue screen, after turning off System Restore and restarting, with the error message:

                  DRIVER_IRQL_NOT_LESS_OR_EQUAL
                  0x000000D1 (0x000000000, 0x00000002, 0x00000000, 0xF7194B2A)
                  psched.sys

                  (I looked this up on the internet and most of the hints pointed to the driver of a certain mouse. However, I did not use the mouse today and did everything in Safe Mode (except Deckard, because it does not run in Safe Mode))

                  Just now, after running the log posted below, the blue screen again. No mouse.

                  Before I posted the virus problem and the log, an IT expert from Numico kindly spent some time on it (a good contact from the smoking room) and he changed a number of startup entries via msconfig. I just have no idea which ones.

                  What we can conclude is that the virus is gone.

                  10,000 x thanks,

                  Danielle

                  Logfile of HijackThis v1.99.1
                  Scan saved at 16:49:09, on 11-3-2008
                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v7.00 (7.00.6000.16608)

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\system32\hkcmd.exe
                  C:\WINDOWS\system32\igfxpers.exe
                  C:\Program Files\Dell\QuickSet\quickset.exe
                  C:\WINDOWS\system32\igfxsrvc.exe
                  C:\Program Files\Apoint\Apoint.exe
                  C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
                  C:\WINDOWS\System32\DLA\DLACTRLW.EXE
                  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
                  C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
                  C:\WINDOWS\mrofinu1423.exe
                  C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\Messenger\msmsgs.exe
                  C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                  C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
                  C:\Program Files\Apoint\Apntex.exe
                  C:\Program Files\Apoint\HidFind.exe
                  C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
                  C:\WINDOWS\system32\wuauclt.exe
                  D:\My Documents\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://workspace.celerant.cc/
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
                  F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
                  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
                  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
                  O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
                  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
                  O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
                  O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
                  O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
                  O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
                  O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
                  O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
                  O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
                  O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
                  O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
                  O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
                  O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1423.exe 61A847B5BBF7281336993B466188719AB689201522886B092CBD44BD8689220221DD3257
                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
                  O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
                  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                  O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
                  O4 - HKCU\..\Run: [GenMCLauncher] "C:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe"
                  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                  O4 - Global Startup: Bluetooth Manager.lnk = ?
                  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
                  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
                  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O11 - Options group: [INTERNATIONAL] International*
                  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                  O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wireoneemea.webex.com/client/T23L/webex/ieatgpc.cab
                  O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} - https://content101.mc.iconf.net/gcc_installer/webtour/astbrowserquery.cab
                  O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.5.1.191.dll
                  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
                  O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                  O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
                  O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe


                  • #10
                    Remove these lines too with HijackThis:
                    O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
                    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1423.exe 61A847B5BBF7281336993B466188719AB689201522886B092CBD44BD8689220221DD3257
                    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


                    After restarting the computer, post a new HijackThis log.


                    • #11
                      It didn't find that last O4, which was also the case the first time with HJT after the reg fixes. Then it didn't find the two O15 keys either.

                      I also got a blue screen again on restart, this time with the error message BAD_POOL_HEADER.

                      Anyway, rebooted, and this is the log:

                      Logfile of HijackThis v1.99.1
                      Scan saved at 17:34:44, on 11-3-2008
                      Platform: Windows XP SP2 (WinNT 5.01.2600)
                      MSIE: Internet Explorer v7.00 (7.00.6000.16608)

                      Running processes:
                      C:\WINDOWS\System32\smss.exe
                      C:\WINDOWS\system32\winlogon.exe
                      C:\WINDOWS\system32\services.exe
                      C:\WINDOWS\system32\lsass.exe
                      C:\WINDOWS\system32\svchost.exe
                      C:\WINDOWS\System32\svchost.exe
                      C:\WINDOWS\system32\spoolsv.exe
                      C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
                      C:\WINDOWS\system32\wuauclt.exe
                      C:\WINDOWS\Explorer.EXE
                      C:\WINDOWS\system32\hkcmd.exe
                      C:\WINDOWS\system32\igfxpers.exe
                      C:\Program Files\Dell\QuickSet\quickset.exe
                      C:\WINDOWS\system32\igfxsrvc.exe
                      C:\Program Files\Apoint\Apoint.exe
                      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
                      C:\WINDOWS\System32\DLA\DLACTRLW.EXE
                      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
                      C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
                      C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
                      C:\Program Files\Apoint\HidFind.exe
                      C:\Program Files\Apoint\Apntex.exe
                      C:\WINDOWS\system32\ctfmon.exe
                      C:\Program Files\Messenger\msmsgs.exe
                      C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                      C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
                      D:\My Documents\HijackThis.exe

                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://workspace.celerant.cc/
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
                      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
                      O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
                      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
                      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
                      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
                      O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
                      O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
                      O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
                      O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
                      O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
                      O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
                      O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
                      O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
                      O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
                      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
                      O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
                      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                      O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
                      O4 - HKCU\..\Run: [GenMCLauncher] "C:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe"
                      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                      O4 - Global Startup: Bluetooth Manager.lnk = ?
                      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
                      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
                      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
                      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
                      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                      O11 - Options group: [INTERNATIONAL] International*
                      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                      O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wireoneemea.webex.com/client/T23L/webex/ieatgpc.cab
                      O16 - DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} - https://content101.mc.iconf.net/gcc_installer/webtour/astbrowserquery.cab
                      O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.5.1.191.dll
                      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
                      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
                      O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe



                      • #12
                        This one is still there:
                        O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe

                        Download Malwarebytes' Anti-Malware to your desktop.
                        Double-click mbam-setup.exe and choose "Next" to install the tool.
                        When the installation is complete, tick the boxes for "Update MalwareBytes' Anti-Malware" and "Launch MalwareBytes' Anti-Malware".
                        Then click "Finish".
                        In the main window choose the "Scanner" tab and select the "Perform full scan" radio button.
                        Click the "Scan" button and make sure all your hard drives/partitions are ticked.
                        Then click the "Start Scan" button.
                        When the scan is complete, click OK, then "Show Results" to view the results.
                        Make sure everything is ticked, then click "Remove Selected".
                        If the program wants to restart your computer, allow it.
                        A log will then open (mbam-log-XX-XX-XXXX(xx-xx-xx).txt).
                        Post this log in your next message.
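Added example, not part of the thread or of HijackThis: a small triage script that applies the reasoning the helper used in posts #10 and #12 to HijackThis O4 and F2 lines, flagging autoruns that start from a Temp directory, borrow a core system process name outside System32, carry a long opaque hex argument, or add an extra program to the Winlogon Userinit value. The sample log is constructed from the entries in this thread.

```python
import re

# Constructed sample, modelled on the HijackThis lines in this thread
# (a few benign entries mixed with the entries the helper asked to remove).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://workspace.celerant.cc/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\dkelde\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1423.exe 61A847B5BBF7281336993B466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"""

# Core Windows process names that malware likes to borrow; the legitimate
# copies live in System32, so the same name anywhere else is suspicious.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "smss.exe",
                "csrss.exe", "winlogon.exe"}
O4_RE = re.compile(r"^O4 - \S+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$", re.I)


def split_command(cmd):
    """Split an autorun command line into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args follow
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", cmd, re.I)
    if m:                                        # unquoted path, cut at .exe
        return m.group(1), m.group(2) or ""
    parts = cmd.split(None, 1)                   # no .exe: first token is the path
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(log_text):
    """Return (entry name, reason) pairs for autorun lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            # Userinit normally holds exactly one program: system32\userinit.exe.
            for prog in filter(None, (p.strip() for p in m["value"].split(","))):
                if not prog.lower().endswith(r"\system32\userinit.exe"):
                    findings.append(("UserInit", f"extra UserInit program: {prog}"))
        elif m := O4_RE.match(line):
            path, args = split_command(m["cmd"])
            low = path.lower()
            if "\\temp\\" in low:
                findings.append((m["name"], f"autorun from a Temp directory: {path}"))
            if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\system32\\" not in low:
                findings.append((m["name"], f"system process name outside System32: {path}"))
            if re.fullmatch(r"[0-9a-f]{32,}", args, re.I):
                findings.append((m["name"], f"long opaque hex argument: {args[:16]}..."))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"[{name}] {reason}")
```

Run against the sample it reports the UserInit hijack, the two reasons for the [Flash Media] entry and the hex argument of [runner1], while the Intel, ctfmon, dumprep and PowerDVD entries pass.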



                        • #13
                          Yes, I saw it; it's gone now. That little program found a number of problems, which I fixed.

                          Here is the log:

                          Malwarebytes' Anti-Malware 1.08
                          Database version: 480

                          Scan type: Full Scan (C:\|D:\|F:\|)
                          Objects scanned: 70374
                          Time elapsed: 10 minute(s), 55 second(s)

                          Memory Processes Infected: 0
                          Memory Modules Infected: 0
                          Registry Keys Infected: 18
                          Registry Values Infected: 0
                          Registry Data Items Infected: 1
                          Folders Infected: 1
                          Files Infected: 10

                          Memory Processes Infected:
                          (No malicious items detected)

                          Memory Modules Infected:
                          (No malicious items detected)

                          Registry Keys Infected:
                          HKEY_CLASSES_ROOT\Interface\{3e6201fa-02dd-4a0b-8699-1328e0602314} (Trojan.Downloader) -> Quarantined and deleted successfully.
                          HKEY_CLASSES_ROOT\Typelib\{df16c60e-f85b-4459-86ae-4977656339ec} (Trojan.Downloader) -> Quarantined and deleted successfully.
                          HKEY_CLASSES_ROOT\Interface\{0425aef2-d6bd-4535-a539-4945d6c79e68} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                          HKEY_CLASSES_ROOT\Typelib\{d6f56b8f-c0f4-4858-b34d-75c08c8e3283} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                          HKEY_CLASSES_ROOT\CLSID\{24e31ea9-fce2-404f-bd80-20543565d946} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                          HKEY_CLASSES_ROOT\windowsupdate.windowsupdate (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                          HKEY_CLASSES_ROOT\windowsupdate.windowsupdate.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\infoxmid (Rootkit.Agent) -> Quarantined and deleted successfully.
                          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\infoxmid (Rootkit.Agent) -> Quarantined and deleted successfully.
                          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\infoxmid (Rootkit.Agent) -> Quarantined and deleted successfully.
                          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UninstallSXS (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                          HKEY_CURRENT_USER\Software\ssnipe (Rogue.SpySnipe) -> Quarantined and deleted successfully.
                          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550o (Rootkit.Agent) -> Quarantined and deleted successfully.
                          HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
                          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ekvgsnw.btks (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ekvgsnw.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts (Trojan.Downloader) -> Quarantined and deleted successfully.
                          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

                          Registry Values Infected:
                          (No malicious items detected)

                          Registry Data Items Infected:
                          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Heuristic.Reserved.Word.Exploit) -> Data: c:\docume~1\dkelde\locals~1\temp\services.exe -> Delete on reboot.

                          Folders Infected:
                          C:\WINDOWS\system32\x64 (Trojan.Downloader) -> Quarantined and deleted successfully.

                          Files Infected:
                          C:\Deckard\System Scanner\20080310162852\backup\WINDOWS\temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
                          C:\Deckard\System Scanner\20080310172551\backup\WINDOWS\temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
                          C:\System Volume Information\_restore{E2E76D35-FEC6-42EE-B2C4-7DBE323165F5}\RP1\A0000002.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
                          C:\WINDOWS\mrofinu1423.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
                          C:\WINDOWS\mrofinu1423.exe.tmp (Trojan.DownLoader) -> Quarantined and deleted successfully.
                          C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
                          C:\WINDOWS\inf\wseqnx.inf (Rootkit.Agent) -> Quarantined and deleted successfully.
                          C:\WINDOWS\system32\drivers\symavc32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
                          C:\Documents and Settings\dkelde\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
                          C:\Documents and Settings\dkelde\Local Settings\Temp\services.exe (Heuristic.Reserved.Word.Exploit) -> Delete on reboot.
                          Last edited by Bofelfje; 12-03-08, 11:14.



                          • #14
                            How are the problems now?



                            • #15
                              Hi! Status: the virus is gone. Yay!!! I do still get blue screens as soon as I plug in a mouse or a network cable (actually we all work on wifi here, but when that is down we plug a cable into the laptop and the phone and we're back online). I'm now working in safe mode with networking, because the internet won't start in normal mode and in normal mode I get the blue screens (driver-irql-not-equal blah blah). Would you know what causes that?

                              It was downloading some Microsoft updates, of which 2 had failed. When I have a moment later, I'll swing by their update website and check whether I have all the updates...

                              May I thank you very, very much for your help with this? If I were you, I'd apply for a job at Navisite (the bunglers), then they'd finally have some expertise in house

                              Danielle
