  • Old PC full of junk

    Hello everyone,

    I'm very pleased with the service on this site, and I still have an old clunker that I use for some everyday things.
    But recently I was on a website and suddenly got several notifications from Panda about a virus.
    Here is my HijackThis log, probably with a lot of junk in it; I hope you can help me again to make this old fellow a bit more usable:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:23:52, on 1-3-2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.nl/0SENLNL/SAOS02
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F3 - REG:win.ini: run=C:\WINDOWS\mmall.exe
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: WindowsUpdate Class - {B3B010A1-A877-4CD7-BAB5-9EE8F9965E20} - C:\WINDOWS\TEMP\ieobj.dll
    O2 - BHO: C:\WINDOWS\System32\Jfs9jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\Jfs9jg.dll
    O2 - BHO: C:\WINDOWS\System32\Fsd9mk4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\Fsd9mk4g.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
    O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://80.127.203.59/ConnectComputer/nshelp.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves.net/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O20 - Winlogon Notify: mplink - C:\WINDOWS\SYSTEM32\mplink.dll
    O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documenten\Settings\partnership.dll
    O20 - Winlogon Notify: winlig32 - C:\WINDOWS\SYSTEM32\winlig32.dll
    O21 - SSODL: system32 - {AB57025F-F248-42FE-A5C7-FE5015484455} - sysprinters.dll (file missing)
    O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\Jfs9jg.dll
    O22 - SharedTaskScheduler: JKhfj3ofgfgdtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\Fsd9mk4g.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Google Online Search Service - Unknown owner - C:\WINDOWS\System32\winlagons.exe
    O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

    --
    End of file - 8428 bytes
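The log above is triaged by eye in this thread. As an added example (not part of the original post and not a HijackThis feature), here is that first pass as Python: it parses the autostart sections of a HijackThis log and flags the indicators a helper looks for in a log like this one, such as executables in a TEMP directory or a service-account profile, names that imitate Windows binaries (winlogan.exe, csrssc.exe, cftmon.exe, spools.exe), generated-looking names, an alternate data stream as service target, a Winlogon Notify DLL outside system32, and the DisableRegedit policy. The rules, the edit-distance threshold and the sample lines (copied from the log above as constructed test input) are my own choices; they are heuristics, so a vendor name can trip them and a dropper can avoid them.

```python
"""Triage of HijackThis autostart lines: flag the patterns a malware-removal helper
checks first.  Added example, not code from the thread; the rules are mine and the
sample lines below are copied from the log above as constructed test input."""
import re

# Sections that register code to run (Run keys, win.ini, BHOs, Winlogon Notify,
# SSODL, SharedTaskScheduler, services) plus O7 policy entries.
SECTIONS = ("F3", "O2", "O4", "O7", "O20", "O21", "O22", "O23")
# Windows binaries that droppers imitate with near-identical names (stems only).
SYSTEM_STEMS = ("winlogon", "csrss", "ctfmon", "spoolsv", "svchost",
                "lsass", "services", "smss", "explorer")
# Target path: drive letter, anything up to a binary extension, optional ":stream".
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx|cpl)(?::\S+)?)', re.I)
# Entry name: "[Name]" in O4 lines, or the "Notify: name -" style prefix elsewhere.
NAME_RE = re.compile(r"\[([^\]]+)\]|(?:Notify|SharedTaskScheduler|SSODL): ([^-]+?) -")


def edit_distance(a, b):
    """Optimal string alignment distance (Levenshtein + adjacent swap): cftmon/ctfmon = 1."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def looks_generated(name):
    """Digits wedged between letters in a vowel-poor name (Jfs9jg, jkdfj94kgdftdf)."""
    if not re.search(r"[A-Za-z]\d+[A-Za-z]", name):
        return False
    letters = re.sub(r"[^A-Za-z]", "", name).lower()
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2

def lookalike_of(stem):
    """System binary within two edits (and one character of length) of stem, if any."""
    if stem in SYSTEM_STEMS:
        return None
    for real in SYSTEM_STEMS:
        if abs(len(stem) - len(real)) <= 1 and edit_distance(stem, real) <= 2:
            return real
    return None

def triage_line(line):
    """Return (code, name, path, reasons) for an autostart line, None for other lines."""
    line = line.strip()
    code = line.split(" - ", 1)[0]
    if code not in SECTIONS:
        return None
    m = NAME_RE.search(line)
    name = (m.group(1) or m.group(2)) if m else ""
    p = PATH_RE.search(line)
    path = p.group(1) if p else ""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]                 # file name, ADS suffix included
    stem, _, ext = base.split(":")[0].rpartition(".")
    checks = [
        (code == "O7" and "DisableRegedit=1" in line, "policy disables regedit"),
        (code == "F3", "legacy win.ini run= autostart"),
        ("(no file)" in line or "(file missing)" in line, "orphaned entry, target missing"),
        (looks_generated(name), "generated-looking entry name %r" % name),
        (":" in base, "alternate data stream in target"),
        ("\\temp\\" in low, "runs from a temp directory"),
        ("\\localservice\\" in low or "\\locals~1\\" in low, "lives in a service-account profile"),
        ("\\system32\\drivers\\" in low and ext == "exe", "executable stored in the drivers directory"),
        (low.rsplit("\\", 1)[0] == "c:\\windows" and ext == "exe",
         "executable dropped directly in the Windows directory"),
        (path and code == "O20" and "\\system32\\" not in low, "Winlogon Notify DLL outside system32"),
        (looks_generated(stem), "generated-looking file name %r" % base),
    ]
    reasons = [msg for hit, msg in checks if hit]
    real = lookalike_of(stem) if ext == "exe" else None   # only .exe names are compared
    if real:
        reasons.append("name resembles %s.exe" % real)
    return code, name or "(no name)", path or "(no path)", reasons

def triage_log(text):
    """Triage every autostart line of a log; rows are (code, name, path, reasons)."""
    return [row for row in map(triage_line, text.splitlines()) if row]

# Constructed sample: ten lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Microsoft all] C:\WINDOWS\mmall.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documenten\Settings\partnership.dll
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\Jfs9jg.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
"""

if __name__ == "__main__":
    for code, name, path, reasons in triage_log(SAMPLE_LOG):
        if reasons:
            print("%-3s %-16s %s\n    %s" % (code, name, path, "; ".join(reasons)))
```

Run it on a full log (`triage_log(open("hijackthis.log").read())`) and read the flagged rows first; entries with no reasons still need the usual vendor-path check, because the rules only encode the tells visible in this thread.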

  • #2
    Download: RVAXO.exe
    • Save the file to your desktop, double-click it and choose "Unzip" to extract it.
    • Now open the RVAXO folder on your desktop and double-click RunMe.cmd
      A cmd window will open; a few lines about files not being found will scroll by quickly, this is normal.
    • An uninstaller for a rogue scanner may also start; do not close it, but follow any instructions and simply let it do its work.
    • Your PC will then restart; after the restart the RVAXO cmd window opens again.
      Let it run and wait until a log file opens: C:\RVAXO-results.log
    • If your computer does not restart by itself, or the tool does not start after the reboot, do this manually.
    • Post the contents of the log file in your next reply.


    Download Combofix (mirror) to your desktop.
    Double-click Combofix.exe
    While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix is complete and after the restart, the log combofix.txt will open (you can also find it here: C:\Combofix.txt)
    Post this log in your next reply.

    NOTE: If your virus scanner reacts with a warning about a script being executed, you may ignore it.



    • #3
      ---RVAXO.exe Updated: 2008-03-01---first run---
      Uninstallers:

      Files found:
      C:\WINDOWS\system32\Jfs9jg.dll
      C:\WINDOWS\system32\Fsd9mk4g.dll
      C:\WINDOWS\system32\Fsd9mk4g.dll
      C:\WINDOWS\system32\winlig32.dll
      C:\WINDOWS\system32\winydp32.dll
      C:\WINDOWS\system32\drvsix.dll
      C:\WINDOWS\mmall.exe
      C:\WINDOWS\system32\drivers\spools.exe
      C:\WINDOWS\system32\winlagons.exe
      C:\Documents and Settings\Administrator\ie_updates3r.exe
      C:\WINDOWS\system32\Fsd9mk4g.dll
      C:\WINDOWS\myalbum2007.zip
      C:\EE.tmp
      C:\F0.tmp
      C:\F1.tmp
      C:\F2.tmp
      C:\F3.tmp
      C:\F4.tmp
      C:\F5.tmp
      C:\F7.tmp
      C:\F8.tmp
      C:\FA.tmp
      C:\FB.tmp
      C:\FC.tmp

      Folders Found:

      Hosts-file was reset, If you use a custom hosts file please replace it...

      The link for Combofix does not work...



      • #4
        Try this one: Combofix.exe



        • #5
          Combofix log:

          ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Administrator\Bureaublad"

          /wow section - STAGE #3

          (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


          C:\WINDOWS\system32\herjt374.exe


          ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


          -------\LEGACY_ICF


          ((((((((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 ))))))))))))))))))))))))))))))))))


          2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
          2008-03-01 20:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
          2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
          2008-03-01 20:08 <DIR> d-------- C:\WINDOWS\pss
          2008-03-01 20:08 <DIR> d-------- C:\RVAXO
          2008-03-01 20:07 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
          2008-03-01 20:07 69,632 --a------ C:\WINDOWS\system32\remove.exe
          2008-03-01 20:07 49,152 --a------ C:\WINDOWS\system32\Vfind.exe
          2008-03-01 20:07 139,776 --a------ C:\WINDOWS\system32\swreg.exe
          2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
          2008-03-01 17:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
          2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
          2008-03-01 17:14 <DIR> d--hs---- C:\WINDOWS\CSC
          2008-02-28 15:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
          2008-02-28 15:18 7 --a------ C:\WINDOWS\system32\ngxt.bin
          2008-02-28 15:15 8,432 --a------ C:\WINDOWS\system32\fprot.sys
          2008-02-28 15:15 4 --a------ C:\WINDOWS\system32\hrpdcf.bin
          2008-02-28 15:15 22,447 --a------ C:\WINDOWS\system32\mplink.dll
          2008-02-28 15:15 0 --a------ C:\WINDOWS\system32\kl80.bin
          2008-02-28 15:13 532,480 --a------ C:\WINDOWS\mm_tmpoc2.exe
          2008-02-28 15:13 19,968 --a------ C:\WINDOWS\mmmega.exe
          2008-02-28 15:12 19,968 --a------ C:\WINDOWS\mm_tmpmega.exe
          2008-02-28 15:11 5,120 --a------ C:\WINDOWS\system32\ftpdll.dll
          2008-02-28 15:11 5,120 --a------ C:\DOCUME~1\LOCALS~1\ftpdll.dll
          2008-02-28 07:48 58,368 --a------ C:\tlmnmae.exe
          2008-02-28 07:48 52,236 --a------ C:\qokc.exe
          2008-02-28 07:48 5,754 --a------ C:\qgxo.exe
          2008-02-28 07:48 172,032 --a------ C:\mbjuwp.exe
          2008-02-28 07:47 73,727 --a------ C:\WINDOWS\system32\herjt414.exe
          2008-02-28 07:46 58,368 --a------ C:\WINDOWS\system32\herjt427.exe
          2008-02-23 00:00 <DIR> dr------- C:\DOCUME~1\LOCALS~1\Favorieten
          2008-02-22 23:58 123,596 --a------ C:\WINDOWS\system32\herjt388.exe
          2008-02-22 20:14 39,424 --a------ C:\WINDOWS\mmhr3.exe
          2008-02-22 20:13 532,480 --a------ C:\WINDOWS\mmoc2.exe
          2008-02-22 20:13 39,424 --a------ C:\WINDOWS\mm_tmphr3.exe
          2008-02-22 20:10 25,202 --a------ C:\WINDOWS\system32\10167952ld.exe


          (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


          2008-02-28 15:15 167936 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
          2008-02-24 17:47 -------- d-------- C:\Program Files\msn messenger
          2008-02-22 20:05 12800 --a------ C:\WINDOWS\system32\svchost.exe
          2008-02-12 19:13 -------- d-------- C:\Program Files\limewire
          2008-01-29 21:21 -------- d-------- C:\Program Files\pc wizard 2008
          2007-12-14 11:32 12632 --a------ C:\WINDOWS\system32\lsdelete.exe
          2007-12-03 22:51 64836 --a------ C:\WINDOWS\system32\perfc013.dat
          2007-12-03 22:51 386792 --a------ C:\WINDOWS\system32\perfh013.dat


          (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

          *Note* empty entries & legit default entries are not shown

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
          "CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
          "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
          "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
          "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
          "APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
          "XpDis0Conf"="C:\\PROGRA~1\\Belkin\\BELKIN~1\\Tool\\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d"
          "Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
          "LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
          "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
          "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
          @=""

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
          "Installed"="1"
          @=""

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
          "NoChange"="1"
          "Installed"="1"
          @=""

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
          "Installed"="1"
          @=""

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
          "LightScribeService"=dword:00000002
          "Google Online Search Service"=dword:00000002


          [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
          "Microsoft all"="C:\\WINDOWS\\mmall.exe"
          "autoload"="C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\cftmon.exe"
          "ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
          "jkdfj94kgdftdf"="C:\\WINDOWS\\TEMP\\winlogan.exe"
          "Jnskdfmf9eldfd"="C:\\WINDOWS\\TEMP\\csrssc.exe"

          [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
          "NoSetActiveDesktop"=dword:00000001
          "NoActiveDesktopChanges"=dword:00000000

          [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

          [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
          "NoSetActiveDesktop"=dword:00000001
          "NoActiveDesktopChanges"=dword:00000000

          [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]

          HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr
          HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink
          HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32

          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
          "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
          Authentication Packages REG_MULTI_SZ msv1_0\0\0
          Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
          Notification Packages REG_MULTI_SZ scecli\0\0

          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved

          [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
          LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
          NetworkService REG_MULTI_SZ DnsCache\0\0
          rpcss REG_MULTI_SZ RpcSs\0\0
          imgsvc REG_MULTI_SZ StiSvc\0\0
          termsvcs REG_MULTI_SZ TermService\0\0



          ********************************************************************

          catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
          http://www.gmer.net

          scanning hidden processes ...

          scanning hidden services ...

          scanning hidden autostart entries ...

          scanning hidden files ...

          C:\WINDOWS\system32\drivers\pcmcia.sys 118784 bytes
          C:\WINDOWS\system32\drivers\portcls.sys 135168 bytes
          C:\WINDOWS\system32\drivers\processr.sys 36864 bytes
          C:\WINDOWS\system32\drivers\psched.sys 69632 bytes
          C:\WINDOWS\system32\drivers\ptilink.sys 20480 bytes
          C:\WINDOWS\system32\drivers\PxHelp20.sys 45056 bytes
          C:\WINDOWS\system32\drivers\rasacd.sys 12288 bytes
          C:\WINDOWS\system32\drivers\rasl2tp.sys 49152 bytes
          C:\WINDOWS\system32\drivers\raspppoe.sys 40960 bytes
          C:\WINDOWS\system32\drivers\raspptp.sys 49152 bytes
          C:\WINDOWS\system32\drivers\raspti.sys 20480 bytes
          C:\WINDOWS\system32\drivers\rawwan.sys 36864 bytes
          C:\WINDOWS\system32\drivers\rdbss.sys 163840 bytes
          C:\WINDOWS\system32\drivers\rdpcdd.sys 8192 bytes
          C:\WINDOWS\system32\drivers\rdpdr.sys 184320 bytes
          C:\WINDOWS\system32\drivers\rdpwd.sys 110592 bytes
          C:\WINDOWS\system32\drivers\redbook.sys 57344 bytes
          C:\WINDOWS\system32\drivers\rio8drv.sys 12288 bytes
          C:\WINDOWS\system32\drivers\riodrv.sys 12288 bytes
          C:\WINDOWS\system32\drivers\RMCast.sys 200704 bytes
          C:\WINDOWS\system32\drivers\rndismp.sys 28672 bytes
          C:\WINDOWS\system32\drivers\rootmdm.sys 8192 bytes
          C:\WINDOWS\system32\drivers\SCBaud.cpl 73728 bytes
          C:\WINDOWS\system32\drivers\SCBaud.w9x 86016 bytes
          C:\WINDOWS\system32\drivers\scsiport.sys 90112 bytes
          C:\WINDOWS\system32\drivers\SCTB.VXD 8192 bytes
          C:\WINDOWS\system32\drivers\SCTray.exe 40960 bytes
          C:\WINDOWS\system32\drivers\secdrv.sys 28672 bytes
          C:\WINDOWS\system32\drivers\serenum.sys 16384 bytes
          C:\WINDOWS\system32\drivers\serial.sys 65536 bytes
          C:\WINDOWS\system32\drivers\sfloppy.sys 12288 bytes
          C:\WINDOWS\system32\drivers\sfmanm.sys 36864 bytes
          C:\WINDOWS\system32\drivers\Sgl31.sys 167936 bytes
          C:\WINDOWS\system32\drivers\symavc32.sys 167936 bytes

          scan completed successfully
          hidden processes: 0
          hidden services: 0
          hidden files: 34

          ********************************************************************

          Completion time: 08-03-03 22:18:23
          C:\ComboFix-quarantined-files.txt ... 08-03-03 22:18



          • #6
            Open a Notepad file.
            Copy the text below (everything in bold) into this Notepad file.


            @ECHO OFF
            REM Start with a fresh report so the log reflects this run only
            IF EXIST log.txt DEL log.txt
            ECHO Deleting files>>log.txt
            REM For each path: clear read-only/system/hidden, delete, record the outcome
            FOR %%g in (
            C:\WINDOWS\system32\ngxt.bin
            C:\WINDOWS\system32\fprot.sys
            C:\WINDOWS\system32\hrpdcf.bin
            C:\WINDOWS\system32\mplink.dll
            C:\WINDOWS\system32\kl80.bin
            C:\WINDOWS\mm_tmpoc2.exe
            C:\WINDOWS\mmmega.exe
            C:\WINDOWS\mm_tmpmega.exe
            C:\WINDOWS\system32\ftpdll.dll
            C:\DOCUME~1\LOCALS~1\ftpdll.dll
            C:\tlmnmae.exe
            C:\qokc.exe
            C:\qgxo.exe
            C:\mbjuwp.exe
            C:\WINDOWS\system32\herjt414.exe
            C:\WINDOWS\system32\herjt427.exe
            C:\WINDOWS\system32\herjt388.exe
            C:\WINDOWS\mmhr3.exe
            C:\WINDOWS\mmoc2.exe
            C:\WINDOWS\mm_tmphr3.exe
            C:\WINDOWS\system32\10167952ld.exe
            C:\WINDOWS\system32\drivers\symavc32.sys) DO (
            IF EXIST %%g (
            ATTRIB -r -s -h %%g
            DEL %%g
            IF EXIST %%g (
            ECHO %%g not deleted>>log.txt
            ) ELSE (
            ECHO %%g deleted>>log.txt)
            ) ELSE (
            ECHO %%g not found>>log.txt))
            REM Show the report
            START NOTEPAD.EXE log.txt

            Go to File - Save As.
            Under "Save in" choose: Desktop
            Under "File name" enter: del.bat
            Under "Save as type" select: All Files (*.*).
            Click the Save button.

            Double-click del.bat and post the contents of the log file that opens.

            Also post a new Combofix log.

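The batch file above can only report "not deleted" when a file is in use. As an added example (not the helper's script), here is the same procedure in Python with one extra step for that case: a file that survives the delete, such as a DLL that winlogon.exe loaded through a Winlogon\Notify entry (the O20 lines of the first log; mplink.dll and winlig32.dll are registered there), is handed to the Windows API MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, which queues it in the PendingFileRenameOperations registry value so the kernel removes it at the next boot before anything can load it. The file list and log path in the demo are constructed; the reboot fallback needs administrator rights and exists only on Windows, so on other hosts the script behaves exactly like del.bat.

```python
"""Delete a list of dropped files and write the deleted / not deleted / not found
report that del.bat above produces, plus a delete-at-reboot fallback for files a
running process keeps open.  Added example, not the helper's script; the demo
file list is constructed."""
import ctypes
import os
import stat
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # winbase.h
FILE_ATTRIBUTE_NORMAL = 0x80        # winnt.h


def clear_attributes(path):
    """Equivalent of ATTRIB -r -s -h: drop read-only/system/hidden so unlink may proceed."""
    if sys.platform == "win32":
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL)
    else:                                   # demo on other hosts: just make it writable
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def schedule_delete_at_reboot(path):
    """Ask the kernel to delete a locked file during the next boot (Windows only).
    With lpNewFileName=NULL and this flag, MoveFileExW records a delete, not a move,
    under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations."""
    if sys.platform != "win32":
        return False
    k32 = ctypes.windll.kernel32
    k32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    k32.MoveFileExW.restype = ctypes.c_int
    return bool(k32.MoveFileExW(os.path.abspath(path), None, MOVEFILE_DELAY_UNTIL_REBOOT))


def delete_files(paths):
    """Try each path; return [(path, status)] using del.bat's wording, plus one
    extra status for a locked file that has been queued for deletion at reboot."""
    results = []
    for path in paths:
        if not os.path.lexists(path):
            results.append((path, "not found"))
            continue
        try:
            clear_attributes(path)
            os.remove(path)
        except OSError:
            pass                                 # locked, protected, or already gone
        if not os.path.lexists(path):
            results.append((path, "deleted"))
        elif schedule_delete_at_reboot(path):
            results.append((path, "not deleted, removal scheduled at next reboot"))
        else:
            results.append((path, "not deleted"))
    return results


def write_log(results, log_path="log.txt"):
    """Write the report in the layout del.bat produces and return the text."""
    text = "Deleting files\n" + "".join("%s %s\n" % r for r in results)
    with open(log_path, "w") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    # Constructed demo: one throwaway file plus a path that does not exist.
    import tempfile
    demo = os.path.join(tempfile.gettempdir(), "demo_dropper.exe")
    open(demo, "wb").close()
    print(write_log(delete_files([demo, demo + ".missing"]),
                    os.path.join(tempfile.gettempdir(), "del_log.txt")))
```

A file reported as "not deleted" on a live system is usually loaded into a process (check the O20 and O23 lines that name it); deleting it from Safe Mode or letting the reboot queue handle it is what the batch file cannot do by itself.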


            • #7
              Log file:

              Deleting files
              C:\WINDOWS\system32\ngxt.bin deleted
              C:\WINDOWS\system32\fprot.sys not deleted
              C:\WINDOWS\system32\hrpdcf.bin deleted
              C:\WINDOWS\system32\mplink.dll not deleted
              C:\WINDOWS\system32\kl80.bin deleted
              C:\WINDOWS\mm_tmpoc2.exe deleted
              C:\WINDOWS\mmmega.exe deleted
              C:\WINDOWS\mm_tmpmega.exe deleted
              C:\WINDOWS\system32\ftpdll.dll deleted
              C:\DOCUME~1\LOCALS~1\ftpdll.dll deleted
              C:\tlmnmae.exe deleted
              C:\qokc.exe deleted
              C:\qgxo.exe deleted
              C:\mbjuwp.exe deleted
              C:\WINDOWS\system32\herjt414.exe deleted
              C:\WINDOWS\system32\herjt427.exe deleted
              C:\WINDOWS\system32\herjt388.exe deleted
              C:\WINDOWS\mmhr3.exe deleted
              C:\WINDOWS\mmoc2.exe deleted
              C:\WINDOWS\mm_tmphr3.exe deleted
              C:\WINDOWS\system32\10167952ld.exe deleted
              C:\WINDOWS\system32\drivers\symavc32.sys not found


              Combofix log:

              ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Administrator\Bureaublad"

              /wow section - STAGE #3

              ((((((((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 ))))))))))))))))))))))))))))))))))


              2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
              2008-03-01 20:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
              2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
              2008-03-01 20:08 <DIR> d-------- C:\WINDOWS\pss
              2008-03-01 20:08 <DIR> d-------- C:\RVAXO
              2008-03-01 20:07 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
              2008-03-01 20:07 69,632 --a------ C:\WINDOWS\system32\remove.exe
              2008-03-01 20:07 49,152 --a------ C:\WINDOWS\system32\Vfind.exe
              2008-03-01 20:07 139,776 --a------ C:\WINDOWS\system32\swreg.exe
              2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
              2008-03-01 17:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
              2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
              2008-03-01 17:14 <DIR> d--hs---- C:\WINDOWS\CSC
              2008-02-28 15:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
              2008-02-28 15:15 8,432 --a------ C:\WINDOWS\system32\fprot.sys
              2008-02-28 15:15 22,447 --a------ C:\WINDOWS\system32\mplink.dll
              2008-02-23 00:00 <DIR> dr------- C:\DOCUME~1\LOCALS~1\Favorieten


              (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


              2008-02-28 15:15 167936 --a------ C:\WINDOWS\system32\drivers\symavc32.sys
              2008-02-24 17:47 -------- d-------- C:\Program Files\msn messenger
              2008-02-22 20:05 12800 --a------ C:\WINDOWS\system32\svchost.exe
              2008-02-12 19:13 -------- d-------- C:\Program Files\limewire
              2008-01-29 21:21 -------- d-------- C:\Program Files\pc wizard 2008
              2007-12-14 11:32 12632 --a------ C:\WINDOWS\system32\lsdelete.exe


              (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

              *Note* empty entries & legit default entries are not shown

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
              "CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
              "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
              "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
              "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
              "APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
              "XpDis0Conf"="C:\\PROGRA~1\\Belkin\\BELKIN~1\\Tool\\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d"
              "Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
              "LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
              "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
              "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
              @=""

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
              "Installed"="1"
              @=""

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
              "NoChange"="1"
              "Installed"="1"
              @=""

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
              "Installed"="1"
              @=""

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
              "LightScribeService"=dword:00000002
              "Google Online Search Service"=dword:00000002


              [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
              "Microsoft all"="C:\\WINDOWS\\mmall.exe"
              "autoload"="C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\cftmon.exe"
              "ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
              "jkdfj94kgdftdf"="C:\\WINDOWS\\TEMP\\winlogan.exe"
              "Jnskdfmf9eldfd"="C:\\WINDOWS\\TEMP\\csrssc.exe"

              [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
              "NoSetActiveDesktop"=dword:00000001
              "NoActiveDesktopChanges"=dword:00000000

              [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

              [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
              "NoSetActiveDesktop"=dword:00000001
              "NoActiveDesktopChanges"=dword:00000000

              [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]

              HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr
              HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink
              HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32

              [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
              "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

              HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
              Authentication Packages REG_MULTI_SZ msv1_0\0\0
              Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
              Notification Packages REG_MULTI_SZ scecli\0\0

              HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
              HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\System Reserved

              [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
              LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
              NetworkService REG_MULTI_SZ DnsCache\0\0
              rpcss REG_MULTI_SZ RpcSs\0\0
              imgsvc REG_MULTI_SZ StiSvc\0\0
              termsvcs REG_MULTI_SZ TermService\0\0



              ********************************************************************

              catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
              http://www.gmer.net

              scanning hidden processes ...

              scanning hidden services ...

              scanning hidden autostart entries ...

              scanning hidden files ...

              C:\WINDOWS\system32\drivers\pcmcia.sys 118784 bytes
              C:\WINDOWS\system32\drivers\portcls.sys 135168 bytes
              C:\WINDOWS\system32\drivers\processr.sys 36864 bytes
              C:\WINDOWS\system32\drivers\psched.sys 69632 bytes
              C:\WINDOWS\system32\drivers\ptilink.sys 20480 bytes
              C:\WINDOWS\system32\drivers\PxHelp20.sys 45056 bytes
              C:\WINDOWS\system32\drivers\rasacd.sys 12288 bytes
              C:\WINDOWS\system32\drivers\rasl2tp.sys 49152 bytes
              C:\WINDOWS\system32\drivers\raspppoe.sys 40960 bytes
              C:\WINDOWS\system32\drivers\raspptp.sys 49152 bytes
              C:\WINDOWS\system32\drivers\raspti.sys 20480 bytes
              C:\WINDOWS\system32\drivers\rawwan.sys 36864 bytes
              C:\WINDOWS\system32\drivers\rdbss.sys 163840 bytes
              C:\WINDOWS\system32\drivers\rdpcdd.sys 8192 bytes
              C:\WINDOWS\system32\drivers\rdpdr.sys 184320 bytes
              C:\WINDOWS\system32\drivers\rdpwd.sys 110592 bytes
              C:\WINDOWS\system32\drivers\redbook.sys 57344 bytes
              C:\WINDOWS\system32\drivers\rio8drv.sys 12288 bytes
              C:\WINDOWS\system32\drivers\riodrv.sys 12288 bytes
              C:\WINDOWS\system32\drivers\RMCast.sys 200704 bytes
              C:\WINDOWS\system32\drivers\rndismp.sys 28672 bytes
              C:\WINDOWS\system32\drivers\rootmdm.sys 8192 bytes
              C:\WINDOWS\system32\drivers\SCBaud.cpl 73728 bytes
              C:\WINDOWS\system32\drivers\SCBaud.w9x 86016 bytes
              C:\WINDOWS\system32\drivers\scsiport.sys 90112 bytes
              C:\WINDOWS\system32\drivers\SCTB.VXD 8192 bytes
              C:\WINDOWS\system32\drivers\SCTray.exe 40960 bytes
              C:\WINDOWS\system32\drivers\secdrv.sys 28672 bytes
              C:\WINDOWS\system32\drivers\serenum.sys 16384 bytes
              C:\WINDOWS\system32\drivers\serial.sys 65536 bytes
              C:\WINDOWS\system32\drivers\sfloppy.sys 12288 bytes
              C:\WINDOWS\system32\drivers\sfmanm.sys 36864 bytes
              C:\WINDOWS\system32\drivers\Sgl31.sys 167936 bytes
              C:\WINDOWS\system32\drivers\symavc32.sys 167936 bytes

              scan completed successfully
              hidden processes: 0
              hidden services: 0
              hidden files: 34

              ********************************************************************

              Completion time: 08-03-05 19:20:05
              C:\ComboFix-quarantined-files.txt ... 08-03-05 19:20
              C:\ComboFix2.txt ... 08-03-03 22:18



              • #8
                Start the computer in Safe Mode.

                Open a Notepad file.
                Copy the text below (everything in bold) into this Notepad file.


                @ECHO OFF
                IF EXIST log.txt DEL log.txt
                ren C:\WINDOWS\system32\mplink.dll mplink.bak
                ECHO Deleting files>>log.txt
                FOR %%g in (
                C:\WINDOWS\system32\fprot.sys
                C:\WINDOWS\system32\drivers\Sgl31.sys
                C:\WINDOWS\system32\mplink.dll
                C:\WINDOWS\system32\mplink.bak
                C:\WINDOWS\system32\drivers\symavc32.sys) DO (
                IF EXIST %%g (
                ATTRIB -r -s -h %%g
                DEL %%g
                IF EXIST %%g (
                ECHO %%g not deleted>>log.txt
                ) ELSE (
                ECHO %%g deleted>>log.txt)
                ) ELSE (
                ECHO %%g not found>>log.txt))
                remove C:\WINDOWS\system32\mplink.bak C:\RVAXO\mplink.bak
                remove C:\WINDOWS\system32\mplink.dll C:\RVAXO\mplink.dll
                START NOTEPAD.EXE log.txt

                Go to File - Save As.
                Under "Save in" choose: Desktop
                Under "File name" enter: del.bat
                Under "Save as type" select: All files (*.*).
                Click the Save button.

                Double-click del.bat and post the contents of the log file that opens.


                Keep the log file.
                Restart into normal mode and post the new log.

                Now also check whether you can download this version of ComboFix:


                If so, make a log with it and post that in your next message.
                Last edited by smeenk; 05-03-08, 19:37.



                • #9
                  Log:

                  Deleting files
                  C:\WINDOWS\system32\fprot.sys not deleted
                  C:\WINDOWS\system32\drivers\Sgl31.sys not found
                  C:\WINDOWS\system32\mplink.dll not found
                  C:\WINDOWS\system32\mplink.bak not deleted
                  C:\WINDOWS\system32\drivers\symavc32.sys not found

                  New-version ComboFix log:

                  ComboFix 08-03-05.1 - Administrator 2008-03-05 22:49:07.1 - NTFSx86
                  Microsoft Windows XP Professional 5.1.2600.0.1252.31.1043.18.263 [GMT 1:00]
                  Gestart vanuit: C:\Documents and Settings\Administrator\Bureaublad\ComboFix.exe

                  WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
                  .
                  ADS - svchost.exe: deleted 28160 bytes in 1 streams.

                  (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
                  C:\WINDOWS\system\hipsrv.mm
                  C:\WINDOWS\system32\Cache
                  C:\WINDOWS\system32\drivers\NdisWon.sys
                  C:\WINDOWS\system32\drivers\symavc32.sys

                  .
                  ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

                  .
                  -------\LEGACY_NDISWON
                  -------\LEGACY_SGL31
                  -------\LEGACY_SYMAVC32
                  -------\hipsrv


                  (((((((((((((((((((( Bestanden Gemaakt van 2008-02-05 to 2008-03-05 ))))))))))))))))))))))))))))))
                  .

                  2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
                  2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
                  2008-03-01 20:10 . 2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
                  2008-03-01 20:08 . 2008-03-05 22:43 <DIR> d-------- C:\RVAXO
                  2008-03-01 20:07 . 2008-03-01 19:49 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
                  2008-03-01 20:07 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
                  2008-03-01 18:45 . 2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
                  2008-03-01 18:19 . 2008-03-01 18:19 86 --a------ C:\WINDOWS\wininit.ini
                  2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
                  2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
                  2008-03-01 17:37 . 2008-02-24 02:13 409,841 --a------ C:\24022008277.jpg
                  2008-03-01 17:37 . 2008-02-24 02:14 394,897 --a------ C:\24022008278.jpg
                  2008-03-01 17:20 . 2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
                  2008-02-28 15:15 . 2008-02-28 15:15 167,936 --a------ C:\WINDOWS\system32\drivers\Sgl31.sys
                  2008-02-28 15:15 . 2008-02-28 15:15 8,432 --a------ C:\WINDOWS\system32\fprot.sys
                  2008-02-28 15:14 . 2008-02-28 15:14 10,000 --a------ C:\WINDOWS\system32\badfile.rvaxo
                  2008-02-28 15:13 . 2008-03-01 16:35 4 --a------ C:\WINDOWS\c.pid
                  2008-02-28 15:11 . 2008-02-28 15:11 29 --a------ C:\WINDOWS\system32\uafgdqit.tmp
                  2008-02-23 00:00 . 2008-02-23 00:00 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten
                  2008-02-22 20:04 . 2008-03-01 16:37 44 --a------ C:\WINDOWS\system32\svchost.t__
                  2008-02-22 20:01 . 2008-03-01 16:38 311 --a------ C:\WINDOWS\system32\winlogans.tmp
                  2008-02-12 18:37 . 2008-02-12 18:37 24,576 --a------ C:\WINDOWS\system32\win32.bad

                  .
                  ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2008-02-24 16:47 --------- d-----w C:\Program Files\MSN Messenger
                  2008-02-22 19:44 --------- d-----w C:\Program Files\Common Files\LightScribe
                  2008-02-22 19:05 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
                  2008-02-12 19:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
                  2008-02-12 18:13 --------- d-----w C:\Program Files\LimeWire
                  2008-01-29 20:21 --------- d-----w C:\Program Files\PC Wizard 2008
                  2008-01-22 19:44 --------- d-----w C:\Program Files\Java
                  2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
                  .

                  ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  REGEDIT4
                  *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3B010A1-A877-4CD7-BAB5-9EE8F9965E20}]

                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]

                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
                  "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
                  "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
                  "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 07:59 311296]
                  "XpDis0Conf"="C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe" [ ]
                  "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
                  "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
                  "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 17:37 196608]
                  "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]
                  "Microsoft all"="C:\WINDOWS\mmall.exe" [ ]
                  "jkdfj94kgdftdf"="C:\WINDOWS\TEMP\winlogan.exe" [ ]
                  "Jnskdfmf9eldfd"="C:\WINDOWS\TEMP\csrssc.exe" [ ]

                  C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
                  BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-08-31 13:04:14 1196032]
                  Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56 65588]

                  [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
                  "NoSetActiveDesktop"= 1 (0x1)
                  "NoActiveDesktopChanges"= 0 (0x0)

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
                  avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink]
                  mplink.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32]
                  winlig32.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                  "LightScribeService"=2 (0x2)
                  "Google Online Search Service"=2 (0x2)

                  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                  "AntiVirusDisableNotify"=dword:00000001
                  "UpdatesDisableNotify"=dword:00000001

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=

                  R1 fprot;FT StarForce Protector;C:\WINDOWS\System32\fprot.sys [2008-02-28 15:15]
                  S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS
                  S3 Usblink;Usblink Driver;C:\WINDOWS\System32\Drivers\ulink.sys [2003-03-07 18:51]
                  S4 Google Online Search Service;Google Online Search Service;C:\WINDOWS\System32\winlagons.exe

                  .
                  **************************************************************************

                  catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2008-03-05 22:53:54
                  Windows 5.1.2600 NTFS

                  scannen van verborgen processen ...

                  scannen van verborgen autostart items ...

                  scannen van verborgen bestanden ...

                  Scan succesvol afgerond
                  verborgen bestanden: 0

                  **************************************************************************
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                  C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
                  C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
                  C:\WINDOWS\System32\devldr32.exe
                  c:\program files\panda software\panda antivirus 2007\WebProxy.exe
                  C:\WINDOWS\System32\imapi.exe
                  C:\Program Files\Panda Software\Panda Antivirus 2007\avtask.exe
                  .
                  **************************************************************************
                  .
                  Voltooingstijd: 2008-03-05 22:57:45 - machine was rebooted
                  ComboFix-quarantined-files.txt 2008-03-05 21:57:20
                  ComboFix2.txt 2008-03-05 18:20:05
                  Last edited by BobBrand1983; 05-03-08, 22:59.



                  • #10
                    Open Notepad, then copy and paste the following (the bold text) into an empty window:


                    File::
                    C:\WINDOWS\wininit.ini
                    C:\24022008277.jpg
                    C:\24022008278.jpg
                    C:\WINDOWS\system32\drivers\Sgl31.sys
                    C:\WINDOWS\system32\fprot.sys
                    C:\WINDOWS\system32\badfile.rvaxo
                    C:\WINDOWS\c.pid
                    C:\WINDOWS\system32\uafgdqit.tmp
                    C:\WINDOWS\system32\svchost.t__
                    C:\WINDOWS\system32\winlogans.tmp
                    C:\WINDOWS\system32\win32.bad

                    Driver::
                    Google Online Search Service
                    fprot

                    Folder::
                    C:\RVAXO

                    Registry::
                    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3B010A1-A877-4CD7-BAB5-9EE8F9965E20}]
                    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
                    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]
                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                    "Microsoft all"=-
                    "jkdfj94kgdftdf"=-
                    "Jnskdfmf9eldfd"=-
                    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink]
                    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32]




                    Save this to your Desktop as CFScript.txt

                    Drag CFScript.txt onto ComboFix.exe as shown in the example below:



                    This will make ComboFix restart.
                    Reboot when asked to,
                    and post the contents of Combofix.txt in your next reply.



                    • #11
                      ComboFix 08-03-05.1 - Administrator 2008-03-05 23:13:05.2 - NTFSx86
                      Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.330 [GMT 1:00]
                      Gestart vanuit: C:\Documents and Settings\Administrator\Bureaublad\Combofix.exe
                      Command switches used :: C:\Documents and Settings\Administrator\Bureaublad\CFScript.txt
                      * Nieuw herstelpunt werd aangemaakt

                      WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

                      FILE ::
                      C:\24022008277.jpg
                      C:\24022008278.jpg
                      C:\WINDOWS\c.pid
                      C:\WINDOWS\system32\badfile.rvaxo
                      C:\WINDOWS\system32\drivers\Sgl31.sys
                      C:\WINDOWS\system32\fprot.sys
                      C:\WINDOWS\system32\svchost.t__
                      C:\WINDOWS\system32\uafgdqit.tmp
                      C:\WINDOWS\system32\win32.bad
                      C:\WINDOWS\system32\winlogans.tmp
                      C:\WINDOWS\wininit.ini
                      .

                      (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
                      .

                      C:\24022008277.jpg
                      C:\24022008278.jpg
                      C:\RVAXO
                      C:\RVAXO\1a.reg
                      C:\RVAXO\3a.reg
                      C:\RVAXO\Fsd9mk4g.dll
                      C:\RVAXO\ie_updates3r.exe
                      C:\RVAXO\mmall.exe
                      C:\RVAXO\mplink.bak
                      C:\RVAXO\myalbum2007.zip
                      C:\RVAXO\qmgr0.dat
                      C:\RVAXO\RVAXO3
                      C:\RVAXO\spools.exe
                      C:\RVAXO\ssodl.reg
                      C:\RVAXO\sts.reg
                      C:\RVAXO\winlagons.exe
                      C:\WINDOWS\c.pid
                      C:\WINDOWS\system32\badfile.rvaxo
                      C:\WINDOWS\system32\drivers\Sgl31.sys
                      C:\WINDOWS\system32\fprot.sys
                      C:\WINDOWS\system32\svchost.t__
                      C:\WINDOWS\system32\uafgdqit.tmp
                      C:\WINDOWS\system32\win32.bad
                      C:\WINDOWS\system32\winlogans.tmp
                      C:\WINDOWS\wininit.ini

                      .
                      ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

                      .
                      -------\LEGACY_FPROT
                      -------\LEGACY_GOOGLE_ONLINE_SEARCH_SERVICE
                      -------\fprot
                      -------\Google Online Search Service


                      (((((((((((((((((((( Bestanden Gemaakt van 2008-02-05 to 2008-03-05 ))))))))))))))))))))))))))))))
                      .

                      2008-03-05 23:12 . 2008-03-05 23:14 53,248 --a------ C:\WINDOWS\PSEXESVC.EXE
                      2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
                      2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
                      2008-03-01 20:10 . 2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
                      2008-03-01 20:07 . 2008-03-01 19:49 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
                      2008-03-01 20:07 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
                      2008-03-01 18:45 . 2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
                      2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
                      2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
                      2008-03-01 17:20 . 2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
                      2008-02-23 00:00 . 2008-02-23 00:00 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten

                      .
                      ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      2008-02-24 16:47 --------- d-----w C:\Program Files\MSN Messenger
                      2008-02-22 19:44 --------- d-----w C:\Program Files\Common Files\LightScribe
                      2008-02-22 19:05 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
                      2008-02-12 19:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
                      2008-02-12 18:13 --------- d-----w C:\Program Files\LimeWire
                      2008-01-29 20:21 --------- d-----w C:\Program Files\PC Wizard 2008
                      2008-01-22 19:44 --------- d-----w C:\Program Files\Java
                      2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
                      .

                      ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      REGEDIT4
                      *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

                      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3B010A1-A877-4CD7-BAB5-9EE8F9965E20}]

                      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]

                      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]

                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
                      "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
                      "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
                      "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 07:59 311296]
                      "XpDis0Conf"="C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe" [ ]
                      "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
                      "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
                      "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 17:37 196608]
                      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

                      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                      "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]

                      C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
                      BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-08-31 13:04:14 1196032]
                      Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56 65588]

                      [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
                      "NoSetActiveDesktop"= 1 (0x1)
                      "NoActiveDesktopChanges"= 0 (0x0)

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
                      avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink]

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlig32]

                      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                      "LightScribeService"=2 (0x2)
                      "Google Online Search Service"=2 (0x2)

                      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                      "AntiVirusDisableNotify"=dword:00000001
                      "UpdatesDisableNotify"=dword:00000001

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                      "%windir%\\system32\\sessmgr.exe"=

                      S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS
                      S3 Usblink;Usblink Driver;C:\WINDOWS\System32\Drivers\ulink.sys [2003-03-07 18:51]

                      .
                      **************************************************************************

                      catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                      Rootkit scan 2008-03-05 23:18:07
                      Windows 5.1.2600 NTFS

                      scannen van verborgen processen ...

                      scannen van verborgen autostart items ...

                      scannen van verborgen bestanden ...

                      Scan succesvol afgerond
                      verborgen bestanden: 0

                      **************************************************************************
                      .
                      ------------------------ Other Running Processes ------------------------
                      .
                      C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
                      C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
                      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                      C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
                      C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
                      C:\WINDOWS\System32\devldr32.exe
                      c:\program files\panda software\panda antivirus 2007\WebProxy.exe
                      C:\Program Files\MSN Messenger\usnsvc.exe
                      .
                      **************************************************************************
                      .
                      Voltooingstijd: 2008-03-05 23:25:37 - machine was rebooted
                      ComboFix-quarantined-files.txt 2008-03-05 22:25:20
                      ComboFix2.txt 2008-03-05 21:57:45
                      ComboFix3.txt 2008-03-05 18:20:05

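The CFScript format from post #10 and the removal list ComboFix echoed back in post #11, as an added example (not ComboFix's own code and not from this thread's helpers): a dry-run parser that turns the script into a reviewable plan and flags any requested path the follow-up log does not report as removed. Paths and key names are copied from the thread; the section names are assumed from the script as posted.

```python
"""Dry-run reader for the ComboFix CFScript format used in post #10.

Added example, not ComboFix's own code.  Parses the File::, Driver::, Folder::
and Registry:: sections into a plan that can be reviewed before the script is
dragged onto ComboFix.exe, then reconciles it with the "Andere Verwijderingen"
list from post #11 to flag paths ComboFix never reported as removed."""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^(\w+)::\s*$")        # "File::", "Registry::", ...
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")       # "[-KEY]" deletes, "[KEY]" selects
REG_VALUE_RE = re.compile(r'^"([^"]+)"=-\s*$')   # '"name"=-' deletes a value


@dataclass
class Plan:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    drivers: list = field(default_factory=list)
    reg_keys_deleted: list = field(default_factory=list)
    reg_values_deleted: list = field(default_factory=list)  # (key, value name)
    unknown: list = field(default_factory=list)             # lines no section accepts


def parse_cfscript(text: str) -> Plan:
    plan = Plan()
    section = None      # lower-cased name of the current "Xxx::" section
    current_key = None  # registry key selected by the last "[KEY]" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "folder":
            plan.folders.append(line)
        elif section == "driver":
            plan.drivers.append(line)
        elif section == "registry":
            km, vm = REG_KEY_RE.match(line), REG_VALUE_RE.match(line)
            if km and km.group(1) == "-":
                plan.reg_keys_deleted.append(km.group(2))
                current_key = None
            elif km:
                current_key = km.group(2)
            elif vm and current_key:
                plan.reg_values_deleted.append((current_key, vm.group(1)))
            else:
                plan.unknown.append(line)
        else:
            plan.unknown.append(line)
    return plan


def unreported(plan: Plan, reported_removed) -> list:
    """Planned files/folders absent from ComboFix's removal list (NTFS ignores case)."""
    removed = {p.strip().lower() for p in reported_removed}
    return [p for p in plan.files + plan.folders if p.lower() not in removed]


# Abbreviated copy of the CFScript posted in #10.
CFSCRIPT = r"""
File::
C:\WINDOWS\wininit.ini
C:\24022008277.jpg
C:\WINDOWS\system32\drivers\Sgl31.sys
C:\WINDOWS\system32\fprot.sys
C:\WINDOWS\c.pid
C:\WINDOWS\system32\win32.bad
Driver::
Google Online Search Service
fprot
Folder::
C:\RVAXO
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3B010A1-A877-4CD7-BAB5-9EE8F9965E20}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft all"=-
"jkdfj94kgdftdf"=-
"Jnskdfmf9eldfd"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink]
"""

# Abbreviated "Andere Verwijderingen" list from the post #11 log.
REMOVED = [
    r"C:\24022008277.jpg", r"C:\RVAXO", r"C:\RVAXO\mmall.exe", r"C:\WINDOWS\c.pid",
    r"C:\WINDOWS\system32\drivers\Sgl31.sys", r"C:\WINDOWS\system32\fprot.sys",
    r"C:\WINDOWS\system32\win32.bad", r"C:\WINDOWS\wininit.ini",
]

if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    print(f"{len(plan.files)} files, {len(plan.folders)} folders, {len(plan.drivers)} drivers, "
          f"{len(plan.reg_keys_deleted)} keys, {len(plan.reg_values_deleted)} values to remove")
    print("not reported as removed:", unreported(plan, REMOVED))  # []
```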


                      • #12
                        Spybot's TeaTimer is active; it has to be disabled, because it will undo the changes made with HijackThis again.

                        Open Spybot > Mode > Advanced mode > Tools > Resident > disable TeaTimer > restart the PC

                        Download the following to your desktop:

                        Then double-click ResetTeaTimer.bat.
                        This will reset the items you previously allowed or blocked via TeaTimer.

                        Create CFScript.txt again and drag it onto Combofix.exe as you did before.
                        Post the new ComboFix log together with a new HijackThis log.
                        Also tell us whether there are still any problems.



                        • #13
                          TeaTimer switched off --> ComboFix log:

                          ComboFix 08-03-05.1 - Administrator 2008-03-06 20:45:12.3 - NTFSx86
                          Gestart vanuit: C:\Documents and Settings\Administrator\Bureaublad\Combofix.exe
                          Command switches used :: C:\Documents and Settings\Administrator\Bureaublad\CFScript.txt
                          * Nieuw herstelpunt werd aangemaakt

                          WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

                          FILE ::
                          C:\24022008277.jpg
                          C:\24022008278.jpg
                          C:\WINDOWS\c.pid
                          C:\WINDOWS\system32\badfile.rvaxo
                          C:\WINDOWS\system32\drivers\Sgl31.sys
                          C:\WINDOWS\system32\fprot.sys
                          C:\WINDOWS\system32\svchost.t__
                          C:\WINDOWS\system32\uafgdqit.tmp
                          C:\WINDOWS\system32\win32.bad
                          C:\WINDOWS\system32\winlogans.tmp
                          C:\WINDOWS\wininit.ini
                          .

                          (((((((((((((((((((( Bestanden Gemaakt van 2008-02-06 to 2008-03-06 ))))))))))))))))))))))))))))))
                          .

                          2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Program Files\Lavasoft
                          2008-03-01 20:14 . 2008-03-01 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
                          2008-03-01 20:10 . 2008-03-01 20:10 146,137 --a------ C:\RVAXO.reg
                          2008-03-01 20:07 . 2008-03-01 19:49 716,281 --a------ C:\WINDOWS\system32\RVAXO.bat
                          2008-03-01 20:07 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
                          2008-03-01 18:45 . 2008-03-01 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
                          2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
                          2008-03-01 17:52 . 2008-03-01 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
                          2008-03-01 17:20 . 2008-03-01 17:20 <DIR> d-------- C:\Program Files\Trend Micro
                          2008-02-23 00:00 . 2008-02-23 00:00 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten

                          .
                          ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          2008-02-24 16:47 --------- d-----w C:\Program Files\MSN Messenger
                          2008-02-22 19:44 --------- d-----w C:\Program Files\Common Files\LightScribe
                          2008-02-12 19:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
                          2008-02-12 18:13 --------- d-----w C:\Program Files\LimeWire
                          2008-01-29 20:21 --------- d-----w C:\Program Files\PC Wizard 2008
                          2008-01-22 19:44 --------- d-----w C:\Program Files\Java
                          .

                          ((((((((((((((((((((((((((((((((((((( Reg Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          .
                          REGEDIT4
                          *Note* empty entries & legitimate default entries are not shown

                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]
                          "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
                          "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2006-09-13 07:59 311296]
                          "XpDis0Conf"="C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe" [ ]
                          "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
                          "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
                          "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-14 17:37 196608]
                          "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

                          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                          "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-09-07 13:00 13312]

                          C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
                          BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-08-31 13:04:14 1196032]
                          Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56 65588]

                          [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
                          "NoSetActiveDesktop"= 1 (0x1)
                          "NoActiveDesktopChanges"= 0 (0x0)

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
                          avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

                          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                          "LightScribeService"=2 (0x2)
                          "Google Online Search Service"=2 (0x2)

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                          "AntiVirusDisableNotify"=dword:00000001
                          "UpdatesDisableNotify"=dword:00000001

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                          "%windir%\\system32\\sessmgr.exe"=

                          S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS
                          S3 Usblink;Usblink Driver;C:\WINDOWS\System32\Drivers\ulink.sys [2003-03-07 18:51]

                          .
                          **************************************************************************

                          catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                          Rootkit scan 2008-03-06 20:51:03
                          Windows 5.1.2600 NTFS

                          scanning hidden processes ...

                          scanning hidden autostart entries ...

                          scanning hidden files ...

                          scan completed successfully
                          hidden files: 0

                          **************************************************************************
                          .
                          ------------------------ Other Running Processes ------------------------
                          .
                          C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
                          C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
                          C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                          C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
                          C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
                          C:\WINDOWS\System32\devldr32.exe
                          c:\program files\panda software\panda antivirus 2007\WebProxy.exe
                          C:\WINDOWS\System32\imapi.exe
                          C:\WINDOWS\system32\rundll32.exe
                          .
                          **************************************************************************
                          .
                          Completion time: 2008-03-06 20:56:50 - machine was rebooted
                          ComboFix-quarantined-files.txt 2008-03-06 19:56:26
                          ComboFix2.txt 2008-03-05 22:25:38
                          ComboFix3.txt 2008-03-05 21:57:45
                          ComboFix4.txt 2008-03-05 18:20:05


                          HijackThis log:

                          Logfile of Trend Micro HijackThis v2.0.2
                          Scan saved at 21:02:28, on 6-3-2008
                          Platform: Windows XP (WinNT 5.01.2600)
                          MSIE: Internet Explorer v6.00 (6.00.2600.0000)
                          Boot mode: Normal

                          Running processes:
                          C:\WINDOWS\System32\smss.exe
                          C:\WINDOWS\system32\winlogon.exe
                          C:\WINDOWS\system32\services.exe
                          C:\WINDOWS\system32\lsass.exe
                          C:\WINDOWS\system32\svchost.exe
                          C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
                          C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
                          C:\WINDOWS\System32\svchost.exe
                          C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                          C:\WINDOWS\system32\spoolsv.exe
                          C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
                          C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
                          C:\WINDOWS\System32\svchost.exe
                          C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
                          C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
                          C:\WINDOWS\System32\ctfmon.exe
                          C:\Program Files\MSN Messenger\MsnMsgr.Exe
                          C:\WINDOWS\System32\devldr32.exe
                          c:\program files\panda software\panda antivirus 2007\WebProxy.exe
                          C:\WINDOWS\explorer.exe
                          C:\Program Files\Internet Explorer\IEXPLORE.EXE
                          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nucia.eu/forum/showthread.php?t=34998
                          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
                          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
                          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                          R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
                          O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                          O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
                          O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
                          O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
                          O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
                          O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
                          O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
                          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
                          O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
                          O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
                          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                          O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
                          O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
                          O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
                          O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
                          O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
                          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
                          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                          O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                          O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                          O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
                          O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
                          O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                          O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                          O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
                          O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
                          O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
                          O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://80.127.203.59/ConnectComputer/nshelp.dll
                          O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
                          O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
                          O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
                          O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
                          O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
                          O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves.net/statics/Aurigma/ImageUploader4.cab
                          O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
                          O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
                          O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                          O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
                          O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
                          O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
                          O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

                          --
                          End of file - 7480 bytes

                          PC is very slow.
                          Haven't seen any error messages or strange things yet.
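Added example, not code from this thread or from Trend Micro: a small triage script for the HijackThis log format posted above. It parses the one-entry-per-line records (R0/R1, O2, O4, O9, O16, O23 and so on) and lists the entries a helper looks at first: targets reported as "(no file)" or "(file missing)", autorun entries launched from an unusual directory, downloaded ActiveX controls (O16 DPF) served from a bare IP address or from a host outside a small allow-list, and services with "Unknown owner". The allow-list, the "unusual location" rules and the constructed `[updater]` line in the sample log are assumptions made for this example, not HijackThis's own classification; the other sample lines are excerpted from the log above.

```python
r"""Triage of a HijackThis 2.0.x log (added example; not code from this thread or from Trend Micro).

Parses the one-entry-per-line format shown above ("O4 - HKLM\..\Run: [name] path",
"O16 - DPF: {CLSID} (name) - url", ...) and lists the entries a helper reads first.
The allow-list, the "unusual location" rules and the constructed [updater] line in the
sample log are assumptions made for this example, not HijackThis's own classification.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|ocx|sys|com|bat|cmd|scr|pif)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption: hosts already trusted for downloaded ActiveX (O16 DPF) controls.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "messenger.zone.msn.com", "gfx2.hotmail.com"}
# Assumption: directories from which an autorun entry deserves a closer look.
SUSPECT_DIR_PREFIXES = ("c:\\documents and settings\\", "c:\\windows\\temp\\", "c:\\temp\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    kind: str      # HijackThis section, e.g. "O4"
    reason: str
    line: str


def parse_entries(log_text):
    """Return (kind, body, line) for every entry line; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def location_is_suspect(path):
    """True for a drive root, a profile/temp directory, or a file dropped directly in C:\\WINDOWS."""
    directory = path.lower().rsplit("\\", 1)[0] + "\\"
    if directory.count("\\") == 1:          # e.g. C:\something.exe
        return True
    if directory == "c:\\windows\\":        # legitimate software rarely autoruns from the bare WINDOWS root
        return True
    return directory.startswith(SUSPECT_DIR_PREFIXES)


def triage(log_text):
    """Return Findings in log order: missing targets, odd autorun paths, risky ActiveX hosts, unowned services."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        lower = body.lower()
        if "(no file)" in lower or "(file missing)" in lower:
            findings.append(Finding("review", kind, "target file missing: orphaned entry, safe to fix", line))
            continue
        if kind == "O4":
            m = PATH_RE.search(body)
            if m and location_is_suspect(m.group(0)):
                findings.append(Finding("high", kind, "autorun from unusual location: " + m.group(0), line))
        elif kind == "O16":
            m = URL_RE.search(body)
            host = urlparse(m.group(0)).hostname if m else None
            if host and IPV4_RE.match(host):
                findings.append(Finding("high", kind, "ActiveX control fetched from a bare IP address: " + host, line))
            elif host and host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("review", kind, "ActiveX download host not on the allow-list: " + host, line))
        elif kind == "O23" and "unknown owner" in lower:
            findings.append(Finding("review", kind, "service binary carries no publisher name", line))
    return findings


# Sample log: lines excerpted from the HijackThis log above, plus one constructed
# [updater] autorun line to exercise the unusual-location rule.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Administrator\Local Settings\Temp\upd.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://80.127.203.59/ConnectComputer/nshelp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity != "high"):
        print(f"[{f.severity:6}] {f.kind:3} {f.reason}\n         {f.line}")
```

Run against a full log, the script gives a short list to check by hand rather than a verdict; a "high" entry still needs the file looked at (hash, signature, timestamp) before it is removed, and the allow-list should grow with whatever the helper has already verified.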



                          • #14
                            Open the RVAXO folder on your desktop and double-click Uninstall.cmd
                            This will remove everything belonging to RVAXO.

                            Your Java software is out of date.
                            Older versions have holes that give malware the chance to install itself on your system.
                            First do these steps to uninstall Java and install the newer version:
                            • Download Java Runtime Environment (JRE) 6u5 and save it to your Desktop.
                            • Close all programs that may be open - especially your web browser!
                            • Then go to Start > Control Panel > Add or Remove Programs and remove all older versions of Java from the list.
                            • Check everything with Java Runtime Environment (JRE or J2SE) in the name.
                            • Then click Remove or the Change/Remove button.
                            • Repeat this until all older versions are gone.
                            • After removing all older versions, restart your PC.
                            • Then double-click jre-6u5-windows-i586-p-s.exe on your Desktop to install the newest version of Java.


                            Download ATF Cleaner (mirror) (made by Atribune)

                            Important: close all your browser windows (IE and/or Firefox and/or Opera) so the tool can work properly.

                            Double-click ATF Cleaner to start the program.
                            On the "Main" tab, put a check mark next to Select All.
                            Click the Empty Selected button.

                            Do the following if you also have Firefox as a browser:
                            Click the "Firefox" tab and put a check mark next to Select All.
                            If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
                            (this removes the check mark next to "Firefox saved passwords" again)
                            Click the Empty Selected button.

                            Do the following if you also have Opera as a browser:
                            Click the "Opera" tab and put a check mark next to Select All.
                            If you want to keep the passwords saved by Opera, click "No" in the window that appears.
                            Click the Empty Selected button.
                            Go to the "Main" tab and click the Exit button to close the program.

                            Go to Start - Run and enter the following:
                            Combofix /U
                            Then press OK.
                            Note: there must be a space between Combofix and /U.

                            This will uninstall ComboFix.

                            Disable System Restore. Restart the computer. Enable System Restore again.
                            Look here for how to disable System Restore.
                            This removes any remnants of the infections from your System Restore.

                            Let us know whether there is any improvement



                            • #15
                              The PC has become faster (as normal), only I can't see any images on the internet.
                              As far as I can tell that is the only shortcoming left.

                              Solved, thanks for the help and I'll keep an eye on it a little longer, but for now it looks fine again
                              Last edited by BobBrand1983; 08-03-08, 17:54.
