Not a valid Win32 application

  • Not a valid Win32 application

    Dear helpers,

    AVG unexpectedly gave the message "Geen geldige Win32-toepassing" ("not a valid Win32 application").

    So I started following your checklist. Ad-Aware is running by now, but Spybot and, for that matter, HijackThis also give the message "Geen geldige Win32-toepassing". I have also noticed that I cannot boot [Windows XP Pro] into Safe Mode with F8, nor tick safe-boot via msconfig > boot.ini (blanked out).

    How do I proceed?

    Kind regards, Peter

  • #2
    Go to this page: http://www.zonavirus.com/datos/desca...5/elibagla.asp
    At the very bottom, click the button "Descargar ELIBAGLA 11.21".
    Save this file (EliBaglA.exe) to your desktop.
    Double-click it to start the program.
    Check that next to Unidad it says: C:\
    At the bottom, make sure that "Eliminar Ficheros Automaticamente" is ticked.
    Now click the "Explorar" button to have the tool scan.

    Post the contents of the file C:\InfoSat.txt
    Then click the "Salir" button to close the program.



    • #3
      InfoSat.txt

      Here it is:

      Fri Apr 04 15:51:16 2008
      EliBagle v11.21 (c)2008 S.G.H. / Satinfo S.L.
      ----------------------------------------------
      Lista de Acciones (por Acción Directa):
      C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
      Por favor, envienos una muestra del fichero
      C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.21
      a "[email protected]". Gracias.
      C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle Acceso Denegado.
      Restaurada Clave: "SafeBoot\Minimal y Network"
      Reinicie para Completar la Limpieza.

      Fri Apr 04 15:52:42 2008
      EliBagle v11.21 (c)2008 S.G.H. / Satinfo S.L.
      ----------------------------------------------
      Lista de Acciones (por Exploración):
      Explorando Unidad C:\

      Nº Total de Directorios: 15762
      Nº Total de Ficheros: 159323
      Nº de Ficheros Analizados: 19415
      Nº de Ficheros Infectados: 0
      Nº de Ficheros Limpiados: 0

      Regards, Peter



      • #4
        Restart the computer; if all goes well, the tool will run once more after the restart.
        Then post the tool's new log.
        If the tool does not start after the restart, run it yourself once more.



        • #5
          InfoSat.txt II

          Dear Smeenk,

          The second output:


          Fri Apr 04 15:51:16 2008
          EliBagle v11.21 (c)2008 S.G.H. / Satinfo S.L.
          ----------------------------------------------
          Lista de Acciones (por Acción Directa):
          C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
          Por favor, envienos una muestra del fichero
          C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.21
          a "[email protected]". Gracias.
          C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle Acceso Denegado.
          Restaurada Clave: "SafeBoot\Minimal y Network"
          Reinicie para Completar la Limpieza.

          Fri Apr 04 15:52:42 2008
          EliBagle v11.21 (c)2008 S.G.H. / Satinfo S.L.
          ----------------------------------------------
          Lista de Acciones (por Exploración):
          Explorando Unidad C:\

          Nº Total de Directorios: 15762
          Nº Total de Ficheros: 159323
          Nº de Ficheros Analizados: 19415
          Nº de Ficheros Infectados: 0
          Nº de Ficheros Limpiados: 0

          Fri Apr 04 18:44:35 2008
          EliBagle v11.21 (c)2008 S.G.H. / Satinfo S.L.
          ----------------------------------------------
          Lista de Acciones (por Acción Directa):
          C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.
          Por favor, envienos una muestra del fichero
          C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.21
          a "[email protected]". Gracias.
          C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle Acceso Denegado.
          Reinicie para Completar la Limpieza.

          Fri Apr 04 18:44:42 2008
          EliBagle v11.21 (c)2008 S.G.H. / Satinfo S.L.
          ----------------------------------------------
          Lista de Acciones (por Exploración):
          Explorando Unidad C:\

          Nº Total de Directorios: 15750
          Nº Total de Ficheros: 157877
          Nº de Ficheros Analizados: 19416
          Nº de Ficheros Infectados: 0
          Nº de Ficheros Limpiados: 0

          Regards, Peter



          • #6
            Download Combofix.exe to your desktop.
            NOTE: when saving, rename it to Combo-Fix.exe and save it to your desktop.

            Then double-click Combo-Fix.exe and accept the warning; the computer will be scanned.
            Post the log that is created after a few minutes.



            • #7
              log.txt

              Hello Smeenk,

              This is the log text from Combofix. By the way, EliBagle started up along with the system 2 more times.

              Regards, Peter

              ComboFix 08-04-03.5 - Administrator 2008-04-04 23:17:21.4 - NTFSx86
              Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.1216 [GMT 2:00]
              Gestart vanuit: C:\Documents and Settings\Administrator\Bureaublad\Combo-Fix.exe
              * Nieuw herstelpunt werd aangemaakt

              WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
              .

              (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              C:\WINDOWS\system32\drivers\down
              C:\WINDOWS\system32\drivers\hldrrr.exe
              C:\WINDOWS\system32\drivers\srosa.sys

              .
              ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              -------\Legacy_SROSA


              (((((((((((((((((((( Bestanden Gemaakt van 2008-03-04 to 2008-04-04 ))))))))))))))))))))))))))))))
              .

              2008-04-04 17:53 . 2008-04-04 22:31 <DIR> dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
              2008-04-04 15:51 . 2008-04-04 15:51 <DIR> d-------- C:\Muestras
              2008-04-04 15:08 . 2008-04-04 15:08 <DIR> d-------- C:\Program Files\Trend Micro
              2008-04-03 17:31 . 2006-10-11 04:04 688,128 --a------ C:\WINDOWS\system32\drivers\mdelk.exe
              2008-04-03 17:30 . 2008-04-03 17:32 <DIR> d-------- C:\WINDOWS\system32\drivers\downld
              2008-04-03 17:30 . 2006-10-11 04:04 688,128 --a------ C:\Temp\TPSMain.exe
              2008-04-03 17:14 . 2008-04-03 17:41 <DIR> d-------- C:\Program Files\Ucalc
              2008-04-03 17:14 . 1997-06-04 04:00 89,600 --a------ C:\WINDOWS\system32\GRID32.OCX
              2008-04-03 17:13 . 2008-04-03 17:13 <DIR> d-------- C:\Temp\install
              2008-04-03 17:06 . 2008-04-03 17:06 <DIR> d-------- C:\Temp\wz18b8
              2008-04-03 17:03 . 2008-04-03 17:03 <DIR> d-------- C:\Program Files\Rockwool BestekService 2007
              2008-04-03 16:54 . 2008-04-03 17:06 <DIR> d-------- C:\Program Files\Rockwool
              2008-04-02 22:55 . 2008-04-02 22:55 <DIR> d-------- C:\Program Files\Smith Micro
              2008-04-01 19:39 . 2008-04-01 19:39 268 --ah----- C:\sqmdata00.sqm
              2008-04-01 19:39 . 2008-04-01 19:39 244 --ah----- C:\sqmnoopt00.sqm
              2008-04-01 19:39 . 2008-04-01 19:39 172 --ah----- C:\sqmnoopt01.sqm
              2008-04-01 19:39 . 2008-04-01 19:39 172 --ah----- C:\sqmdata01.sqm
              2008-04-01 11:55 . 2008-04-01 12:42 <DIR> d-------- C:\Program Files\EPB-software Vlaanderen 1.1
              2008-03-31 22:27 . 2008-03-31 22:27 32 --a------ C:\WINDOWS\termical.INI
              2008-03-31 21:58 . 2004-08-12 16:56 926,904 --------- C:\WINDOWS\system32\TList7.ocx
              2008-03-31 21:57 . 2008-03-31 22:06 <DIR> d-------- C:\Program Files\BuildDesk NL 3.3
              2008-03-31 21:50 . 2008-03-31 22:25 <DIR> d-------- C:\Program Files\Termical
              2008-03-31 21:45 . 2008-03-31 21:45 <DIR> d-------- C:\Program Files\Renocal
              2008-03-31 21:45 . 2008-03-31 21:45 32 --a------ C:\WINDOWS\rc_setup.INI
              2008-03-27 22:36 . 2008-03-27 22:36 <DIR> d-------- C:\Temp\abfg_sample
              2008-03-24 15:15 . 2008-03-24 15:15 <DIR> d-------- C:\apachefriends
              2008-03-23 15:59 . 2008-03-23 16:00 <DIR> d-------- C:\Temp\blindscanner
              2008-03-23 00:07 . 2008-03-23 00:07 <DIR> d-------- C:\Program Files\Scanitto
              2008-03-23 00:07 . 2008-03-23 15:57 <DIR> d-------- C:\Program Files\BlindScanner Pro
              2008-03-23 00:07 . 2005-08-11 13:46 270,336 --a------ C:\WINDOWS\system32\EZTiff.dll
              2008-03-23 00:07 . 2005-08-11 14:23 212,992 --a------ C:\WINDOWS\system32\Eztwain3.dll
              2008-03-23 00:07 . 2005-08-09 02:33 151,552 --a------ C:\WINDOWS\system32\EZPng.dll
              2008-03-23 00:07 . 2005-08-09 02:30 118,784 --a------ C:\WINDOWS\system32\EZGif.dll
              2008-03-23 00:07 . 2005-08-11 13:46 106,496 --a------ C:\WINDOWS\system32\EZJpeg.dll
              2008-03-23 00:07 . 2005-08-11 13:46 49,152 --a------ C:\WINDOWS\system32\EZPdf.dll
              2008-03-21 19:40 . 2008-03-24 14:35 <DIR> d-------- C:\Temp\geobase
              2008-03-21 17:21 . 2008-03-21 17:22 <DIR> d-------- C:\Temp\ap_ver7_upgrade
              2008-03-21 17:20 . 2008-03-21 17:20 <DIR> d-------- C:\Temp\ap_ver8_upgrade
              2008-03-21 17:01 . 2008-03-24 19:02 <DIR> d-------- C:\Temp\Adpeeps
              2008-03-21 15:02 . 2008-03-25 21:47 <DIR> d-------- C:\Temp\cmsmadesimple-1.2.3
              2008-03-21 14:43 . 2008-03-21 14:43 <DIR> d-------- C:\Program Files\FileZilla FTP Client
              2008-03-21 14:43 . 2008-03-30 02:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FileZilla
              2008-03-19 14:24 . 2008-04-01 22:23 <DIR> d-------- C:\Program Files\FreeCommander
              2008-03-16 00:28 . 2008-03-16 00:29 973,588 --a------ C:\Temp\nl_NL.zip

              .
              ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2008-04-03 19:13 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
              2008-04-03 15:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
              2008-04-03 15:28 --------- d-----w C:\Program Files\eMule
              2008-03-31 19:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
              2008-03-27 16:31 --------- d-----w C:\Program Files\Wings
              2008-03-25 20:21 --------- d-----w C:\Program Files\eclipse
              2008-03-22 22:47 --------- d-----w C:\Program Files\Tools&Utils
              2008-03-21 08:35 --------- d-----w C:\Program Files\Java
              2008-03-13 22:50 --------- d-----w C:\Program Files\Common Files\Adobe
              2008-03-03 21:42 --------- d-----w C:\Program Files\MSN Messenger
              2008-03-03 20:58 --------- d-----w C:\Program Files\Windows Live
              2008-03-03 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
              2008-03-03 20:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
              2008-03-02 13:47 --------- d-----w C:\Program Files\CrossLoop
              2008-03-02 13:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\MiKTeX
              2008-03-02 13:01 --------- d-----w C:\Program Files\MiKTeX 2.7
              2008-03-02 12:43 --------- d-----w C:\Program Files\TeXnicCenter
              2008-02-28 23:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\RagTime
              2008-02-26 20:51 --------- d-----w C:\Program Files\RagTime 6
              2008-02-26 20:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\RagTime
              2008-02-25 20:34 --------- d-----w C:\Program Files\JFritz
              2008-02-25 20:30 --------- d-----w C:\Program Files\Common Files\Java
              2008-02-25 11:29 --------- d-----w C:\Program Files\Monkey's Audio
              2008-02-25 11:28 --------- d-----w C:\Program Files\Winamp
              2008-02-24 20:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\JLC's Software
              2008-02-21 17:53 --------- d-----w C:\Program Files\JLC's Software
              2008-02-18 17:18 --------- d-----w C:\Program Files\WinPcap
              2008-02-12 21:12 --------- d-----w C:\Program Files\Google
              2008-02-11 20:31 --------- d-----w C:\Program Files\MsnSniffer
              2008-02-11 20:26 --------- d-----w C:\Program Files\EtherDetect
              2007-02-09 13:42 3,584 ----a-w C:\Documents and Settings\Peter\netcache.dat
              2007-02-07 18:28 64,512 ---ha-w C:\Documents and Settings\Administrator\Application Data\rbap450.dll
              2007-02-07 18:28 45,568 ---ha-w C:\Documents and Settings\Administrator\Application Data\plugin.dll
              2007-02-07 18:28 103,424 ---ha-w C:\Documents and Settings\Administrator\Application Data\NUBZWTP.DLL
              .

              ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              REGEDIT4
              *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
              @={30351346-7B7D-4FCC-81B4-1E394CA267EB}

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
              @={30351347-7B7D-4FCC-81B4-1E394CA267EB}

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
              @={30351348-7B7D-4FCC-81B4-1E394CA267EB}

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
              @={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
              @={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
              @={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
              @={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

              [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
              2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

              [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
              2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

              [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
              2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

              [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
              2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

              [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
              2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

              [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
              2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

              [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
              2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]
              "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2006-03-14 15:33 86016]
              "type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 10:51 172032]
              "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
              "TPSMain"="TPSMain.exe" [2004-06-28 14:55 266240 C:\WINDOWS\system32\TPSMain.exe]
              "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 17:32 761945]
              "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 10:03 144384]
              "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
              "RTHDCPL"="RTHDCPL.EXE" [2006-01-11 18:23 15961088 C:\WINDOWS\RTHDCPL.exe]
              "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
              "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-30 18:49 282624]
              "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-01-19 09:43 86016]
              "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 09:43 7397376]
              "Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [2003-01-03 15:45 425984]
              "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
              "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 11:39 225280]
              "LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 16:55 73728]
              "LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 19:22 262144]
              "LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 16:47 331776]
              "LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 11:45 241664]
              "LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2006-02-21 10:46 69632]
              "LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 14:36 32768]
              "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 10:50 204800]
              "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-01-26 19:03 155648]
              "HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 12:00 53248]
              "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-26 19:03 118784]
              "Gtz"="C:\Program Files\Postbank\Girotel Zakelijk 5.0\Gtz.exe" [2006-02-28 13:51 3550048]
              "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-13 11:00 1838592]
              "DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2005-01-13 01:00 126976]
              "CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 15:28 20480]
              "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 10:03 110592 C:\WINDOWS\system32\bthprops.cpl]
              "AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 20:51 53248]
              "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-04 23:19 579072]
              "AGRSMMSG"="AGRSMMSG.exe" [2005-09-09 12:20 88203 C:\WINDOWS\AGRSMMSG.exe]
              "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
              "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-22 16:09 63712]
              "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
              "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
              "00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-08-11 12:33 253952]
              "000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]

              [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
              "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:03 15360]
              "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-04 23:17 219136]

              C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\
              Adobe Acrobat Snelle start.lnk - C:\WINDOWS\Installer\{AC76BA86-1030-D700-7760-100000000002}\SC_Acrobat.exe [2007-03-27 22:10:13 25214]
              Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
              Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32 618557]
              RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-04-08 13:35:48 155648]
              TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-03-02 17:11:38 106496]
              WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-06-26 22:33:14 389120]

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
              "NoViewOnDrive"= 0 (0x0)
              "NoLogoff"= 0 (0x0)

              [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
              Source= D:\Data\Mijn documenten\Mijn afbeeldingen\Plaatjes\Trias Energetica.jpg
              FriendlyName=

              [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
              Source= D:\Data\Mijn documenten\Mijn webs\OilPrice\oil_price.htm
              FriendlyName=

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
              "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
              "VIDC.I420"= lvcodec2.dll
              "MSVideo8"= VfWWDM32.dll
              "MSVideo"= vfwwdm32.dll
              "vidc.ffds"= ffdshow.ax
              "VIDC.WMV3"= wmv9vcm.dll

              [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
              Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
              @="Driver"

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
              @="Driver"

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
              "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
              "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
              "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
              "C:\\Program Files\\eMule\\emule.exe"=
              "C:\\Program Files\\PuTTY\\putty.exe"=
              "C:\\Program Files\\Hewlett-Packard\\HP Designjet System Maintenance\\hp_dj_sme.exe"=
              "C:\\Program Files\\Mamut\\Mamut.exe"=
              "C:\\Program Files\\Java\\jre1.6.0_03\\launch4j-tmp\\jfritz.exe"=
              "C:\\xampp\\mysql\\bin\\mysqld.exe"=
              "C:\\xampp\\apache\\bin\\apache.exe"=
              "C:\\Program Files\\WinSCP3\\WinSCP.exe"=
              "C:\\Program Files\\RagTime 6\\Win32\\RagTime 6.exe"=
              "C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
              "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
              "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
              "C:\\WINDOWS\\system32\\javaw.exe"=

              R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 12:27]
              R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2004-03-12 01:00]
              R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 17:57]
              R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 17:57]
              R2 ISPMonitorSrv;ISP Monitor;C:\Program Files\ISP Monitor\ISPMonitorSrv.exe [2007-06-12 23:41]
              R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
              R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 13:20]
              R3 msloop;Stuurprogramma voor Microsoft Loopback-adapter;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 22:53]
              S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys
              S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys
              S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys
              S2 HPW5ECP;HPW5ECP;C:\WINDOWS\system32\drivers\HPW5ECP.SYS [1999-12-17 11:08]
              S2 SAUSBFW;PQI USB Card Reader/Writer Device Driver;C:\WINDOWS\system32\Drivers\sausbi.sys [2000-11-06 15:17]
              S2 SAUSBHW;PQI USB Card Reader/Writer Firmware Loader;C:\WINDOWS\system32\Drivers\saldr.sys [2000-11-01 13:57]
              S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys [2005-02-22 01:00]
              S3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-06-23 11:40]
              S3 psdfilter;psdfilter;C:\WINDOWS\system32\Drivers\psdfilter.sys
              S3 psdvdisk;psdvdisk;C:\WINDOWS\system32\Drivers\psdvdisk.sys


              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}]
              rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\fpxpress.inf,PerUserstub
              .
              Inhoud van de 'Gedeelde Taken' map
              "2008-04-04 21:30:06 C:\WINDOWS\Tasks\User_Feed_Synchronization-{F4302D23-CC0E-408B-8460-1262DB67A0EE}.job"
              - C:\WINDOWS\system32\msfeedssync.exe
              .
              **************************************************************************

              catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2008-04-04 23:26:48
              Windows 5.1.2600 Service Pack 2 NTFS

              scannen van verborgen processen ...

              scannen van verborgen autostart items ...

              scannen van verborgen bestanden ...

              Scan succesvol afgerond
              verborgen bestanden: 0

              **************************************************************************
              .
              --------------------- DLLs Geladen Onder Lopende Processen ---------------------

              PROCESS: C:\WINDOWS\explorer.exe
              -> C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
              -> C:\Program Files\TortoiseSVN\iconv\windows-1252.so
              -> C:\Program Files\TortoiseSVN\iconv\utf-8.so
              -> ?:\WINDOWS\System32\msutb.dll
              -> ?:\WINDOWS\System32\msutb.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
              C:\Program Files\Bonjour\mDNSResponder.exe
              C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
              C:\WINDOWS\System32\DVDRAMSV.exe
              C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
              C:\WINDOWS\system32\nvsvc32.exe
              C:\WINDOWS\system32\Tablet.exe
              c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
              C:\Program Files\Canon\CAL\CALMAIN.exe
              C:\WINDOWS\system32\RUNDLL32.EXE
              C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
              C:\WINDOWS\system32\rundll32.exe
              C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
              C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
              C:\WINDOWS\system32\msiexec.exe
              .
              **************************************************************************
              .
              Voltooingstijd: 2008-04-04 23:34:02 - machine was rebooted
              ComboFix-quarantined-files.txt 2008-04-04 21:33:54
              Pre-Run: 4,393,381,888 bytes beschikbaar
              Post-Run: 4,374,736,896 bytes beschikbaar
              .
              2008-03-12 11:03:14 --- E O F ---



              • #8
                Open Notepad, then copy and paste the following (the bold text) into an empty window:

                Folder::
                C:\WINDOWS\system32\drivers\downld
                C:\Temp\wz18b8

                File::
                C:\WINDOWS\system32\drivers\mdelk.exe
                C:\Temp\TPSMain.exe


                Save this to your desktop as CFScript.txt

                Drag CFScript.txt onto ComboFix.exe as shown in the example below:

                This will make ComboFix restart.
                Reboot if asked to,
                and post the contents of Combofix.txt in your next reply.

                Any problems left?



                • #9
                  log.txt II

                  Dear Smeenk, still at it this late!

                  Here is the next log. You ask: "any problems left?". EliBagle is behaving; the error message "Geen geldige Win32-toepassing" still appears.

                  Regards, Peter

                  ComboFix 08-04-03.5 - Administrator 2008-04-05 0:08:13.5 - NTFSx86
                  Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.1466 [GMT 2:00]
                  Gestart vanuit: C:\Documents and Settings\Administrator\Bureaublad\Combo-Fix.exe
                  Command switches used :: C:\Documents and Settings\Administrator\Bureaublad\CFScript.txt
                  * Nieuw herstelpunt werd aangemaakt

                  WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

                  FILE ::
                  C:\Temp\TPSMain.exe
                  C:\WINDOWS\system32\drivers\mdelk.exe
                  .
                  TimedOut: progfile.dat

                  (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  C:\Temp\TPSMain.exe
                  C:\Temp\wz18b8
                  C:\Temp\wz18b8\K-Calc 2003 Setup.exe
                  C:\WINDOWS\system32\drivers\downld
                  C:\WINDOWS\system32\drivers\downld\31298344.exe
                  C:\WINDOWS\system32\drivers\downld\31314958.exe
                  C:\WINDOWS\system32\drivers\downld\31334686.exe
                  C:\WINDOWS\system32\drivers\downld\31351160.exe
                  C:\WINDOWS\system32\drivers\mdelk.exe

                  .
                  ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  -------\Legacy_SROSA


                  (((((((((((((((((((( Bestanden Gemaakt van 2008-03-04 to 2008-04-04 ))))))))))))))))))))))))))))))
                  .

                  2008-04-04 17:53 . 2008-04-05 00:07 <DIR> dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
                  2008-04-04 15:51 . 2008-04-04 15:51 <DIR> d-------- C:\Muestras
                  2008-04-04 15:08 . 2008-04-04 15:08 <DIR> d-------- C:\Program Files\Trend Micro
                  2008-04-03 17:14 . 2008-04-03 17:41 <DIR> d-------- C:\Program Files\Ucalc
                  2008-04-03 17:14 . 1997-06-04 04:00 89,600 --a------ C:\WINDOWS\system32\GRID32.OCX
                  2008-04-03 17:13 . 2008-04-03 17:13 <DIR> d-------- C:\Temp\install
                  2008-04-03 17:03 . 2008-04-03 17:03 <DIR> d-------- C:\Program Files\Rockwool BestekService 2007
                  2008-04-03 16:54 . 2008-04-03 17:06 <DIR> d-------- C:\Program Files\Rockwool
                  2008-04-02 22:55 . 2008-04-02 22:55 <DIR> d-------- C:\Program Files\Smith Micro
                  2008-04-01 19:39 . 2008-04-01 19:39 268 --ah----- C:\sqmdata00.sqm
                  2008-04-01 19:39 . 2008-04-01 19:39 244 --ah----- C:\sqmnoopt00.sqm
                  2008-04-01 19:39 . 2008-04-01 19:39 172 --ah----- C:\sqmnoopt01.sqm
                  2008-04-01 19:39 . 2008-04-01 19:39 172 --ah----- C:\sqmdata01.sqm
                  2008-04-01 11:55 . 2008-04-01 12:42 <DIR> d-------- C:\Program Files\EPB-software Vlaanderen 1.1
                  2008-03-31 22:27 . 2008-03-31 22:27 32 --a------ C:\WINDOWS\termical.INI
                  2008-03-31 21:58 . 2004-08-12 16:56 926,904 --------- C:\WINDOWS\system32\TList7.ocx
                  2008-03-31 21:57 . 2008-03-31 22:06 <DIR> d-------- C:\Program Files\BuildDesk NL 3.3
                  2008-03-31 21:50 . 2008-03-31 22:25 <DIR> d-------- C:\Program Files\Termical
                  2008-03-31 21:45 . 2008-03-31 21:45 <DIR> d-------- C:\Program Files\Renocal
                  2008-03-31 21:45 . 2008-03-31 21:45 32 --a------ C:\WINDOWS\rc_setup.INI
                  2008-03-27 22:36 . 2008-03-27 22:36 <DIR> d-------- C:\Temp\abfg_sample
                  2008-03-24 15:15 . 2008-03-24 15:15 <DIR> d-------- C:\apachefriends
                  2008-03-23 15:59 . 2008-03-23 16:00 <DIR> d-------- C:\Temp\blindscanner
                  2008-03-23 00:07 . 2008-03-23 00:07 <DIR> d-------- C:\Program Files\Scanitto
                  2008-03-23 00:07 . 2008-03-23 15:57 <DIR> d-------- C:\Program Files\BlindScanner Pro
                  2008-03-23 00:07 . 2005-08-11 13:46 270,336 --a------ C:\WINDOWS\system32\EZTiff.dll
                  2008-03-23 00:07 . 2005-08-11 14:23 212,992 --a------ C:\WINDOWS\system32\Eztwain3.dll
                  2008-03-23 00:07 . 2005-08-09 02:33 151,552 --a------ C:\WINDOWS\system32\EZPng.dll
                  2008-03-23 00:07 . 2005-08-09 02:30 118,784 --a------ C:\WINDOWS\system32\EZGif.dll
                  2008-03-23 00:07 . 2005-08-11 13:46 106,496 --a------ C:\WINDOWS\system32\EZJpeg.dll
                  2008-03-23 00:07 . 2005-08-11 13:46 49,152 --a------ C:\WINDOWS\system32\EZPdf.dll
                  2008-03-21 19:40 . 2008-03-24 14:35 <DIR> d-------- C:\Temp\geobase
                  2008-03-21 17:21 . 2008-03-21 17:22 <DIR> d-------- C:\Temp\ap_ver7_upgrade
                  2008-03-21 17:20 . 2008-03-21 17:20 <DIR> d-------- C:\Temp\ap_ver8_upgrade
                  2008-03-21 17:01 . 2008-03-24 19:02 <DIR> d-------- C:\Temp\Adpeeps
                  2008-03-21 15:02 . 2008-03-25 21:47 <DIR> d-------- C:\Temp\cmsmadesimple-1.2.3
                  2008-03-21 14:43 . 2008-03-21 14:43 <DIR> d-------- C:\Program Files\FileZilla FTP Client
                  2008-03-21 14:43 . 2008-03-30 02:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FileZilla
                  2008-03-19 14:24 . 2008-04-01 22:23 <DIR> d-------- C:\Program Files\FreeCommander
                  2008-03-16 00:28 . 2008-03-16 00:29 973,588 --a------ C:\Temp\nl_NL.zip

                  .
                  ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2008-04-03 19:13 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
                  2008-04-03 15:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
                  2008-04-03 15:28 --------- d-----w C:\Program Files\eMule
                  2008-03-31 19:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
                  2008-03-27 16:31 --------- d-----w C:\Program Files\Wings
                  2008-03-25 20:21 --------- d-----w C:\Program Files\eclipse
                  2008-03-22 22:47 --------- d-----w C:\Program Files\Tools&Utils
                  2008-03-21 08:35 --------- d-----w C:\Program Files\Java
                  2008-03-13 22:50 --------- d-----w C:\Program Files\Common Files\Adobe
                  2008-03-03 21:42 --------- d-----w C:\Program Files\MSN Messenger
                  2008-03-03 20:58 --------- d-----w C:\Program Files\Windows Live
                  2008-03-03 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
                  2008-03-03 20:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
                  2008-03-02 13:47 --------- d-----w C:\Program Files\CrossLoop
                  2008-03-02 13:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\MiKTeX
                  2008-03-02 13:01 --------- d-----w C:\Program Files\MiKTeX 2.7
                  2008-03-02 12:43 --------- d-----w C:\Program Files\TeXnicCenter
                  2008-02-28 23:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\RagTime
                  2008-02-26 20:51 --------- d-----w C:\Program Files\RagTime 6
                  2008-02-26 20:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\RagTime
                  2008-02-25 20:34 --------- d-----w C:\Program Files\JFritz
                  2008-02-25 20:30 --------- d-----w C:\Program Files\Common Files\Java
                  2008-02-25 11:29 --------- d-----w C:\Program Files\Monkey's Audio
                  2008-02-25 11:28 --------- d-----w C:\Program Files\Winamp
                  2008-02-24 20:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\JLC's Software
                  2008-02-21 17:53 --------- d-----w C:\Program Files\JLC's Software
                  2008-02-18 17:18 --------- d-----w C:\Program Files\WinPcap
                  2008-02-12 21:12 --------- d-----w C:\Program Files\Google
                  2008-02-11 20:31 --------- d-----w C:\Program Files\MsnSniffer
                  2008-02-11 20:26 --------- d-----w C:\Program Files\EtherDetect
                  2007-02-09 13:42 3,584 ----a-w C:\Documents and Settings\Peter\netcache.dat
                  2007-02-07 18:28 64,512 ---ha-w C:\Documents and Settings\Administrator\Application Data\rbap450.dll
                  2007-02-07 18:28 45,568 ---ha-w C:\Documents and Settings\Administrator\Application Data\plugin.dll
                  2007-02-07 18:28 103,424 ---ha-w C:\Documents and Settings\Administrator\Application Data\NUBZWTP.DLL
                  .

                  ((((((((((((((((((((((((((((( [email protected]_23.33.37.96 )))))))))))))))))))))))))))))))))))))))))
                  .
                  - 2008-04-04 21:25:55 12,362 ----a-w C:\WINDOWS\system32\tablet.dat
                  + 2008-04-04 22:13:03 12,362 ----a-w C:\WINDOWS\system32\tablet.dat
                  + 2008-04-04 22:13:03 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_26c.dat
                  .
                  ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  REGEDIT4
                  *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1T ortoiseSVN]
                  @={30351346-7B7D-4FCC-81B4-1E394CA267EB}

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2T ortoiseSVN]
                  @={30351347-7B7D-4FCC-81B4-1E394CA267EB}

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3T ortoiseSVN]
                  @={30351348-7B7D-4FCC-81B4-1E394CA267EB}

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4T ortoiseSVN]
                  @={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5T ortoiseSVN]
                  @={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6T ortoiseSVN]
                  @={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7T ortoiseSVN]
                  @={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

                  [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
                  2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

                  [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
                  2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

                  [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
                  2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

                  [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
                  2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

                  [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
                  2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

                  [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
                  2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

                  [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
                  2007-06-09 13:42 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]
                  "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2006-03-14 15:33 86016]
                  "type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 10:51 172032]
                  "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
                  "TPSMain"="TPSMain.exe" [2004-06-28 14:55 266240 C:\WINDOWS\system32\TPSMain.exe]
                  "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 17:32 761945]
                  "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 10:03 144384]
                  "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
                  "RTHDCPL"="RTHDCPL.EXE" [2006-01-11 18:23 15961088 C:\WINDOWS\RTHDCPL.exe]
                  "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
                  "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-30 18:49 282624]
                  "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-01-19 09:43 86016]
                  "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 09:43 7397376]
                  "Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [2003-01-03 15:45 425984]
                  "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
                  "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 11:39 225280]
                  "LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 16:55 73728]
                  "LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 19:22 262144]
                  "LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 16:47 331776]
                  "LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 11:45 241664]
                  "LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2006-02-21 10:46 69632]
                  "LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 14:36 32768]
                  "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 10:50 204800]
                  "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-01-26 19:03 155648]
                  "HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 12:00 53248]
                  "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-26 19:03 118784]
                  "Gtz"="C:\Program Files\Postbank\Girotel Zakelijk 5.0\Gtz.exe" [2006-02-28 13:51 3550048]
                  "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-13 11:00 1838592]
                  "DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2005-01-13 01:00 126976]
                  "CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 15:28 20480]
                  "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 10:03 110592 C:\WINDOWS\system32\bthprops.cpl]
                  "AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 20:51 53248]
                  "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-04 23:19 579072]
                  "AGRSMMSG"="AGRSMMSG.exe" [2005-09-09 12:20 88203 C:\WINDOWS\AGRSMMSG.exe]
                  "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
                  "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-22 16:09 63712]
                  "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
                  "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
                  "00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2004-08-11 12:33 253952]
                  "000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]

                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                  "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:03 15360]
                  "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-04 23:17 219136]

                  C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\
                  Adobe Acrobat Snelle start.lnk - C:\WINDOWS\Installer\{AC76BA86-1030-D700-7760-100000000002}\SC_Acrobat.exe [2007-03-27 22:10:13 25214]
                  Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
                  Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-17 10:45:32 618557]
                  RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-04-08 13:35:48 155648]
                  TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-03-02 17:11:38 106496]
                  WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-06-26 22:33:14 389120]

                  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
                  "NoViewOnDrive"= 0 (0x0)
                  "NoLogoff"= 0 (0x0)

                  [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
                  Source= D:\Data\Mijn documenten\Mijn afbeeldingen\Plaatjes\Trias Energetica.jpg
                  FriendlyName=

                  [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
                  Source= D:\Data\Mijn documenten\Mijn webs\OilPrice\oil_price.htm
                  FriendlyName=

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                  "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                  "VIDC.I420"= lvcodec2.dll
                  "MSVideo8"= VfWWDM32.dll
                  "MSVideo"= vfwwdm32.dll
                  "vidc.ffds"= ffdshow.ax
                  "VIDC.WMV3"= wmv9vcm.dll

                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                  Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
                  @="Driver"

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
                  @="Driver"

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
                  "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
                  "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
                  "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
                  "C:\\Program Files\\eMule\\emule.exe"=
                  "C:\\Program Files\\PuTTY\\putty.exe"=
                  "C:\\Program Files\\Hewlett-Packard\\HP Designjet System Maintenance\\hp_dj_sme.exe"=
                  "C:\\Program Files\\Mamut\\Mamut.exe"=
                  "C:\\Program Files\\Java\\jre1.6.0_03\\launch4j-tmp\\jfritz.exe"=
                  "C:\\xampp\\mysql\\bin\\mysqld.exe"=
                  "C:\\xampp\\apache\\bin\\apache.exe"=
                  "C:\\Program Files\\WinSCP3\\WinSCP.exe"=
                  "C:\\Program Files\\RagTime 6\\Win32\\RagTime 6.exe"=
                  "C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
                  "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                  "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
                  "C:\\WINDOWS\\system32\\javaw.exe"=

                  R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 12:27]
                  R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2004-03-12 01:00]
                  R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 17:57]
                  R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 17:57]
                  R2 ISPMonitorSrv;ISP Monitor;C:\Program Files\ISP Monitor\ISPMonitorSrv.exe [2007-06-12 23:41]
                  R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
                  R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 13:20]
                  R3 msloop;Stuurprogramma voor Microsoft Loopback-adapter;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 22:53]
                  S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys
                  S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys
                  S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys
                  S2 HPW5ECP;HPW5ECP;C:\WINDOWS\system32\drivers\HPW5ECP.SYS [1999-12-17 11:08]
                  S2 SAUSBFW;PQI USB Card Reader/Writer Device Driver;C:\WINDOWS\system32\Drivers\sausbi.sys [2000-11-06 15:17]
                  S2 SAUSBHW;PQI USB Card Reader/Writer Firmware Loader;C:\WINDOWS\system32\Drivers\saldr.sys [2000-11-01 13:57]
                  S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys [2005-02-22 01:00]
                  S3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-06-23 11:40]
                  S3 psdfilter;psdfilter;C:\WINDOWS\system32\Drivers\psdfilter.sys
                  S3 psdvdisk;psdvdisk;C:\WINDOWS\system32\Drivers\psdvdisk.sys


                  [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}]
                  rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\fpxpress.inf,PerUserstub
                  .
                  Inhoud van de 'Gedeelde Taken' map
                  "2008-04-04 21:30:06 C:\WINDOWS\Tasks\User_Feed_Synchronization-{F4302D23-CC0E-408B-8460-1262DB67A0EE}.job"
                  - C:\WINDOWS\system32\msfeedssync.exe
                  .
                  **************************************************************************

                  catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2008-04-05 00:13:37
                  Windows 5.1.2600 Service Pack 2 NTFS

                  scannen van verborgen processen ...

                  scannen van verborgen autostart items ...

                  scannen van verborgen bestanden ...

                  Scan succesvol afgerond
                  verborgen bestanden: 0

                  **************************************************************************
                  .
                  --------------------- DLLs Geladen Onder Lopende Processen ---------------------

                  PROCESS: C:\WINDOWS\explorer.exe
                  -> C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
                  -> C:\Program Files\TortoiseSVN\iconv\windows-1252.so
                  -> C:\Program Files\TortoiseSVN\iconv\utf-8.so
                  -> ?:\WINDOWS\System32\msutb.dll
                  -> ?:\WINDOWS\System32\msutb.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
                  C:\Program Files\Bonjour\mDNSResponder.exe
                  C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
                  C:\WINDOWS\System32\DVDRAMSV.exe
                  C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
                  C:\WINDOWS\system32\nvsvc32.exe
                  C:\WINDOWS\system32\Tablet.exe
                  c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
                  C:\Program Files\Canon\CAL\CALMAIN.exe
                  C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
                  C:\WINDOWS\system32\RUNDLL32.EXE
                  C:\WINDOWS\system32\rundll32.exe
                  C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
                  C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
                  C:\WINDOWS\system32\msiexec.exe
                  .
                  **************************************************************************
                  .
                  Voltooingstijd: 2008-04-05 0:20:36 - machine was rebooted
                  ComboFix-quarantined-files.txt 2008-04-04 22:20:28
                  ComboFix2.txt 2008-04-04 21:34:03
                  Pre-Run: 4,342,996,992 bytes beschikbaar
                  Post-Run: 4,318,478,336 bytes beschikbaar
                  .
                  2008-03-12 11:03:14 --- E O F ---
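A cross-check that can be run over the ComboFix log in post #9, given here as an added example that is not part of the original thread: it parses the "Andere Verwijderingen" and "Reg Opstartpunten" sections and lists Run-key autostarts that share a file name with a removed file or are registered without a full path. The sample is an excerpt of the log lines above; the function names are illustrative.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the ComboFix log from post #9 (lines copied from the log, shortened).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\TPSMain.exe
C:\Temp\wz18b8
C:\Temp\wz18b8\K-Calc 2003 Setup.exe
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\31298344.exe
C:\WINDOWS\system32\drivers\mdelk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2006-03-14 15:33 86016]
"TPSMain"="TPSMain.exe" [2004-06-28 14:55 266240 C:\WINDOWS\system32\TPSMain.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 18:23 15961088 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-04 23:19 579072]
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")   # (((( Title ))))
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")                 # [HKEY_...\Run]
RUN_RE = re.compile(                                     # "name"="cmd" [date time size path?]
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s+'
    r"\[(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>\d+)(?: (?P<resolved>.+))?\]$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_combofix(log):
    """Return (removed paths, Run-key autostart entries) found in a ComboFix log."""
    deleted, autostarts = [], []
    section = key = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if section == "Andere Verwijderingen" and DRIVE_PATH_RE.match(line):
            deleted.append(line)
        elif (section == "Reg Opstartpunten" and key
              and key.lower().endswith(r"\currentversion\run")):
            m = RUN_RE.match(line)
            if m:
                cmd = m.group("cmd")
                autostarts.append({
                    "key": key,
                    "name": m.group("name"),
                    "command": cmd,
                    # ComboFix prints the resolved file when the value has no path.
                    "path": m.group("resolved") or cmd,
                    "stamp": m.group("stamp"),
                    "size": int(m.group("size")),
                })
    return deleted, autostarts


def review_autostarts(log):
    """List autostarts worth a second look, as (name, path, [notes]) tuples."""
    deleted, autostarts = parse_combofix(log)
    removed = {PureWindowsPath(p).name.lower(): p for p in deleted}
    findings = []
    for entry in autostarts:
        notes = []
        twin = removed.get(PureWindowsPath(entry["path"]).name.lower())
        if twin and twin.lower() == entry["path"].lower():
            notes.append("points at a file ComboFix removed (orphaned entry)")
        elif twin:
            notes.append(f"same file name as removed {twin}")
        if not PureWindowsPath(entry["command"]).is_absolute():
            notes.append("unqualified command, resolved through the search path")
        if notes:
            findings.append((entry["name"], entry["path"], notes))
    return findings


if __name__ == "__main__":
    for name, path, notes in review_autostarts(SAMPLE_LOG):
        print(f"{name}: {path}")
        for note in notes:
            print(f"  - {note}")
```

A match on file name alone says nothing about whether the remaining file is malicious; it only marks the entry for manual review.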



                  • #10
                    Getting some sleep

                    Dear Smeenk,

                    I am going to sleep now after all. Thanks in advance for all the help. I look forward to the next instruction. See you tomorrow?

                    Good night, Peter



                    • #11
                      Go to Start - Run and enter the following line there:
                      Combofix /u
                      Press OK.
                      Combofix will then be removed (note: there must be a space between Combofix and /u).

                      Download Malwarebytes' Anti-Malware to your desktop.
                      Double-click mbam-setup.exe and choose "Next" to install the tool.
                      When the installation is complete, tick "Update MalwareBytes' Anti-Malware" and "Launch MalwareBytes' Anti-Malware".
                      Then press "Finish".
                      In the main screen choose the "Scanner" tab and select the radio button "Perform full scan".
                      Press the "Scan" button and make sure all your hard disks/partitions are ticked.
                      Then press the "Start Scan" button.
                      When the scan is complete, click OK, then "Show Results" to see the results.
                      Make sure everything is ticked, then click "Remove Selected".
                      If the program wants to restart your computer, allow it.
                      After that a log opens (mbam-log-XX-XX-XXXX(xx-xx-xx).txt).
                      Post this log in your next message together with a HijackThis log.



                      • #12
                        mbam-log

                        Hi Smeenk,

                        You were at it early again this morning.

                        See the mbam-log below. HijackThis still gives the error message "Geen geldige Win32-toepassing".

                        Regards, Peter

                        Malwarebytes' Anti-Malware 1.10
                        Database versie: 592

                        Scan type: Volledige Scan (C:\|D:\|F:\|)
                        Objecten gescand: 240805
                        Verstreken tijd: 59 minute(s), 28 second(s)

                        Geheugenprocessen geïnfecteerd: 0
                        Geheugenmodulen geïnfecteerd: 0
                        Registersleutels geïnfecteerd: 0
                        Registerwaarden geïnfecteerd: 1
                        Registerdata bestanden geïnfecteerd: 0
                        Mappen geïnfecteerd: 0
                        Bestanden geïnfecteerd: 0

                        Geheugenprocessen geïnfecteerd:
                        (Geen kwaadaardige items gevonden)

                        Geheugenmodulen geïnfecteerd:
                        (Geen kwaadaardige items gevonden)

                        Registersleutels geïnfecteerd:
                        (Geen kwaadaardige items gevonden)

                        Registerwaarden geïnfecteerd:
                        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01e69986-a054-4c52-abe8-ef63df1c5211} (Adware.Softomate) -> Quarantined and deleted successfully.

                        Registerdata bestanden geïnfecteerd:
                        (Geen kwaadaardige items gevonden)

                        Mappen geïnfecteerd:
                        (Geen kwaadaardige items gevonden)

                        Bestanden geïnfecteerd:
                        (Geen kwaadaardige items gevonden)



                        • #13
                          Try this:

                          Download Dr.Web CureIt and save it to your desktop.
                          • Double-click drweb-cureit.exe and allow it to start the express scan.
                            If a popup appears offering a purchase/50% discount, you can close it.
                          • The express scan will scan the files that are currently loaded in memory. If anything is found, click 'alles selecteren' (select all), then choose 'repareren' (repair) and, from the small menu that appears, choose 'verplaatsen' (move).
                          • At the top of the menu choose Language/Taal and change it to Dutch (Nederlands) if it is set differently on your machine.
                          • Press F9, then choose the Acties (Actions) tab and set the following under Malware:
                            • Adware: Verplaats (Move)
                            • Dialers: Verplaats (Move)
                            • Jokes: Rapportage (Report)
                            • Riskware: Rapportage (Report)
                            • Hacktools: Verplaats (Move)
                            • Then remove the tick at 'Prompt bij actie' (prompt on action).
                          • Next choose the Scan tab and remove the tick at Heuristische analyse (heuristic analysis).
                            Then press Toepassen (Apply) followed by OK.
                          • Once the short scan has finished, tick: Volledige scan (full scan).
                            Then press the green arrow (start button) to start the scan.
                          • Files that are found are moved to the '%USERPROFILE%\DocterWeb\Quarantine' folder if repairing them is not possible.
                          • After the scan is done, go to Bestand (File) and choose Rapportage lijst opslaan (save report list).
                            Save it on your desktop and then close Dr.Web CureIt.
                          • Then restart the computer!! This is an important step, because Dr.Web CureIt may move/delete files during the restart.
                          Post the Dr.Web CureIt log and also try again to make a HijackThis log.



                          • #14
                            DrWeb.csv

                            Dear Smeenk,

                            When I wanted to close DrWeb I was asked whether I wanted to take action on the files that were found. I then selected everything and ticked repair (herstellen). After that I closed it. No visible actions after restarting. HijackThis still does not work.

                            Regards, Peter

                            00607513.FIL C:\$VAULT$.AVG Win32.HLLM.Beagle Verwijderd.
                            00614914.FIL C:\$VAULT$.AVG Win32.HLLM.Beagle Verwijderd.
                            06885060.FIL C:\$VAULT$.AVG Win32.HLLM.Beagle Verwijderd.
                            40355908.FIL C:\$VAULT$.AVG BackDoor.Graybird Verwijderd.
                            VNCHooks.dll C:\Program Files\CrossLoop Program.RemoteAdmin
                            winvnc.exe C:\Program Files\CrossLoop Program.RemoteAdmin
                            VBAOL11.CHM\html/olobjAddressEntries.htm C:\Program Files\Microsoft Office\OFFICE11\1043\VBAOL11.CHM Modificatie van VBS.Petik
                            VBAOL11.CHM C:\Program Files\Microsoft Office\OFFICE11\1043 Archief bevat geinfecteerde objecten Verplaatst.
                            MsnSniffer.exe C:\Program Files\MsnSniffer Tool.MSNSniffer Verplaatst.
                            Process.exe C:\Program Files\smitRem Tool.Prockill Verplaatst.
                            pv.exe C:\Program Files\smitRem Program.PrcView.3741
                            A0000317.exe C:\System Volume Information\_restore{DBEB01A1-6FC9-4664-B888-E23365CA7751}\RP5 Tool.MSNSniffer Verplaatst.
                            A0000318.exe C:\System Volume Information\_restore{DBEB01A1-6FC9-4664-B888-E23365CA7751}\RP5 Tool.Prockill Verplaatst.
                            IEXPLORE.EXE C:\WINDOWS\$NtUninstallKB887742$ Trojan.Click.3703 Verwijderd.
                            pv.exe C:\xampp\apache\bin Program.PrcView.3725



                            • #15
                              Is your regular virus scanner working again by now?
                              If so, have it run a scan.
