Download: RVAXO.exe

• Sla het bestand op je bureaublad op, dubbelklik het en kies voor "Unzip" om het uit te pakken.
• Open nu de map RVAXO op je bureaublad en dubbeklik RunMe.cmd
  Er zal een cmd-schermpje openen, daarin zullen snel enkele regels over niet gevonden bestanden voorbijkomen, dit is normaal.
• Mogelijk start er ook een uninstaller van een rogue scanner op, sluit deze niet af maar volg eventuele aanwijzingen en laat deze gewoon zijn werk doen.
  
• Daarna zal je PC herstarten, na de herstart opent het cmd-venster van RVAXO opnieuw.
  Laat deze lopen en wacht tot er een logfile opent: C:\RVAXO-results.log
• Herstart je computer niet vanzelf, of start de tool niet na de reboot, doe dit dan handmatig.
• Post de inhoud van de logfile in je volgende bericht.

Download Combofix (mirror) naar je Bureaublad.
Dubbelklik op Combofix.exe
Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.
Wanneer de fix voltooid is en na herstart, zal de log combofix.txt openen(je kan hem ook hier vinden: C:\Combofix.txt)
Plaats deze log in je volgende post.

NOTA: Indien je virusscanner reageert met een melding van een scriptuitvoering, mag je dit negeren.

---RVAXO.exe Updated: 2008-03-01---first run---
Uninstallers:

Files found:
C:\WINDOWS\system32\Jfs9jg.dll
C:\WINDOWS\system32\Fsd9mk4g.dll
C:\WINDOWS\system32\Fsd9mk4g.dll
C:\WINDOWS\system32\winlig32.dll
C:\WINDOWS\system32\winydp32.dll
C:\WINDOWS\system32\drvsix.dll
C:\WINDOWS\mmall.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\winlagons.exe
C:\Documents and Settings\Administrator\ie_updates3r.exe
C:\WINDOWS\system32\Fsd9mk4g.dll
C:\WINDOWS\myalbum2007.zip
C:\EE.tmp
C:\F0.tmp
C:\F1.tmp
C:\F2.tmp
C:\F3.tmp
C:\F4.tmp
C:\F5.tmp
C:\F7.tmp
C:\F8.tmp
C:\FA.tmp
C:\FB.tmp
C:\FC.tmp

Folders Found:

Hosts-file was reset, If you use a custom hosts file please replace it...

Van combofix werkt de link niet.....

Probeer deze eens: Combofix.exe

Combofix-log:

ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Administrator\Bureaublad"

/wow section - STAGE #3

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\herjt374.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ICF


((((((((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 ))))))))))))))))))))))))))))))))))


2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-01 20:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
2008-03-01 20:08 <DIR> d-------- C:\WINDOWS\pss
2008-03-01 20:08 <DIR> d-------- C:\RVAXO
2008-03-01 20:07 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-03-01 20:07 69,632 --a------ C:\WINDOWS\system32\remove.exe
2008-03-01 20:07 49,152 --a------ C:\WINDOWS\system32\Vfind.exe
2008-03-01 20:07 139,776 --a------ C:\WINDOWS\system32\swreg.exe
2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 17:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 17:14 <DIR> d--hs---- C:\WINDOWS\CSC
2008-02-28 15:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
2008-02-28 15:18 7 --a------ C:\WINDOWS\system32\ngxt.bin
2008-02-28 15:15 8,432 --a------ C:\WINDOWS\system32\fprot.sys
2008-02-28 15:15 4 --a------ C:\WINDOWS\system32\hrpdcf.bin
2008-02-28 15:15 22,447 --a------ C:\WINDOWS\system32\mplink.dll
2008-02-28 15:15 0 --a------ C:\WINDOWS\system32\kl80.bin
2008-02-28 15:13 532,480 --a------ C:\WINDOWS\mm_tmpoc2.exe
2008-02-28 15:13 19,968 --a------ C:\WINDOWS\mmmega.exe
2008-02-28 15:12 19,968 --a------ C:\WINDOWS\mm_tmpmega.exe
2008-02-28 15:11 5,120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-02-28 15:11 5,120 --a------ C:\DOCUME~1\LOCALS~1\ftpdll.dll
2008-02-28 07:48 58,368 --a------ C:\tlmnmae.exe
2008-02-28 07:48 52,236 --a------ C:\qokc.exe
2008-02-28 07:48 5,754 --a------ C:\qgxo.exe
2008-02-28 07:48 172,032 --a------ C:\mbjuwp.exe
2008-02-28 07:47 73,727 --a------ C:\WINDOWS\system32\herjt414.exe
2008-02-28 07:46 58,368 --a------ C:\WINDOWS\system32\herjt427.exe
2008-02-23 00:00 <DIR> dr------- C:\DOCUME~1\LOCALS~1\Favorieten
2008-02-22 23:58 123,596 --a------ C:\WINDOWS\system32\herjt388.exe
2008-02-22 20:14 39,424 --a------ C:\WINDOWS\mmhr3.exe
2008-02-22 20:13 532,480 --a------ C:\WINDOWS\mmoc2.exe
2008-02-22 20:13 39,424 --a------ C:\WINDOWS\mm_tmphr3.exe
2008-02-22 20:10 25,202 --a------ C:\WINDOWS\system32\10167952ld.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-02-28 15:15 167936 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
2008-02-24 17:47 -------- d-------- C:\Program Files\msn messenger
2008-02-22 20:05 12800 --a------ C:\WINDOWS\system32\svchost.exe
2008-02-12 19:13 -------- d-------- C:\Program Files\limewire
2008-01-29 21:21 -------- d-------- C:\Program Files\pc wizard 2008
2007-12-14 11:32 12632 --a------ C:\WINDOWS\system32\lsdelete.exe
2007-12-03 22:51 64836 --a------ C:\WINDOWS\system32\perfc013.dat
2007-12-03 22:51 386792 --a------ C:\WINDOWS\system32\perfh013.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"XpDis0Conf"="C:\\PROGRA~1\\Belkin\\BELKIN~1\\Tool\\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=dword:00000002
"Google Online Search Service"=dword:00000002


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft all"="C:\\WINDOWS\\mmall.exe"
"autoload"="C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\cftmon.exe"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"jkdfj94kgdftdf"="C:\\WINDOWS\\TEMP\\winlogan.exe"
"Jnskdfmf9eldfd"="C:\\WINDOWS\\TEMP\\csrssc.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\pcmcia.sys 118784 bytes
C:\WINDOWS\system32\drivers\portcls.sys 135168 bytes
C:\WINDOWS\system32\drivers\processr.sys 36864 bytes
C:\WINDOWS\system32\drivers\psched.sys 69632 bytes
C:\WINDOWS\system32\drivers\ptilink.sys 20480 bytes
C:\WINDOWS\system32\drivers\PxHelp20.sys 45056 bytes
C:\WINDOWS\system32\drivers\rasacd.sys 12288 bytes
C:\WINDOWS\system32\drivers\rasl2tp.sys 49152 bytes
C:\WINDOWS\system32\drivers\raspppoe.sys 40960 bytes
C:\WINDOWS\system32\drivers\raspptp.sys 49152 bytes
C:\WINDOWS\system32\drivers\raspti.sys 20480 bytes
C:\WINDOWS\system32\drivers\rawwan.sys 36864 bytes
C:\WINDOWS\system32\drivers\rdbss.sys 163840 bytes
C:\WINDOWS\system32\drivers\rdpcdd.sys 8192 bytes
C:\WINDOWS\system32\drivers\rdpdr.sys 184320 bytes
C:\WINDOWS\system32\drivers\rdpwd.sys 110592 bytes
C:\WINDOWS\system32\drivers\redbook.sys 57344 bytes
C:\WINDOWS\system32\drivers\rio8drv.sys 12288 bytes
C:\WINDOWS\system32\drivers\riodrv.sys 12288 bytes
C:\WINDOWS\system32\drivers\RMCast.sys 200704 bytes
C:\WINDOWS\system32\drivers\rndismp.sys 28672 bytes
C:\WINDOWS\system32\drivers\rootmdm.sys 8192 bytes
C:\WINDOWS\system32\drivers\SCBaud.cpl 73728 bytes
C:\WINDOWS\system32\drivers\SCBaud.w9x 86016 bytes
C:\WINDOWS\system32\drivers\scsiport.sys 90112 bytes
C:\WINDOWS\system32\drivers\SCTB.VXD 8192 bytes
C:\WINDOWS\system32\drivers\SCTray.exe 40960 bytes
C:\WINDOWS\system32\drivers\secdrv.sys 28672 bytes
C:\WINDOWS\system32\drivers\serenum.sys 16384 bytes
C:\WINDOWS\system32\drivers\serial.sys 65536 bytes
C:\WINDOWS\system32\drivers\sfloppy.sys 12288 bytes
C:\WINDOWS\system32\drivers\sfmanm.sys 36864 bytes
C:\WINDOWS\system32\drivers\Sgl31.sys 167936 bytes
C:\WINDOWS\system32\drivers\symavc32.sys 167936 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 34

********************************************************************

Completion time: 08-03-03 22:18:23
C:\ComboFix-quarantined-files.txt ... 08-03-03 22:18

Open een kladblokbestand.
Kopieer onderstaande (alles wat vetgedrukt is) in dit kladblokbestand.


@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
C:\WINDOWS\system32\ngxt.bin
C:\WINDOWS\system32\fprot.sys
C:\WINDOWS\system32\hrpdcf.bin
C:\WINDOWS\system32\mplink.dll
C:\WINDOWS\system32\kl80.bin
C:\WINDOWS\mm_tmpoc2.exe
C:\WINDOWS\mmmega.exe
C:\WINDOWS\mm_tmpmega.exe
C:\WINDOWS\system32\ftpdll.dll
C:\DOCUME~1\LOCALS~1\ftpdll.dll
C:\tlmnmae.exe
C:\qokc.exe
C:\qgxo.exe
C:\mbjuwp.exe
C:\WINDOWS\system32\herjt414.exe
C:\WINDOWS\system32\herjt427.exe
C:\WINDOWS\system32\herjt388.exe
C:\WINDOWS\mmhr3.exe
C:\WINDOWS\mmoc2.exe
C:\WINDOWS\mm_tmphr3.exe
C:\WINDOWS\system32\10167952ld.exe
C:\WINDOWS\system32\drivers\symavc32.sys) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Ga naar Bestand - Opslaan als.
Bij "Opslaan in" kies je: Bureaublad
Bij "Bestandsnaam" zet je: del.bat
Bij "Opslaan als type" selecteer je: Alle bestanden (*.*).
Klik op de knop Opslaan.

Dubbelklik op del.bat en post de inhoud van de logfile die opent.

Post ook een nieuw logje van Combofix

Logfile:

Deleting files
C:\WINDOWS\system32\ngxt.bin deleted
C:\WINDOWS\system32\fprot.sys not deleted
C:\WINDOWS\system32\hrpdcf.bin deleted
C:\WINDOWS\system32\mplink.dll not deleted
C:\WINDOWS\system32\kl80.bin deleted
C:\WINDOWS\mm_tmpoc2.exe deleted
C:\WINDOWS\mmmega.exe deleted
C:\WINDOWS\mm_tmpmega.exe deleted
C:\WINDOWS\system32\ftpdll.dll deleted
C:\DOCUME~1\LOCALS~1\ftpdll.dll deleted
C:\tlmnmae.exe deleted
C:\qokc.exe deleted
C:\qgxo.exe deleted
C:\mbjuwp.exe deleted
C:\WINDOWS\system32\herjt414.exe deleted
C:\WINDOWS\system32\herjt427.exe deleted
C:\WINDOWS\system32\herjt388.exe deleted
C:\WINDOWS\mmhr3.exe deleted
C:\WINDOWS\mmoc2.exe deleted
C:\WINDOWS\mm_tmphr3.exe deleted
C:\WINDOWS\system32\10167952ld.exe deleted
C:\WINDOWS\system32\drivers\symavc32.sys not found


Combofix-log:

ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Administrator\Bureaublad"

/wow section - STAGE #3

((((((((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 ))))))))))))))))))))))))))))))))))


2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-01 20:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
2008-03-01 20:08 <DIR> d-------- C:\WINDOWS\pss
2008-03-01 20:08 <DIR> d-------- C:\RVAXO
2008-03-01 20:07 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-03-01 20:07 69,632 --a------ C:\WINDOWS\system32\remove.exe
2008-03-01 20:07 49,152 --a------ C:\WINDOWS\system32\Vfind.exe
2008-03-01 20:07 139,776 --a------ C:\WINDOWS\system32\swreg.exe
2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 17:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 17:14 <DIR> d--hs---- C:\WINDOWS\CSC
2008-02-28 15:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
2008-02-28 15:15 8,432 --a------ C:\WINDOWS\system32\fprot.sys
2008-02-28 15:15 22,447 --a------ C:\WINDOWS\system32\mplink.dll
2008-02-23 00:00 <DIR> dr------- C:\DOCUME~1\LOCALS~1\Favorieten


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-02-28 15:15 167936 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
2008-02-24 17:47 -------- d-------- C:\Program Files\msn messenger
2008-02-22 20:05 12800 --a------ C:\WINDOWS\system32\svchost.exe
2008-02-12 19:13 -------- d-------- C:\Program Files\limewire
2008-01-29 21:21 -------- d-------- C:\Program Files\pc wizard 2008
2007-12-14 11:32 12632 --a------ C:\WINDOWS\system32\lsdelete.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"XpDis0Conf"="C:\\PROGRA~1\\Belkin\\BELKIN~1\\Tool\\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=dword:00000002
"Google Online Search Service"=dword:00000002


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft all"="C:\\WINDOWS\\mmall.exe"
"autoload"="C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\cftmon.exe"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"jkdfj94kgdftdf"="C:\\WINDOWS\\TEMP\\winlogan.exe"
"Jnskdfmf9eldfd"="C:\\WINDOWS\\TEMP\\csrssc.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\pcmcia.sys 118784 bytes
C:\WINDOWS\system32\drivers\portcls.sys 135168 bytes
C:\WINDOWS\system32\drivers\processr.sys 36864 bytes
C:\WINDOWS\system32\drivers\psched.sys 69632 bytes
C:\WINDOWS\system32\drivers\ptilink.sys 20480 bytes
C:\WINDOWS\system32\drivers\PxHelp20.sys 45056 bytes
C:\WINDOWS\system32\drivers\rasacd.sys 12288 bytes
C:\WINDOWS\system32\drivers\rasl2tp.sys 49152 bytes
C:\WINDOWS\system32\drivers\raspppoe.sys 40960 bytes
C:\WINDOWS\system32\drivers\raspptp.sys 49152 bytes
C:\WINDOWS\system32\drivers\raspti.sys 20480 bytes
C:\WINDOWS\system32\drivers\rawwan.sys 36864 bytes
C:\WINDOWS\system32\drivers\rdbss.sys 163840 bytes
C:\WINDOWS\system32\drivers\rdpcdd.sys 8192 bytes
C:\WINDOWS\system32\drivers\rdpdr.sys 184320 bytes
C:\WINDOWS\system32\drivers\rdpwd.sys 110592 bytes
C:\WINDOWS\system32\drivers\redbook.sys 57344 bytes
C:\WINDOWS\system32\drivers\rio8drv.sys 12288 bytes
C:\WINDOWS\system32\drivers\riodrv.sys 12288 bytes
C:\WINDOWS\system32\drivers\RMCast.sys 200704 bytes
C:\WINDOWS\system32\drivers\rndismp.sys 28672 bytes
C:\WINDOWS\system32\drivers\rootmdm.sys 8192 bytes
C:\WINDOWS\system32\drivers\SCBaud.cpl 73728 bytes
C:\WINDOWS\system32\drivers\SCBaud.w9x 86016 bytes
C:\WINDOWS\system32\drivers\scsiport.sys 90112 bytes
C:\WINDOWS\system32\drivers\SCTB.VXD 8192 bytes
C:\WINDOWS\system32\drivers\SCTray.exe 40960 bytes
C:\WINDOWS\system32\drivers\secdrv.sys 28672 bytes
C:\WINDOWS\system32\drivers\serenum.sys 16384 bytes
C:\WINDOWS\system32\drivers\serial.sys 65536 bytes
C:\WINDOWS\system32\drivers\sfloppy.sys 12288 bytes
C:\WINDOWS\system32\drivers\sfmanm.sys 36864 bytes
C:\WINDOWS\system32\drivers\Sgl31.sys 167936 bytes
C:\WINDOWS\system32\drivers\symavc32.sys 167936 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 34

********************************************************************

Completion time: 08-03-05 19:20:05
C:\ComboFix-quarantined-files.txt ... 08-03-05 19:20
C:\ComboFix2.txt ... 08-03-03 22:18

Start de computer in veilige modus.

Open een kladblokbestand.
Kopieer onderstaande (alles wat vetgedrukt is) in dit kladblokbestand.


@ECHO OFF
IF EXIST log.txt DEL log.txt
ren C:\WINDOWS\system32\mplink.dll mplink.bak
ECHO Deleting files>>log.txt
FOR %%g in (
C:\WINDOWS\system32\fprot.sys
C:\WINDOWS\system32\drivers\Sgl31.sys
C:\WINDOWS\system32\mplink.dll
C:\WINDOWS\system32\mplink.bak
C:\WINDOWS\system32\drivers\symavc32.sys) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
remove C:\WINDOWS\system32\mplink.bak C:\RVAXO\mplink.bak
remove C:\WINDOWS\system32\mplink.dll C:\RVAXO\mplink.dll
START NOTEPAD.EXE log.txt

Ga naar Bestand - Opslaan als.
Bij "Opslaan in" kies je: Bureaublad
Bij "Bestandsnaam" zet je: del.bat
Bij "Opslaan als type" selecteer je: Alle bestanden (*.*).
Klik op de knop Opslaan.

Dubbelklik op del.bat en post de inhoud van de logfile die opent.


Bewaar de logfile.
Herstart naar normale modus en post het nieuwe logje.

Kijk nu ook even of je deze versie van Combofix downloaden kunt:


Zo ja, maak daar een logje mee en post dat in je volgende bericht

Logje:

Deleting files
C:\WINDOWS\system32\fprot.sys not deleted
C:\WINDOWS\system32\drivers\Sgl31.sys not found
C:\WINDOWS\system32\mplink.dll not found
C:\WINDOWS\system32\mplink.bak not deleted
C:\WINDOWS\system32\drivers\symavc32.sys not found

Nieuwe versie Combofix-log:

ComboFix 08-03-05.1 - Administrator 2008-03-05 22:49:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.31.1043.18.263 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Administrator\Bureaublad\ComboFix.exe

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.
ADS - svchost.exe: deleted 28160 bytes in 1 streams.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\WINDOWS\system\hipsrv.mm
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\NdisWon.sys
C:\WINDOWS\system32\drivers\symavc32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NDISWON
-------\LEGACY_SGL31
-------\LEGACY_SYMAVC32
-------\hipsrv


(((((((((((((((((((( Bestanden Gemaakt van 2008-02-05 to 2008-03-05 ))))))))))))))))))))))))))))))
.

2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-01 20:10 . 2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
2008-03-01 20:08 . 2008-03-05 22:43 <DIR> d-------- C:\RVAXO
2008-03-01 20:07 . 2008-03-01 19:49 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-03-01 20:07 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
2008-03-01 18:45 . 2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 18:19 . 2008-03-01 18:19 86 --a------ C:\WINDOWS\wininit.ini
2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 17:37 . 2008-02-24 02:13 409,841 --a------ C:\24022008277.jpg
2008-03-01 17:37 . 2008-02-24 02:14 394,897 --a------ C:\24022008278.jpg
2008-03-01 17:20 . 2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-28 15:15 . 2008-02-28 15:15 167,936 --a------ C:\WINDOWS\system32\drivers\Sgl31.sys
2008-02-28 15:15 . 2008-02-28 15:15 8,432 --a------ C:\WINDOWS\system32\fprot.sys
2008-02-28 15:14 . 2008-02-28 15:14 10,000 --a------ C:\WINDOWS\system32\badfile.rvaxo
2008-02-28 15:13 . 2008-03-01 16:35 4 --a------ C:\WINDOWS\c.pid
2008-02-28 15:11 . 2008-02-28 15:11 29 --a------ C:\WINDOWS\system32\uafgdqit.tmp
2008-02-23 00:00 . 2008-02-23 00:00 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten
2008-02-22 20:04 . 2008-03-01 16:37 44 --a------ C:\WINDOWS\system32\svchost.t__
2008-02-22 20:01 . 2008-03-01 16:38 311 --a------ C:\WINDOWS\system32\winlogans.tmp
2008-02-12 18:37 . 2008-02-12 18:37 24,576 --a------ C:\WINDOWS\system32\win32.bad

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 16:47 --------- d-----w C:\Program Files\MSN Messenger
2008-02-22 19:44 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-02-22 19:05 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-12 19:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-02-12 18:13 --------- d-----w C:\Program Files\LimeWire
2008-01-29 20:21 --------- d-----w C:\Program Files\PC Wizard 2008
2008-01-22 19:44 --------- d-----w C:\Program Files\Java
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3B010A1-A877-4CD7-BAB5-9EE8F9965E20}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 07:59 311296]
"XpDis0Conf"="C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 17:37 196608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]
"Microsoft all"="C:\WINDOWS\mmall.exe" [ ]
"jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" [ ]
"Jnskdfmf9eldfd"="C:\WINDOWS\TEMP\csrssc.exe" [ ]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-08-31 13:04:14 1196032]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink]
mplink.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32]
winlig32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"Google Online Search Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 fprot;FT StarForce Protector;C:\WINDOWS\System32\fprot.sys [2008-02-28 15:15]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS
S3 Usblink;Usblink Driver;C:\WINDOWS\System32\Drivers\ulink.sys [2003-03-07 18:51]
S4 Google Online Search Service;Google Online Search Service;C:\WINDOWS\System32\winlagons.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 22:53:54
Windows 5.1.2600 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\System32\devldr32.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\avtask.exe
.
**************************************************************************
.
Voltooingstijd: 2008-03-05 22:57:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-05 21:57:20
ComboFix2.txt 2008-03-05 18:20:05

Open Kladblok, kopiëer en plak het volgende (vetgedrukte tekst) in een leeg venster:


File::
C:\WINDOWS\wininit.ini
C:\24022008277.jpg
C:\24022008278.jpg
C:\WINDOWS\system32\drivers\Sgl31.sys
C:\WINDOWS\system32\fprot.sys
C:\WINDOWS\system32\badfile.rvaxo
C:\WINDOWS\c.pid
C:\WINDOWS\system32\uafgdqit.tmp
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\winlogans.tmp
C:\WINDOWS\system32\win32.bad

Driver::
Google Online Search Service
fprot

Folder::
C:\RVAXO

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3B010A1-A877-4CD7-BAB5-9EE8F9965E20}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft all"=-
"jkdfj94kgdftdf"=-
"Jnskdfmf9eldfd"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32]



Sla dit op op je Bureaublad als CFScript.txt

Sleep CFScript.txt in ComboFix.exe zoals getoond in onderstaand voorbeeld :



Dit zal ComboFix doen herstarten.
Start opnieuw op als daarom gevraagd wordt,
en post de inhoud van de Combofix.txt in je volgende antwoord.

ComboFix 08-03-05.1 - Administrator 2008-03-05 23:13:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.330 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Administrator\Bureaublad\Combofix.exe
Command switches used :: C:\Documents and Settings\Administrator\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::
C:\24022008277.jpg
C:\24022008278.jpg
C:\WINDOWS\c.pid
C:\WINDOWS\system32\badfile.rvaxo
C:\WINDOWS\system32\drivers\Sgl31.sys
C:\WINDOWS\system32\fprot.sys
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\uafgdqit.tmp
C:\WINDOWS\system32\win32.bad
C:\WINDOWS\system32\winlogans.tmp
C:\WINDOWS\wininit.ini
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\24022008277.jpg
C:\24022008278.jpg
C:\RVAXO
C:\RVAXO\1a.reg
C:\RVAXO\3a.reg
C:\RVAXO\Fsd9mk4g.dll
C:\RVAXO\ie_updates3r.exe
C:\RVAXO\mmall.exe
C:\RVAXO\mplink.bak
C:\RVAXO\myalbum2007.zip
C:\RVAXO\qmgr0.dat
C:\RVAXO\RVAXO3
C:\RVAXO\spools.exe
C:\RVAXO\ssodl.reg
C:\RVAXO\sts.reg
C:\RVAXO\winlagons.exe
C:\WINDOWS\c.pid
C:\WINDOWS\system32\badfile.rvaxo
C:\WINDOWS\system32\drivers\Sgl31.sys
C:\WINDOWS\system32\fprot.sys
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\uafgdqit.tmp
C:\WINDOWS\system32\win32.bad
C:\WINDOWS\system32\winlogans.tmp
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FPROT
-------\LEGACY_GOOGLE_ONLINE_SEARCH_SERVICE
-------\fprot
-------\Google Online Search Service


(((((((((((((((((((( Bestanden Gemaakt van 2008-02-05 to 2008-03-05 ))))))))))))))))))))))))))))))
.

2008-03-05 23:12 . 2008-03-05 23:14 53,248 --a------ C:\WINDOWS\PSEXESVC.EXE
2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-01 20:10 . 2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
2008-03-01 20:07 . 2008-03-01 19:49 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-03-01 20:07 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
2008-03-01 18:45 . 2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 17:20 . 2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 00:00 . 2008-02-23 00:00 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 16:47 --------- d-----w C:\Program Files\MSN Messenger
2008-02-22 19:44 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-02-22 19:05 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-12 19:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-02-12 18:13 --------- d-----w C:\Program Files\LimeWire
2008-01-29 20:21 --------- d-----w C:\Program Files\PC Wizard 2008
2008-01-22 19:44 --------- d-----w C:\Program Files\Java
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3B010A1-A877-4CD7-BAB5-9EE8F9965E20}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 07:59 311296]
"XpDis0Conf"="C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 17:37 196608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-08-31 13:04:14 1196032]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"Google Online Search Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS
S3 Usblink;Usblink Driver;C:\WINDOWS\System32\Drivers\ulink.sys [2003-03-07 18:51]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 23:18:07
Windows 5.1.2600 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\System32\devldr32.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Voltooingstijd: 2008-03-05 23:25:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-05 22:25:20
ComboFix2.txt 2008-03-05 21:57:45
ComboFix3.txt 2008-03-05 18:20:05

TeaTimer van Spybot is actief, deze moet uitgeschakeld worden omdat deze wijzigingen met Hijackthis weer ongedaan gaat maken.

Spybot openen > Modus > Geavanceerde modus > Gereedschap > Resident > TeaTimer uitschakelen > PC Herstarten

Download het volgende naar je bureaublad:

Dubbelklik daarna op ResetTeaTimer.bat.
Dit zal de voorgaande items die je toegelaten hebt of geblokkeerd hebt via teatimer terug resetten.

Maak CFscript.txt even opnieuw aan en sleep deze over Combofix.exe zoals je dat eerder deed.
Post het nieuwe logje van Combofix tesamen met een nieuw logje van Hijackthis.
Vertel ook of er nog problemen zijn

Teatimer uitgezet --> Combofix-log:

ComboFix 08-03-05.1 - Administrator 2008-03-06 20:45:12.3 - NTFSx86
Gestart vanuit: C:\Documents and Settings\Administrator\Bureaublad\Combofix.exe
Command switches used :: C:\Documents and Settings\Administrator\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::
C:\24022008277.jpg
C:\24022008278.jpg
C:\WINDOWS\c.pid
C:\WINDOWS\system32\badfile.rvaxo
C:\WINDOWS\system32\drivers\Sgl31.sys
C:\WINDOWS\system32\fprot.sys
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\uafgdqit.tmp
C:\WINDOWS\system32\win32.bad
C:\WINDOWS\system32\winlogans.tmp
C:\WINDOWS\wininit.ini
.

(((((((((((((((((((( Bestanden Gemaakt van 2008-02-06 to 2008-03-06 ))))))))))))))))))))))))))))))
.

2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-01 20:10 . 2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
2008-03-01 20:07 . 2008-03-01 19:49 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-03-01 20:07 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
2008-03-01 18:45 . 2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 17:20 . 2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 00:00 . 2008-02-23 00:00 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 16:47 --------- d-----w C:\Program Files\MSN Messenger
2008-02-22 19:44 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-02-12 19:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-02-12 18:13 --------- d-----w C:\Program Files\LimeWire
2008-01-29 20:21 --------- d-----w C:\Program Files\PC Wizard 2008
2008-01-22 19:44 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 07:59 311296]
"XpDis0Conf"="C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 17:37 196608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-08-31 13:04:14 1196032]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"Google Online Search Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS
S3 Usblink;Usblink Driver;C:\WINDOWS\System32\Drivers\ulink.sys [2003-03-07 18:51]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 20:51:03
Windows 5.1.2600 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\System32\devldr32.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Voltooingstijd: 2008-03-06 20:56:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 19:56:26
ComboFix2.txt 2008-03-05 22:25:38
ComboFix3.txt 2008-03-05 21:57:45
ComboFix4.txt 2008-03-05 18:20:05


HijackThis-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02:28, on 6-3-2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\devldr32.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nucia.eu/forum/showthread.php?t=34998
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://80.127.203.59/ConnectComputer/nshelp.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves.net/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

--
End of file - 7480 bytes

PC is erg traag.
Heb nog geen fout-meldingen of rare dingen gezien.

Open de map RVAXO op je bureaublad en dubbelklik Uninstall.cmd
Dit zal alles van RVAXO doen verwijderen.

Je Java software is verouderd.
Oudere versies hebben lekken die malware de kans geeft om zich te installeren op je systeem.
Doe eerst deze stappen om Java te de-installeren en de nieuwere versie te installeren:

• Download Java Runtime Environment (JRE) 6u5 en bewaar het naar je Bureaublad.
• Sluit alle programma's die eventueel open zijn - Zeker je web browser!
• Ga dan naar Start > Configuratiescherm > Software en verwijder alle oudere versies van Java uit de Softwarelijst.
• Vink alles aan met Java Runtime Environment (JRE of J2SE) in de naam.
• Klik dan op Verwijderen of op de Wijzig/Verwijder knop.
• Herhaal dit tot alle oudere versies verdwenen zijn.
• Na het verwijderen van alle oudere versies, herstart je pc.
• Dubbelklik vervolgens op jre-6u5-windows-i586-p-s.exe op je Bureaublad om de nieuwste versie van Java te installeren.

Download ATF cleaner (mirror)(gemaakt door Atribune)

Belangrijk: Sluit al je browservensters(IE en/of Firefox en/of Opera) om de tool goed te kunnen laten werken.

Dubbelklik op ATF cleaner om het programma te starten.
Op het tabblad "Main", plaats je een vinkje bij Select All.
Klik op de knop Empty Selected.

Het volgende doen als je ook FireFox als browser hebt:
Klik op tabblad "Firefox", plaats een vinkje bij Select All.
Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
(dit haalt het vinkje weer weg bij "Firefox saved passwords")
Klik op de knop Empty Selected.

Het volgende doen als je ook Opera als browser hebt:
Klik op tabblad "Opera", plaats een vinkje bij Select All.
Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
Klik op de knop Empty Selected.
Ga naar het tabblad "Main" en klik op de knop Exit om het programma af te sluiten.

Ga naar Start - Uitvoeren en geef hier het volgende in:
Combofix /U
Druk daarna op OK.
Let op: Er moet een spatie tussen Combofix en /U zitten.

Dit zal Combofix deïnstalleren.

Schakel Systeemherstel uit. Herstart de computer. Schakel Systeemherstel weer in.
Kijk hier hoe je je systeemherstel moet uitschakelen.
Hiermee verwijder je eventuele restanten van de infecties uit je systeemherstel.

Vertel of er verbetering is

PC is wel sneller geworden (zoals normaal) kan alleen geen afbeeldingen zien op internet.
Dat is volgens mij het enige manco nog.
Opgelost, bedankt voor de hulp en ik hou het even in de gaten nog, maar het ziet er voorlopig weer prima uit