BSOD's 0X0000008E


    A few months ago I bought new RAM and a new video card (3x 1GB DDR333 and an Nvidia 7600GT), and around the same time I had a lot of trouble with spyware, trojans, etc. Since those new parts have been in my PC, I have been getting BSODs with the error code 0X0000008E (0X80000003, 0XF8909567, 0XF8951D90, 0X00000000). This happened during various activities: large downloads from the internet, using LimeWire and other P2P programs, watching DivX or YouTube videos, etc. After rebooting following the BSOD, a message appears saying "Your system has recovered from a serious error" and I can send a report to Microsoft. I have done this several times, and according to the page that comes up after sending, I have a problem with a hardware device driver.

    I have already tried everything: different combinations of RAM modules, putting my old video card back, etc. At the moment my old RAM modules and video card are back in (2x 256MB DDR266 and a GeForce 4 Ti), which never gave any problems before, and I still get BSODs. What I saw in a ComboFix log is that tcpip.sys is infected. I think the BSODs have something to do with this. I have run ComboFix several times, but the tcpip.sys message keeps appearing in the logs. I hope you can help me... Apart from that I don't really have problems with my PC; it is sometimes a bit slow, but in general it is fine.

    Here are a HJT log and a ComboFix log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:38:19, on 17/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\lxczcoms.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://breedband.telenet.be
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O1 - Hosts: 67.18.156.46 chat.downabeer.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/SP.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://www.earthcaller.com/VaxSIPUserAgentCAB.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 5347 bytes



    ComboFix 08-03-14.4 - chrzz 2008-03-17 12:21:13.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.280 [GMT 1:00]
    Gestart vanuit: C:\Documents and Settings\chrzz\Bureaublad\ComboFix.exe

    WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2008-02-17 to 2008-03-17 ))))))))))))))))))))))))))))))
    .

    2008-03-16 23:46 . 2008-03-16 23:46 <DIR> d-------- C:\Program Files\My-Proxy
    2008-03-16 23:44 . 2008-03-16 23:45 <DIR> d-------- C:\WINDOWS\vf_hip
    2008-03-16 23:44 . 2008-03-16 23:44 <DIR> d-------- C:\Program Files\Hide IP Platinum
    2008-03-16 20:36 . 2008-03-16 20:36 <DIR> d-------- C:\Program Files\Cedelia
    2008-03-16 14:17 . 2008-03-16 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
    2008-03-16 14:14 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
    2008-03-16 14:14 . 2008-03-17 12:05 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
    2008-03-16 14:14 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
    2008-03-16 14:13 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
    2008-03-14 09:58 . 2008-03-14 09:58 <DIR> d--hs---- C:\found.001
    2008-03-13 12:47 . 2008-03-13 12:51 <DIR> d-------- C:\Program Files\xp-AntiSpy
    2008-03-08 06:17 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2008-03-08 06:17 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2008-03-08 06:17 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
    2008-03-08 06:17 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
    2008-03-08 06:17 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2008-03-08 06:17 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
    2008-03-08 06:17 . 2003-11-04 15:11 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
    2008-03-08 06:17 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
    2008-03-08 06:17 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2008-03-05 05:22 . 2008-03-05 05:22 <DIR> d-------- C:\Program Files\txtPro
    2008-03-05 05:10 . 2008-03-05 05:30 <DIR> d-------- C:\temp
    2008-03-02 02:13 . 2008-01-02 02:13 32 -ra------ C:\Documents and Settings\All Users\hash.dat
    2008-03-02 02:04 . 2008-03-02 02:13 <DIR> d-------- C:\Documents and Settings\chrzz\Application Data\yoclient
    2008-02-24 15:08 . 2008-02-24 15:08 <DIR> d-------- C:\Program Files\Cheetah Burner
    2008-02-24 15:08 . 2005-11-14 04:23 1,228,800 --a------ C:\WINDOWS\system32\FoxBurner.ocx
    2008-02-24 15:08 . 2003-12-17 15:00 1,208,320 --a------ C:\WINDOWS\system32\PTxSCP.ocx
    2008-02-24 15:08 . 2007-07-31 11:57 1,164,728 --a------ C:\WINDOWS\system32\NMSDVDXU.dll
    2008-02-24 15:08 . 2004-02-08 15:53 856,064 --a------ C:\WINDOWS\system32\mpgfiltr.ax
    2008-02-24 15:08 . 2005-01-18 23:44 454,656 --a------ C:\WINDOWS\system32\FoxDVDImager.ocx
    2008-02-24 15:08 . 2002-03-25 02:03 380,928 --a------ C:\WINDOWS\system32\CDRipperX.ocx
    2008-02-24 15:08 . 2005-01-18 23:18 323,584 --a------ C:\WINDOWS\system32\FoxImager.dll
    2008-02-24 15:08 . 2007-04-06 00:08 196,608 --a------ C:\WINDOWS\system32\VideoEdit.ocx
    2008-02-24 15:08 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
    2008-02-24 15:08 . 2003-08-19 04:31 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-16 21:22 --------- d-----w C:\Program Files\Warcraft III
    2008-03-16 13:55 --------- d-----w C:\Program Files\Steam
    2008-03-13 12:21 --------- d-----w C:\Program Files\mIRC
    2008-03-13 10:11 --------- d-----w C:\Documents and Settings\chrzz\Application Data\VoipStunt
    2008-03-09 10:58 --------- d-----w C:\Program Files\World of Warcraft
    2008-02-29 02:01 --------- d-----w C:\Program Files\WC3Banlist
    2008-02-27 20:15 --------- d-----w C:\Program Files\LimeWire
    2008-02-24 14:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-01 02:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
    2008-01-19 20:25 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-10-28 13:44 2 --shatr C:\WINDOWS\winstart.bat
    .
    C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
    401,408 2007-11-09 18:07:28 C:\WINDOWS\system32\dllcache\TCPIP.SYS
    401,408 2007-11-09 18:07:28 C:\WINDOWS\system32\drivers\TCPIP.SYS
    401,408 2007-11-09 18:07:28 C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL


    ------- Sigcheck -------

    2007-11-09 19:07 401408 a089e0c3b33487af4173c3749ed51e91 C:\WINDOWS\system32\dllcache\TCPIP.SYS
    2007-11-09 19:07 401408 a089e0c3b33487af4173c3749ed51e91 C:\WINDOWS\system32\drivers\TCPIP.SYS
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03 15360]
    "VoipStunt"="C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" [2007-07-11 15:22 7394608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Copperhead"="C:\Program Files\Razer\Copperhead\razerhid.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-21 04:42 577536 C:\WINDOWS\soundman.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
    "nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03 15360]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    --a------ 2007-04-02 09:35 327720 C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    --a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    --a------ 2007-02-08 23:56 295856 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
    --a------ 2007-02-08 23:53 74672 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-08-04 00:15 1667584 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
    C:\WINDOWS\system32\regscan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\server.exe]
    C:\WINDOWS\server.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    C:\Program Files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2007-11-30 16:22 1266936 c:\program files\steam\steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
    --a------ 2007-07-11 15:22 7394608 C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxMoniter]
    --a------ 2007-03-07 12:46 81920 C:\Program Files\WebcamMax\CAMTHINS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    C:\Program Files\Save\Save.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "AresChatServer"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "AntiVirService"=2 (0x2)
    "AntiVirScheduler"=2 (0x2)
    "aawservice"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\VoipStunt.com\\VoipStunt\\voipstunt.exe"=
    "C:\\Program Files\\uTorrent\\utorrent.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\MSN Gaming Zone\\Windows\\chkrzm.exe"=
    "C:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

    R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [2007-01-11 06:39]
    R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 23:50]
    R3 ADM851x;ADMtek ADM8513 USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851x.SYS [2002-04-04 10:14]
    S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys
    S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2006-08-24 09:06]
    S3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 09:54]
    S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 15:49]

    .
    Inhoud van de 'Gedeelde Taken' map
    "2008-03-14 17:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-17 12:23:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-03-17 12:25:01
    ComboFix-quarantined-files.txt 2008-03-17 11:24:39
    ComboFix2.txt 2008-03-16 23:14:12
    ComboFix3.txt 2007-11-09 18:19:35
    .
    2007-11-17 12:50:25 --- E O F ---

  • #2
    I'll have a look for you.
    Regards,
    Pimmerd



    • #3
      Open Notepad, then copy and paste the following (the bold text) into an empty window:

      Fcopy::
      C:\WINDOWS\system32\drivers\tcpip.sys|C:\WINDOWS\system32\dllcache\TCPIP.SYS

      Folder::
      C:\found.001
      C:\Program Files\Save

      File::
      C:\WINDOWS\system32\regscan.exe
      C:\WINDOWS\server.exe
      C:\WINDOWS\winstart.bat

      Registry::
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\server.exe]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

      Driver::
      Partizan


      Save this to your Desktop as CFScript.txt

      Drag CFScript.txt onto ComboFix.exe as shown in the example below:



      This will make ComboFix restart.
      Reboot if you are asked to,
      and post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
      Regards,
      Pimmerd

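An added example, not part of this thread and not ComboFix's own code, to illustrate what the Sigcheck section of the log is telling us: the drivers\ and dllcache\ copies of tcpip.sys carry the same MD5 yet both are flagged, so agreement between the two copies proves nothing on its own, and copying one over the other (the Fcopy:: step) cannot produce a clean file when both are already modified. The script below classifies a driver and its cache copy against a known-good hash; the known-good value is a placeholder you would take from a trusted source, and the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Placeholder (assumption): a vendor-published hash of the clean driver,
# obtained from a trusted catalogue, never from the machine being examined.
KNOWN_GOOD_MD5 = "<known-good md5 of clean tcpip.sys>"


def md5_of_file(path):
    """Stream a file through MD5 and return the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver(driver_path, cache_path, known_good_md5):
    """Classify the state of a driver and its dllcache copy.

    Returns one of:
      "missing"                 one of the two files does not exist
      "ok"                      driver matches the known-good hash
      "restore-from-cache"      driver modified, dllcache copy still clean
      "both-modified-identical" driver and dllcache copy match each other but
                                not the known-good hash (the state in the log:
                                copying one over the other changes nothing)
      "both-modified"           both differ from known-good and from each other
    """
    if not (os.path.isfile(driver_path) and os.path.isfile(cache_path)):
        return "missing"
    driver_md5 = md5_of_file(driver_path)
    cache_md5 = md5_of_file(cache_path)
    if driver_md5 == known_good_md5:
        return "ok"
    if cache_md5 == known_good_md5:
        return "restore-from-cache"
    if driver_md5 == cache_md5:
        return "both-modified-identical"
    return "both-modified"


def demo():
    """Constructed sample files reproducing the three interesting states.

    The bytes are made up here; a patched file is the same size as the clean
    one, which is why size and date alone (as in the log) do not reveal it.
    """
    clean = b"MZ" + b"\x00" * 62 + b"constructed clean driver body"
    patched = clean[:32] + b"XXXX" + clean[36:]   # same size, different bytes
    good_md5 = hashlib.md5(clean).hexdigest()     # stands in for KNOWN_GOOD_MD5
    scenarios = {
        "clean": (clean, clean),
        "driver-only": (patched, clean),
        "both-identical": (patched, patched),
    }
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (driver_bytes, cache_bytes) in scenarios.items():
            driver = os.path.join(tmp, name + "-drivers-tcpip.sys")
            cache = os.path.join(tmp, name + "-dllcache-tcpip.sys")
            with open(driver, "wb") as f:
                f.write(driver_bytes)
            with open(cache, "wb") as f:
                f.write(cache_bytes)
            verdicts[name] = check_driver(driver, cache, good_md5)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

The "both-modified-identical" verdict is the one that matters for this thread: when the on-disk driver and its protected cache copy agree with each other but not with a trusted reference, the only sound repair is a copy from a source outside the machine (installation media or a service pack package), not a copy between the two local files.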


      • #4
        Thanks for the reply.
        Here are the logs:

        ComboFix 08-03-14.4 - chrzz 2008-03-17 23:24:04.6 - NTFSx86
        Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.270 [GMT 1:00]
        Gestart vanuit: C:\Documents and Settings\chrzz\Bureaublad\ComboFix.exe
        Command switches used :: C:\Documents and Settings\chrzz\Bureaublad\CFScript.txt
        * Nieuw herstelpunt werd aangemaakt

        WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

        FILE ::
        C:\WINDOWS\server.exe
        C:\WINDOWS\system32\regscan.exe
        C:\WINDOWS\winstart.bat
        .

        (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        C:\found.001
        C:\found.001\file0000.chk
        C:\WINDOWS\winstart.bat

        .
        --------------- FCopy ---------------

        C:\WINDOWS\system32\drivers\tcpip.sys --> C:\WINDOWS\system32\dllcache\TCPIP.SYS
        .
        ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        -------\LEGACY_PARTIZAN
        -------\Partizan


        (((((((((((((((((((( Bestanden Gemaakt van 2008-02-17 to 2008-03-17 ))))))))))))))))))))))))))))))
        .

        2008-03-16 23:46 . 2008-03-16 23:46 <DIR> d-------- C:\Program Files\My-Proxy
        2008-03-16 23:44 . 2008-03-16 23:45 <DIR> d-------- C:\WINDOWS\vf_hip
        2008-03-16 23:44 . 2008-03-16 23:44 <DIR> d-------- C:\Program Files\Hide IP Platinum
        2008-03-16 20:36 . 2008-03-16 20:36 <DIR> d-------- C:\Program Files\Cedelia
        2008-03-16 14:17 . 2008-03-16 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
        2008-03-16 14:14 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
        2008-03-16 14:14 . 2008-03-17 23:29 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
        2008-03-16 14:14 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
        2008-03-16 14:13 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
        2008-03-13 12:47 . 2008-03-13 12:51 <DIR> d-------- C:\Program Files\xp-AntiSpy
        2008-03-08 06:17 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
        2008-03-08 06:17 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
        2008-03-08 06:17 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
        2008-03-08 06:17 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
        2008-03-08 06:17 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
        2008-03-08 06:17 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
        2008-03-08 06:17 . 2003-11-04 15:11 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
        2008-03-08 06:17 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
        2008-03-08 06:17 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
        2008-03-05 05:22 . 2008-03-05 05:22 <DIR> d-------- C:\Program Files\txtPro
        2008-03-05 05:10 . 2008-03-05 05:30 <DIR> d-------- C:\temp
        2008-03-02 02:13 . 2008-01-02 02:13 32 -ra------ C:\Documents and Settings\All Users\hash.dat
        2008-03-02 02:04 . 2008-03-02 02:13 <DIR> d-------- C:\Documents and Settings\chrzz\Application Data\yoclient
        2008-02-24 15:08 . 2008-02-24 15:08 <DIR> d-------- C:\Program Files\Cheetah Burner
        2008-02-24 15:08 . 2005-11-14 04:23 1,228,800 --a------ C:\WINDOWS\system32\FoxBurner.ocx
        2008-02-24 15:08 . 2003-12-17 15:00 1,208,320 --a------ C:\WINDOWS\system32\PTxSCP.ocx
        2008-02-24 15:08 . 2007-07-31 11:57 1,164,728 --a------ C:\WINDOWS\system32\NMSDVDXU.dll
        2008-02-24 15:08 . 2004-02-08 15:53 856,064 --a------ C:\WINDOWS\system32\mpgfiltr.ax
        2008-02-24 15:08 . 2005-01-18 23:44 454,656 --a------ C:\WINDOWS\system32\FoxDVDImager.ocx
        2008-02-24 15:08 . 2002-03-25 02:03 380,928 --a------ C:\WINDOWS\system32\CDRipperX.ocx
        2008-02-24 15:08 . 2005-01-18 23:18 323,584 --a------ C:\WINDOWS\system32\FoxImager.dll
        2008-02-24 15:08 . 2007-04-06 00:08 196,608 --a------ C:\WINDOWS\system32\VideoEdit.ocx
        2008-02-24 15:08 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
        2008-02-24 15:08 . 2003-08-19 04:31 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll

        .
        ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-03-17 21:59 --------- d-----w C:\Program Files\Warcraft III
        2008-03-17 17:05 --------- d-----w C:\Program Files\Steam
        2008-03-17 13:13 --------- d-----w C:\Program Files\mIRC
        2008-03-17 12:42 --------- d-----w C:\Documents and Settings\chrzz\Application Data\VoipStunt
        2008-03-09 10:58 --------- d-----w C:\Program Files\World of Warcraft
        2008-02-29 02:01 --------- d-----w C:\Program Files\WC3Banlist
        2008-02-27 20:15 --------- d-----w C:\Program Files\LimeWire
        2008-02-24 14:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
        2008-01-19 20:25 --------- d-----w C:\Program Files\Common Files\Adobe
        .
        C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
        401,408 2007-11-09 18:07:28 C:\WINDOWS\system32\dllcache\TCPIP.SYS
        401,408 2007-11-09 18:07:28 C:\WINDOWS\system32\drivers\TCPIP.SYS
        401,408 2007-11-09 18:07:28 C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL


        ------- Sigcheck -------

        2007-11-09 19:07 401408 a089e0c3b33487af4173c3749ed51e91 C:\WINDOWS\system32\dllcache\TCPIP.SYS
        2007-11-09 19:07 401408 a089e0c3b33487af4173c3749ed51e91 C:\WINDOWS\system32\drivers\TCPIP.SYS
        .
        ((((((((((((((((((((((((((((( [email protected]_ 0.13.22,39 )))))))))))))))))))))))))))))))))))))))))
        .
        + 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
        .
        ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        REGEDIT4
        *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
        "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03 15360]
        "VoipStunt"="C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" [2007-07-11 15:22 7394608]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Copperhead"="C:\Program Files\Razer\Copperhead\razerhid.exe" [ ]
        "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
        "SoundMan"="SOUNDMAN.EXE" [2006-06-21 04:42 577536 C:\WINDOWS\soundman.exe]
        "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
        "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
        "nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
        "NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03 15360]

        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
        path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.lnk
        backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
        path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
        backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
        C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
        --a------ 2007-04-02 09:35 327720 C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
        --a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
        --a------ 2007-02-08 23:56 295856 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
        --a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
        --a------ 2007-02-08 23:53 74672 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
        --------- 2004-08-04 00:15 1667584 C:\Program Files\Messenger\msmsgs.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        --a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
        C:\Program Files\Skype\Phone\Skype.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
        --a------ 2007-11-30 16:22 1266936 c:\program files\steam\steam.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
        --a------ 2007-07-11 15:22 7394608 C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxMoniter]
        --a------ 2007-03-07 12:46 81920 C:\Program Files\WebcamMax\CAMTHINS.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
        "ose"=3 (0x3)
        "odserv"=3 (0x3)
        "AresChatServer"=3 (0x3)
        "Apple Mobile Device"=2 (0x2)
        "AntiVirService"=2 (0x2)
        "AntiVirScheduler"=2 (0x2)
        "aawservice"=2 (0x2)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "C:\\Program Files\\VoipStunt.com\\VoipStunt\\voipstunt.exe"=
        "C:\\Program Files\\uTorrent\\utorrent.exe"=
        "C:\\Program Files\\LimeWire\\LimeWire.exe"=
        "C:\\Program Files\\MSN Gaming Zone\\Windows\\chkrzm.exe"=
        "C:\\Program Files\\World of Warcraft\\Launcher.exe"=
        "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

        R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [2007-01-11 06:39]
        R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 23:50]
        R3 ADM851x;ADMtek ADM8513 USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851x.SYS [2002-04-04 10:14]
        S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2006-08-24 09:06]
        S3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 09:54]
        S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 15:49]

        .
        Inhoud van de 'Gedeelde Taken' map
        "2008-03-14 17:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
        - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
        .
        **************************************************************************

        catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-03-17 23:29:35
        Windows 5.1.2600 Service Pack 2 NTFS

        scannen van verborgen processen ...

        scannen van verborgen autostart items ...

        scannen van verborgen bestanden ...

        Scan succesvol afgerond
        verborgen bestanden: 0

        **************************************************************************
        .
        ------------------------ Other Running Processes ------------------------
        .
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\WINDOWS\system32\RunDLL32.exe
        C:\WINDOWS\system32\imapi.exe
        .
        **************************************************************************
        .
        Voltooingstijd: 2008-03-17 23:32:13 - machine was rebooted
        ComboFix-quarantined-files.txt 2008-03-17 22:32:10
        ComboFix2.txt 2008-03-17 11:25:01
        ComboFix3.txt 2008-03-16 23:14:12
        ComboFix4.txt 2007-11-09 18:19:35
        .
        2007-11-17 12:50:25 --- E O F ---



        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 23:34:42, on 17/03/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\system32\lxczcoms.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\WINDOWS\SOUNDMAN.EXE
        C:\WINDOWS\system32\RunDLL32.exe
        C:\Program Files\MSN Messenger\MsnMsgr.Exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe
        C:\WINDOWS\system32\imapi.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\WINDOWS\explorer.exe
        C:\WINDOWS\system32\notepad.exe
        C:\Program Files\internet explorer\iexplore.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://breedband.telenet.be
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
        O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
        O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
        O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
        O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
        O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
        O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/SP.cab
        O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
        O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://www.earthcaller.com/VaxSIPUserAgentCAB.cab
        O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
        O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
        O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
        O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
        O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
        O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
        O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

        --
        End of file - 5412 bytes



        • #5
          bump



          • #6
            Please don't bump so quickly; I'll see your log automatically when I'm active again.

            The problem is that your TCPIP.sys is infected. In your case there is no legitimate version on your PC, so we need to get hold of another one. Do you happen to have a Windows CD-ROM?
            Regards,
            Pimmerd



            • #7
              Sorry for the bump, it's just very frustrating (YouTube video: BSOD, hidden .gif image on a site: BSOD, 5 minutes of Counter-Strike: BSOD, ..) and I want this solved as soon as possible :P And I'm in an institution that I have to go back to tomorrow until Friday, so that's why :P

              I do have a Windows CD-ROM, yes, but it has quite a lot of scratches on it :P



              • #8
                On the Windows CD there is a folder called I386. Locate it.
                Find the file TCPIP.sys there and copy it into the folder:
                C:\WINDOWS\SYSTEM32\DRIVERS

                Let me know whether it worked and then post a new ComboFix log.
                Regards,
                Pimmerd



                • #9
                  I tried this last night, but the file on the CD was called "TCPIP.SY_", so I copied that to the /system32/drivers folder and renamed it to tcpip.sys, and then rebooted. After that my internet no longer worked. So I replaced it again with the "tcpip.sys" from the dllcache folder, but that one is also infected. Then I tried downloading all sorts of versions of tcpip.sys from the internet and using those, but unfortunately ComboFix still says it is infected.

                  I now also get the following warning every time I scan with ComboFix:

                  I have already run CHKDSK several times, and the PC also does this by itself when I reboot; it says the disk needs to be checked. I've done that too, but the message keeps coming back. My PC has also become a lot slower. I'm afraid I'm going to have to format to be able to fix this...

                  Here is a new ComboFix log:

                  ComboFix 08-03-14.4 - chrzz 2008-03-19 12:23:01.9 - NTFSx86
                  Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.255 [GMT 1:00]
                  Gestart vanuit: C:\Documents and Settings\chrzz\Bureaublad\ComboFix.exe

                  WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
                  .

                  (((((((((((((((((((( Bestanden Gemaakt van 2008-02-19 to 2008-03-19 ))))))))))))))))))))))))))))))
                  .

                  2008-03-19 03:12 . 2008-03-19 03:12 401,408 --a--c--- C:\WINDOWS\system32\dllcache\TCPIP.SYS
                  2008-03-19 02:35 . 2008-03-19 02:35 <DIR> d-------- C:\Program Files\WinISO
                  2008-03-19 01:41 . 2008-03-19 03:12 401,408 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
                  2008-03-16 23:46 . 2008-03-16 23:46 <DIR> d-------- C:\Program Files\My-Proxy
                  2008-03-16 23:44 . 2008-03-16 23:45 <DIR> d-------- C:\WINDOWS\vf_hip
                  2008-03-16 23:44 . 2008-03-16 23:44 <DIR> d-------- C:\Program Files\Hide IP Platinum
                  2008-03-16 20:36 . 2008-03-16 20:36 <DIR> d-------- C:\Program Files\Cedelia
                  2008-03-16 14:17 . 2008-03-16 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
                  2008-03-16 14:14 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
                  2008-03-16 14:14 . 2008-03-19 12:11 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
                  2008-03-16 14:14 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
                  2008-03-16 14:13 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
                  2008-03-13 12:47 . 2008-03-13 12:51 <DIR> d-------- C:\Program Files\xp-AntiSpy
                  2008-03-08 06:17 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
                  2008-03-08 06:17 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
                  2008-03-08 06:17 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
                  2008-03-08 06:17 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
                  2008-03-08 06:17 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
                  2008-03-08 06:17 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
                  2008-03-08 06:17 . 2003-11-04 15:11 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
                  2008-03-08 06:17 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
                  2008-03-08 06:17 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
                  2008-03-05 05:22 . 2008-03-05 05:22 <DIR> d-------- C:\Program Files\txtPro
                  2008-03-05 05:10 . 2008-03-05 05:30 <DIR> d-------- C:\temp
                  2008-03-02 02:13 . 2008-01-02 02:13 32 -ra------ C:\Documents and Settings\All Users\hash.dat
                  2008-03-02 02:04 . 2008-03-02 02:13 <DIR> d-------- C:\Documents and Settings\chrzz\Application Data\yoclient
                  2008-02-24 15:08 . 2008-02-24 15:08 <DIR> d-------- C:\Program Files\Cheetah Burner
                  2008-02-24 15:08 . 2005-11-14 04:23 1,228,800 --a------ C:\WINDOWS\system32\FoxBurner.ocx
                  2008-02-24 15:08 . 2003-12-17 15:00 1,208,320 --a------ C:\WINDOWS\system32\PTxSCP.ocx
                  2008-02-24 15:08 . 2007-07-31 11:57 1,164,728 --a------ C:\WINDOWS\system32\NMSDVDXU.dll
                  2008-02-24 15:08 . 2004-02-08 15:53 856,064 --a------ C:\WINDOWS\system32\mpgfiltr.ax
                  2008-02-24 15:08 . 2005-01-18 23:44 454,656 --a------ C:\WINDOWS\system32\FoxDVDImager.ocx
                  2008-02-24 15:08 . 2002-03-25 02:03 380,928 --a------ C:\WINDOWS\system32\CDRipperX.ocx
                  2008-02-24 15:08 . 2005-01-18 23:18 323,584 --a------ C:\WINDOWS\system32\FoxImager.dll
                  2008-02-24 15:08 . 2007-04-06 00:08 196,608 --a------ C:\WINDOWS\system32\VideoEdit.ocx
                  2008-02-24 15:08 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
                  2008-02-24 15:08 . 2003-08-19 04:31 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll

                  .
                  ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2008-03-19 03:23 --------- d-----w C:\Program Files\Warcraft III
                  2008-03-17 17:05 --------- d-----w C:\Program Files\Steam
                  2008-03-17 13:13 --------- d-----w C:\Program Files\mIRC
                  2008-03-17 12:42 --------- d-----w C:\Documents and Settings\chrzz\Application Data\VoipStunt
                  2008-03-09 10:58 --------- d-----w C:\Program Files\World of Warcraft
                  2008-02-29 02:01 --------- d-----w C:\Program Files\WC3Banlist
                  2008-02-27 20:15 --------- d-----w C:\Program Files\LimeWire
                  2008-02-24 14:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
                  2008-02-01 02:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
                  2008-01-19 20:25 --------- d-----w C:\Program Files\Common Files\Adobe
                  .
                  C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
                  401,408 2008-03-19 02:12:29 C:\WINDOWS\system32\dllcache\TCPIP.SYS
                  401,408 2008-03-19 02:12:29 C:\WINDOWS\system32\drivers\TCPIP.SYS


                  ------- Sigcheck -------

                  2008-03-19 03:12 401408 4ee94d29d4688e21209e56e0312dbf04 C:\WINDOWS\system32\dllcache\TCPIP.SYS
                  2008-03-19 03:12 401408 4ee94d29d4688e21209e56e0312dbf04 C:\WINDOWS\system32\drivers\TCPIP.SYS
                  .
                  ((((((((((((((((((((((((((((( [email protected]_ 0.13.22,39 )))))))))))))))))))))))))))))))))))))))))
                  .
                  + 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
                  + 2007-08-08 15:34:33 205,384 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1043.dat
                  + 2007-08-08 15:34:33 205,384 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1043.dat.bak
                  .
                  ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  REGEDIT4
                  *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
                  "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03 15360]
                  "VoipStunt"="C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" [2007-07-11 15:22 7394608]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Copperhead"="C:\Program Files\Razer\Copperhead\razerhid.exe" [ ]
                  "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
                  "SoundMan"="SOUNDMAN.EXE" [2006-06-21 04:42 577536 C:\WINDOWS\soundman.exe]
                  "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
                  "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
                  "nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
                  "NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]

                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03 15360]

                  [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
                  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.lnk
                  backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

                  [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
                  path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
                  backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
                  C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
                  --a------ 2007-04-02 09:35 327720 C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
                  --a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
                  --a------ 2007-02-08 23:56 295856 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                  --a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
                  --a------ 2007-02-08 23:53 74672 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
                  --------- 2004-08-04 00:15 1667584 C:\Program Files\Messenger\msmsgs.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                  --a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
                  C:\Program Files\Skype\Phone\Skype.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
                  --a------ 2007-11-30 16:22 1266936 c:\program files\steam\steam.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
                  --a------ 2007-07-11 15:22 7394608 C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxMoniter]
                  --a------ 2007-03-07 12:46 81920 C:\Program Files\WebcamMax\CAMTHINS.exe

                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                  "ose"=3 (0x3)
                  "odserv"=3 (0x3)
                  "AresChatServer"=3 (0x3)
                  "Apple Mobile Device"=2 (0x2)
                  "AntiVirService"=2 (0x2)
                  "AntiVirScheduler"=2 (0x2)
                  "aawservice"=2 (0x2)

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                  "EnableFirewall"= 0 (0x0)

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "C:\\Program Files\\VoipStunt.com\\VoipStunt\\voipstunt.exe"=
                  "C:\\Program Files\\uTorrent\\utorrent.exe"=
                  "C:\\Program Files\\LimeWire\\LimeWire.exe"=
                  "C:\\Program Files\\MSN Gaming Zone\\Windows\\chkrzm.exe"=
                  "C:\\Program Files\\World of Warcraft\\Launcher.exe"=
                  "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

                  R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [2007-01-11 06:39]
                  R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 23:50]
                  R3 ADM851x;ADMtek ADM8513 USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851x.SYS [2002-04-04 10:14]
                  S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2006-08-24 09:06]
                  S3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 09:54]
                  S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 15:49]

                  .
                  Inhoud van de 'Gedeelde Taken' map
                  "2008-03-14 17:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
                  - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
                  .
                  **************************************************************************

                  catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2008-03-19 12:25:28
                  Windows 5.1.2600 Service Pack 2 NTFS

                  scannen van verborgen processen ...

                  scannen van verborgen autostart items ...

                  scannen van verborgen bestanden ...

                  Scan succesvol afgerond
                  verborgen bestanden: 0

                  **************************************************************************
                  .
                  Voltooingstijd: 2008-03-19 12:26:44
                  ComboFix-quarantined-files.txt 2008-03-19 11:26:28
                  ComboFix2.txt 2008-03-19 02:22:40
                  ComboFix3.txt 2008-03-19 00:49:04
                  ComboFix4.txt 2008-03-17 22:32:14
                  ComboFix5.txt 2008-03-17 11:25:01
                  .
                  2007-11-17 12:50:25 --- E O F ---

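The Sigcheck section of the log above reports the same MD5 for both the dllcache copy and the drivers copy of TCPIP.SYS, which is exactly the case in which Windows File Protection cannot repair the file from its own cache and a clean copy has to come from install media (on the CD it is stored compressed as TCPIP.SY_, which `expand.exe` unpacks; a plain rename does not decompress it). The script below is an added example written for this thread, not code from ComboFix or from the forum; it parses Sigcheck lines and classifies each file by comparing all of its copies against an analyst-supplied reference MD5. The function names `parse_sigcheck` and `assess` are the example's own, `PLACEHOLDER_GOOD_MD5` is a placeholder rather than a real reference hash (the genuine value depends on the exact XP service pack and hotfix level and the thread does not give one), and the `CONSTRUCTED_PARTIAL` scenario is constructed to show the case the thread does not have, where the cache copy is still good.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# A ComboFix "Sigcheck" line has the form: <date> <time> <size> <md5> <path>
SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<md5>[0-9a-fA-F]{32}) (?P<path>\S.*)$"
)

# The two Sigcheck lines as they appear in the ComboFix log posted in this thread.
SAMPLE_SIGCHECK = [
    r"2008-03-19 03:12 401408 4ee94d29d4688e21209e56e0312dbf04 C:\WINDOWS\system32\dllcache\TCPIP.SYS",
    r"2008-03-19 03:12 401408 4ee94d29d4688e21209e56e0312dbf04 C:\WINDOWS\system32\drivers\TCPIP.SYS",
]

# PLACEHOLDER: not a real reference hash. Take the genuine value for your exact
# service pack and hotfix level from a trusted catalog or pristine install media.
PLACEHOLDER_GOOD_MD5 = "00000000000000000000000000000000"

# Constructed scenario (not from the thread): the dllcache copy still matches the
# reference and only the live driver differs, so File Protection could restore it.
CONSTRUCTED_PARTIAL = [
    rf"2008-03-19 03:12 401408 {PLACEHOLDER_GOOD_MD5} C:\WINDOWS\system32\dllcache\TCPIP.SYS",
    r"2008-03-19 03:12 401408 4ee94d29d4688e21209e56e0312dbf04 C:\WINDOWS\system32\drivers\TCPIP.SYS",
]


class SigcheckEntry(NamedTuple):
    date: str
    time: str
    size: int
    md5: str
    path: str


def parse_sigcheck(lines: Iterable[str]) -> List[SigcheckEntry]:
    """Parse Sigcheck lines; anything that does not match the format is skipped."""
    entries = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(m["date"], m["time"], int(m["size"]),
                                         m["md5"].lower(), m["path"]))
    return entries


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(entries: Iterable[SigcheckEntry], reference: Dict[str, str]) -> Dict[str, str]:
    """Classify each file name by comparing all of its copies with a reference MD5.

    clean         every copy matches the reference
    partial       some copy matches, so the bad copies can be restored from it
    no_good_copy  no copy matches; a clean file must come from install media
    unknown       no reference hash was supplied for this file name
    """
    by_name: Dict[str, List[SigcheckEntry]] = defaultdict(list)
    for entry in entries:
        by_name[basename(entry.path)].append(entry)

    verdicts = {}
    for name, copies in by_name.items():
        ref = reference.get(name)
        if ref is None:
            verdicts[name] = "unknown"
            continue
        matches = [copy.md5 == ref.lower() for copy in copies]
        if all(matches):
            verdicts[name] = "clean"
        elif any(matches):
            verdicts[name] = "partial"
        else:
            verdicts[name] = "no_good_copy"
    return verdicts


if __name__ == "__main__":
    ref = {"tcpip.sys": PLACEHOLDER_GOOD_MD5}
    print("thread log:", assess(parse_sigcheck(SAMPLE_SIGCHECK), ref))
    print("constructed:", assess(parse_sigcheck(CONSTRUCTED_PARTIAL), ref))
```

The verdict for the thread's own lines is `no_good_copy`: both copies share one hash that is not the reference, so there is nothing on the machine to restore from, which is the situation the helper describes when asking for the Windows CD. A `partial` verdict would instead mean the cache copy is intact and the live driver alone was replaced.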


                  • #10
                    I'm afraid your hard disk has failed, given that it also reports that it can no longer read some files properly and wants to run a chkdsk. Sudden slowness is also caused by a broken hard disk.

                    Still, to be sure, I'd like to offer this scan once more:

                    Go to Kaspersky Online Scanner and click Accept at the bottom.
                    This scanner works only with Internet Explorer 6 and higher!!
                    You may have to click a yellow bar at the top of your screen to download the ActiveX files that Kaspersky needs in order to scan. Allow this.
                    • The program now starts downloading the latest definition files. After that, click Next.
                    • Next, click the Scan Settings button.
                      Under the text Scan using the following antivirus database: choose the second option: extended - protect your .....
                      Under the text Scan options: tick the two boxes: Scan Archives .... and Scan Mail Bases ....
                    • Then click the OK button.
                    • Now start the scan by clicking the text My Computer.
                      Bear in mind that this scan takes a while.
                    • Once the scan is complete you will get the opportunity to save the scan report.
                      Click the Save Report As button. Save the report on your Desktop under the name kavscan.txt

                    Post this report in your next message.
                    Regards,
                    Pimmerd

