explorer crashes + task manager disabled

  • explorer crashes + task manager disabled

    Hey,

    I have an AlienWare laptop here running Windows XP Pro SP2. The problem is that after booting, explorer.exe crashes (without any error message), restarts, runs fine for a few seconds, then crashes and restarts again, and so on some 15 times in a row until it finally crashes and gives up for good. Ctrl+Alt+Del gives the message "Task Manager has been disabled by your Administrator".

    I was able to fix the Task Manager problem via gpedit.msc, but the explorer.exe problem remains. The problem persists even after a Diagnostic Startup (via msconfig). Even in Safe Mode the problem is still there. For some reason it has now stopped for the first time (in a Diagnostic Startup via msconfig), and I used that opportunity to run HijackThis, Ad-Aware and RootkitRevealer.

    Below is my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:07:20, on 19/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\mmc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Grisoft\AVG7\avgwb.dat
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [BEz0kS8N1M] C:\Documents and Settings\All Users\Application Data\czyxilqx\stkxoxsd.exe
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\S-1-5-21-1085031214-515967899-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O21 - SSODL: PrxComponent - {b32a9929-e79f-466b-80d5-e1b8ecc3985c} - (no file)
    O21 - SSODL: zip - {57c0c0ee-767a-4eae-ba33-c13a8914543f} - (no file)
    O21 - SSODL: omlbpkaw - {BBCCD338-97D5-4807-8864-DC8688BB15B7} - (no file)
    O21 - SSODL: pmsoarbf - {93E20A40-1EBA-442D-9511-486DB37E8045} - (no file)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    --
    End of file - 3712 bytes


    And here are the RootkitRevealer results:

    HKU\S-1-5-21-1085031214-515967899-839522115-500\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 10/5/2007 9:54 PM 0 bytes Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAC* 4/14/2005 12:06 AM 0 bytes Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAI* 4/14/2005 12:06 AM 0 bytes Key name contains embedded nulls (*)
    C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\logs\aaw2007log.xsl 6/21/2007 3:32 PM 13.11 KB Visible in Windows API, MFT, but not in directory index.
    C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\logs\AdAware event.log 4/19/2008 4:06 PM 40 bytes Visible in Windows API, MFT, but not in directory index.


    A scan with Ad-Aware then yields 6 hits:

    <?xml version="1.0" encoding="UTF-16"?>
    <Infections Comment="Created with Ad-Aware 2007">
    <Family:Adware.Agent>
    <Item ="Root: HKLM Path: software\microsoft\windows\currentversion\explorer\browser helper objects\{be2ed590-ca49-46b5-8cce-244fb2e0d1aa}"/>
    <Item ="Root: HKCR Path: msvps.msvpsapp"/>
    <Item ="Root: HKCR Path: msvps.msvpsapp"/>
    <Item ="Root: HKLM Path: software\microsoft\videoplugin Value: at"/>
    <Item ="Root: HKLM Path: software\microsoft\videoplugin"/>
    <Item ="Root: HKLM Path: software\microsoft\windows\currentversion\uninstall\webvideo"/>
    <Item ="Root: HKCR Path: appid\dlp.dll"/>
    <Item ="File: C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url"/>
    <Item ="File: C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url"/>
    <Item ="File: C:\Documents and Settings\Administrator\Favorites\Spyware&amp;Malware Protection.url"/>
    </Family:Adware.Agent>
    <Family:CoolWebSearch>
    <Item ="Root: HKCR Path: clsid\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c}"/>
    <Item ="Root: HKU Path: S-1-5-21-1085031214-515967899-839522115-500_Classes\clsid\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c}"/>
    <Item ="Root: HKU Path: S-1-5-21-1085031214-515967899-839522115-500\software\microsoft\internet explorer\main Value: Use Search Asst Data: no"/>
    <Item ="Root: HKU Path: S-1-5-21-1085031214-515967899-839522115-500\software\microsoft\windows\currentversion\internet settings\zonemap\domains\i--search.com"/>
    </Family:CoolWebSearch>
    <Family:Holystic-Dialer>
    <Item ="Root: HKCR Path: clsid\{0b682cc1-fb40-4006-a5dd-99edd3c9095d}"/>
    <Item ="Root: HKU Path: S-1-5-21-1085031214-515967899-839522115-500_Classes\clsid\{0b682cc1-fb40-4006-a5dd-99edd3c9095d}"/>
    <Item ="Root: HKU Path: S-1-5-21-1085031214-515967899-839522115-500_Classes\hol5_vxiewer.full.1"/>
    </Family:Holystic-Dialer>
    <Family:JRaun>
    <Item ="Root: HKCR Path: clsid\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a}"/>
    </Family:JRaun>
    <Family:TIBBrowser>
    <Item ="Root: HKCR Path: clsid\{0656a137-b161-cadd-9777-e37a75727e78}"/>
    <Item ="Root: HKU Path: S-1-5-21-1085031214-515967899-839522115-500_Classes\clsid\{0656a137-b161-cadd-9777-e37a75727e78}"/>
    <Item ="Root: HKU Path: S-1-5-21-1085031214-515967899-839522115-500\software\classes\clsid\{0656a137-b161-cadd-9777-e37a75727e78}"/>
    </Family:TIBBrowser>
    <Family:Win32.TrojanClicker>
    <Item ="Root: HKCR Path: clsid\{54645654-2225-4455-44a1-9f4543d34545}"/>
    </Family:Win32.TrojanClicker>
    </Infections>


    Is the built-in removal in Ad-Aware sufficient for this, or am I better off using specialised tools?
    Last edited by blaat; 19-04-08, 18:33.
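As an added example (not code from this thread, from HijackThis or from any of the tools named here), the script below triages HijackThis-format log lines the way a helper reads the log above: it flags entries whose file is gone, start-page hijacks, autoruns in unusual places and Winlogon Notify DLLs. The sample lines are a verbatim subset of the log posted above; the set of expected IE start-page hosts is an assumption.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a verbatim subset of the HijackThis 2.0.2 log posted in
# the thread, in the order the tool emits its sections.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [BEz0kS8N1M] C:\Documents and Settings\All Users\Application Data\czyxilqx\stkxoxsd.exe
O20 - Winlogon Notify: ssqQihGw - ssqQihGw.dll (file missing)
O21 - SSODL: PrxComponent - {b32a9929-e79f-466b-80d5-e1b8ecc3985c} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Assumption: hosts a stock XP/IE7 install (or the user) legitimately points the
# start and search pages at. Any other host in an R0/R1 line is a hijack candidate.
EXPECTED_IE_HOSTS = {"go.microsoft.com", "www.google.be"}

# Every HijackThis entry starts with a section code (R0, O2, O20, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# R0/R1 lines end in "<value name> = <url>".
URL_RE = re.compile(r"=\s*(?P<url>https?://\S+)$")
# O4 lines: "<hive>\..\<key>: [<value name>] <command> (User '...')".
O4_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line):
    """Split one log line into (section, body); None for headers, paths and blanks."""
    m = LINE_RE.match(line.strip())
    return (m["section"], m["body"]) if m else None


def triage(log_text):
    """Return the entries a reviewer would look at first, each with its reason."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        line = raw.strip()

        # Orphaned entries: the registry still points at a file that is gone,
        # typically what a partial clean-up or a self-deleting dropper leaves behind.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "points at a file that no longer exists", line))

        if section in ("R0", "R1"):
            m = URL_RE.search(body)
            host = urlparse(m["url"]).hostname if m else None
            if host and host not in EXPECTED_IE_HOSTS:
                findings.append(Finding(section, f"IE start/search page set to unexpected host {host}", line))
        elif section == "O4":
            m = O4_RE.match(body)
            if m:
                target = USER_SUFFIX_RE.sub("", m["target"])
                if "policies" in m["key"].lower():
                    findings.append(Finding(section, "autorun under a Policies\\Explorer\\Run key", line))
                if "application data" in target.lower():
                    findings.append(Finding(section, "autorun launches from a data directory", line))
        elif section == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon, so each one listed deserves a look.
            findings.append(Finding(section, "Winlogon Notify DLL (loaded into winlogon.exe)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```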

  • #2
    Download: RVAXO.exe
    • Save the file to your desktop, double-click it and choose "Unzip" to extract it.
    • Start the computer in Safe Mode.
    • Now open the RVAXO folder on your desktop and double-click RunMe.cmd
      A cmd window will open; a few lines about files not being found will scroll past quickly, which is normal.
    • An uninstaller for a rogue scanner may also start up; do not close it, but follow any prompts and just let it do its job.
    • Your PC will then restart; let it boot into normal mode again. After the restart, the RVAXO cmd window opens again.
      Let it run and wait until a log file opens: C:\RVAXO-results.log
    • If your computer does not restart by itself, or the tool does not start after the reboot, do this manually.
    • Post the contents of the log file in your next reply.

    Download Deckard's System Scanner to your Desktop.
    • Close all applications and windows.
    • Double-click dss.exe to run it, and follow the prompts.
    • When the scan is complete, a text file - main.txt - will open.
    • Copy (Ctrl+A followed by Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply, along with extra.txt.

    Note: Some firewalls may warn that sigcheck.exe is trying to connect to the internet
    - make sure sigcheck.exe is allowed to do so!
    It can also happen that your antivirus flags DSS as suspicious, or even tries to remove it.
    Do not let your antivirus remove it! (In that case it may be better to temporarily disable your antivirus during the DSS scan)



    • #3
      Here are the results of the tools. I should mention that "normal startup" via msconfig is set to Diagnostic, so almost all services are disabled. If you want, I can redo the test in Normal mode.

      RVAXO

      ---RVAXO.exe Updated: 2008-04-19---first run---
      Uninstallers:

      Files found:
      C:\WINDOWS\system32\OnmlnUtv.ini2
      C:\WINDOWS\system32\UxHjTvut.ini2
      C:\WINDOWS\a.bat
      C:\WINDOWS\bdn.com
      C:\WINDOWS\wininit.ini
      C:\WINDOWS\iTunesMusic.exe
      C:\WINDOWS\mssecu.exe
      C:\WINDOWS\system32akttzn.exe
      C:\WINDOWS\system32anticipator.dll
      C:\WINDOWS\system32awtoolb.dll
      C:\WINDOWS\system32bdn.com
      C:\WINDOWS\system32bsva-egihsg52.exe
      C:\WINDOWS\system32dpcproxy.exe
      C:\WINDOWS\system32emesx.dll
      C:\WINDOWS\[email protected]@@k.dll
      C:\WINDOWS\system32hoproxy.dll
      C:\WINDOWS\system32hxiwlgpm.dat
      C:\WINDOWS\system32hxiwlgpm.exe
      C:\WINDOWS\system32medup012.dll
      C:\WINDOWS\system32medup020.dll
      C:\WINDOWS\system32msgp.exe
      C:\WINDOWS\system32msnbho.dll
      C:\WINDOWS\system32mssecu.exe
      C:\WINDOWS\system32msvchost.exe
      C:\WINDOWS\system32mtr2.exe
      C:\WINDOWS\system32mwin32.exe
      C:\WINDOWS\system32netode.exe
      C:\WINDOWS\system32newsd32.exe
      C:\WINDOWS\system32ps1.exe
      C:\WINDOWS\system32psof1.exe
      C:\WINDOWS\system32psoft1.exe
      C:\WINDOWS\system32regc64.dll
      C:\WINDOWS\system32regm64.dll
      C:\WINDOWS\system32Rundl1.exe
      C:\WINDOWS\system32smp
      C:\WINDOWS\system32smp\msrc.exe
      C:\WINDOWS\Web\def.htm
      C:\WINDOWS\system32sncntr.exe
      C:\WINDOWS\system32ssurf022.dll
      C:\WINDOWS\system32ssvchost.com
      C:\WINDOWS\system32ssvchost.exe
      C:\WINDOWS\system32sysreq.exe
      C:\WINDOWS\system32taack.dat
      C:\WINDOWS\system32taack.exe
      C:\WINDOWS\system32temp#01.exe
      C:\WINDOWS\system32thun.dll
      C:\WINDOWS\system32thun32.dll
      C:\WINDOWS\system32VBIEWER.OCX
      C:\WINDOWS\system32vbsys2.dll
      C:\WINDOWS\system32vcatchpi.dll
      C:\WINDOWS\system32winlogonpc.exe
      C:\WINDOWS\system32winsystem.exe
      C:\WINDOWS\system32WINWGPX.EXE
      C:\WINDOWS\system32\clkcnt.txt
      C:\Documents and Settings\Administrator\FAVORI~1\Error Cleaner.url
      C:\Documents and Settings\Administrator\FAVORI~1\Privacy Protector.url
      C:\Documents and Settings\Administrator\FAVORI~1\Spyware&Malware Protection.url

      Folders Found:
      C:\Program Files\akl

      Hosts-file was reset, If you use a custom hosts file please replace it...

      --------------RVAXO.exe last run---------------
      Not deleted items:

      --------------RVAXO.exe finished----------------

      dss main.txt
      Deckard's System Scanner v20071014.68
      Run by Administrator on 2008-04-19 18:56:26
      Computer is in Normal Mode.
      --------------------------------------------------------------------------------

      -- System Restore --------------------------------------------------------------

      Unable to create WMI object; The operation completed successfully.


      Backed up registry hives.
      Performed disk cleanup.



      -- HijackThis (run as Administrator.exe) ---------------------------------------

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 18:57:25, on 19/04/2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16640)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      C:\WINDOWS\system32\msiexec.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Documents and Settings\Administrator\Desktop\dss.exe
      C:\WINDOWS\explorer.exe
      C:\HIJACK~1\Administrator.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
      O2 - BHO: DVA Storm - {069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C} - (no file)
      O2 - BHO: (no name) - {0993770C-B42C-4336-8D5C-99DD842C57DA} - C:\WINDOWS\system32\vtUnlmnO.dll
      O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
      O2 - BHO: (no name) - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - (no file)
      O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - (no file)
      O2 - BHO: (no name) - {FF00010A-5E9C-45D1-836C-9DBD2C8DE2EC} - (no file)
      O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
      O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - (no file)
      O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
      O4 - HKUS\S-1-5-21-1085031214-515967899-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
      O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
      O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
      O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
      O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O20 - Winlogon Notify: ssqQihGw - ssqQihGw.dll (file missing)
      O21 - SSODL: PrxComponent - {b32a9929-e79f-466b-80d5-e1b8ecc3985c} - (no file)
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

      --
      End of file - 3973 bytes

      -- File Associations -----------------------------------------------------------

      All associations okay.


      -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

      3 AR5211 (WLAN a+b+g Adapter Service) - system32\drivers\ar5211.sys (file missing)
      2 atksgt - c:\windows\system32\drivers\atksgt.sys
      3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
      2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
      2 MDC8021X (WPA Security Protocol (IEEE 802.1x) v2.2.0.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
      3 PCANDIS5 (PCANDIS5 NDIS Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
      3 vncdrv - c:\windows\system32\drivers\vncdrv.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>

      -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

      2 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe
      4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - c:\program files\bonjour\mdnsresponder.exe
      4 FLEXnet Licensing Service - c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe
      4 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe
      4 PSI_SVC_2 (Protexis Licensing V2) - c:\program files\common files\protexis\license service\psiservice_2.exe
      4 SLService (SmartLinkService) - c:\windows\system32\slserv.exe
      4 WLSetupSvc (Windows Live Setup Service) - c:\program files\windows live\installer\wlsetupsvc.exe


      -- Device Manager: Disabled ----------------------------------------------------

      Unable to create WMI object.

      -- Scheduled Tasks -------------------------------------------------------------

      2008-04-19 11:36:00 270 --a------ C:\WINDOWS\Tasks\Controleren op updates voor Windows Live Toolbar.job
      2008-04-17 22:03:48 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


      -- Files created between 2008-03-19 and 2008-04-19 -----------------------------

      2008-04-19 18:53:49 3760 --ahs---- C:\WINDOWS\system32\OnmlnUtv.ini2
      2008-04-19 18:51:08 0 d-------- C:\RVAXO
      2008-04-19 18:48:31 796840 --a------ C:\WINDOWS\system32\RVAXO.bat
      2008-04-19 18:48:30 69632 --a------ C:\WINDOWS\system32\remove.exe
      2008-04-19 16:40:59 0 dr-h----- C:\Documents and Settings\NetworkService\Recent
      2008-04-19 16:06:47 0 d-------- C:\HijackThis
      2008-04-19 16:06:15 0 d-------- C:\Program Files\Lavasoft
      2008-04-19 16:06:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
      2008-04-19 16:04:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
      2008-04-19 13:27:21 4952 -ra------ C:\Bootfont.bin
      2008-04-19 13:27:21 261936 -ra------ C:\$LDR$
      2008-04-19 13:26:56 0 d-------- C:\$WIN_NT$.~BT
      2008-04-19 13:16:57 0 d-------- C:\Documents and Settings\potverdekke\Application Data\Identities
      2008-04-19 13:16:51 0 d--h----- C:\Documents and Settings\potverdekke\Templates
      2008-04-19 13:16:51 0 dr------- C:\Documents and Settings\potverdekke\Start Menu
      2008-04-19 13:16:51 0 dr-h----- C:\Documents and Settings\potverdekke\SendTo
      2008-04-19 13:16:51 0 d--h----- C:\Documents and Settings\potverdekke\Recent
      2008-04-19 13:16:51 0 d--h----- C:\Documents and Settings\potverdekke\PrintHood
      2008-04-19 13:16:51 524288 --ah----- C:\Documents and Settings\potverdekke\NTUSER.DAT
      2008-04-19 13:16:51 0 d--h----- C:\Documents and Settings\potverdekke\NetHood
      2008-04-19 13:16:51 0 dr------- C:\Documents and Settings\potverdekke\My Documents
      2008-04-19 13:16:51 0 d--h----- C:\Documents and Settings\potverdekke\Local Settings
      2008-04-19 13:16:51 0 d-------- C:\Documents and Settings\potverdekke\Favorites
      2008-04-19 13:16:51 0 d-------- C:\Documents and Settings\potverdekke\Desktop
      2008-04-19 13:16:51 0 d--hs---- C:\Documents and Settings\potverdekke\Cookies
      2008-04-19 13:16:51 0 dr-h----- C:\Documents and Settings\potverdekke\Application Data
      2008-04-19 13:16:51 0 d---s---- C:\Documents and Settings\potverdekke\Application Data\Microsoft
      2008-04-18 20:34:59 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
      2008-04-18 20:29:46 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
      2008-04-18 20:25:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\ATI
      2008-04-18 13:26:13 0 d-------- C:\Program Files\Enigma Software Group
      2008-04-18 13:14:20 0 d-------- C:\Program Files\ATI Technologies
      2008-04-18 09:21:38 274432 -----n--- C:\WINDOWS\system32\vtUnlmnO.dll
      2008-04-18 08:21:58 0 dr-h----- C:\$VAULT$.AVG
      2008-04-18 08:21:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
      2008-04-18 08:21:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
      2008-04-18 08:20:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
      2008-04-18 08:20:45 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
      2008-04-18 08:01:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
      2008-04-17 22:07:05 4096 --a------ C:\WINDOWS\winsystem.exe
      2008-04-17 22:07:05 4096 --a------ C:\WINDOWS\userconfig9x.dll
      2008-04-17 22:07:05 4096 --a------ C:\WINDOWS\system32VBIEWERVAXO
      2008-04-17 22:07:05 4096 --a------ C:\WINDOWS\system32RVAXO
      2008-04-17 22:07:05 0 d-------- C:\WINDOWS\mslagent
      2008-04-17 22:07:05 4096 --a------ C:\WINDOWS\FVProtect.exe
      2008-04-17 22:07:05 0 d-------- C:\Program Files\Inet Delivery
      2008-04-17 22:07:05 0 d-------- C:\Documents and Settings\Administrator\Desktopvirii
      2008-04-17 22:07:05 4096 --a------ C:\Documents and Settings\Administrator\DesktopFWebdEditor.exe
      2008-04-17 22:07:05 4096 --a------ C:\Documents and Settings\Administrator\Desktopfwebd.exe
      2008-04-17 22:07:05 4096 --a------ C:\Documents and Settings\Administrator\Desktopfilemanagerclient.exe
      2008-04-17 22:06:49 0 d-------- C:\Documents and Settings\All Users\Application Data\czyxilqx
      2008-04-17 22:04:12 0 d-------- C:\Program Files\QuickTime
      2008-04-17 22:03:46 0 d-------- C:\Program Files\Apple Software Update
      2008-04-17 22:03:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
      2008-04-17 21:55:03 0 d-------- C:\Program Files\IObit
      2008-04-17 21:54:41 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
      2008-04-17 21:54:39 0 d-------- C:\WINDOWS\system32\languages
      2008-04-17 21:54:39 0 d-------- C:\Program Files\Codec Pack - All In 1
      2008-04-17 21:25:00 0 d-------- C:\Program Files\Windows Live Favorites
      2008-04-17 21:24:58 0 d-------- C:\Program Files\Windows Live Toolbar
      2008-04-17 21:21:17 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
      2008-04-17 21:21:11 0 d-------- C:\Program Files\Windows Live
      2008-04-17 21:21:02 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
      2008-04-17 15:32:00 1755 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
      2008-04-17 15:29:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
      2008-04-16 14:01:54 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
      2008-04-16 14:01:53 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
      2008-04-16 14:01:52 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
      2008-04-16 14:01:51 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
      2008-04-16 13:50:19 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
      2008-04-16 13:35:34 0 d-------- C:\Program Files\Bonjour
      2008-04-16 13:26:26 0 d-------- C:\Program Files\Common Files\Macrovision Shared
      2008-04-16 13:15:59 0 d-------- C:\Program Files\Common Files\CyberLink
      2008-04-16 12:35:09 10368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
      2008-04-16 12:34:51 0 d-------- C:\Program Files\Common Files\xing shared
      2008-04-16 12:34:49 0 d-------- C:\Program Files\Common Files\Real
      2008-04-16 12:34:44 0 d-------- C:\Program Files\Real
      2008-04-16 12:33:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
      2008-04-16 12:33:30 0 d-------- C:\Program Files\InterVideo
      2008-04-16 12:33:30 0 d-------- C:\Program Files\Common Files\Protexis
      2008-04-16 12:33:30 0 d-------- C:\Program Files\Common Files\InterVideo
      2008-04-16 12:33:12 0 d-------- C:\Program Files\Corel
      2008-04-16 12:20:04 0 d-------- C:\Program Files\Real Alternative
      2008-04-16 12:20:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
      2008-04-16 12:20:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
      2008-04-16 12:06:02 2085376 --a------ C:\WINDOWS\system32\x264vfw.dll
      2008-04-16 12:06:02 630784 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
      2008-04-16 12:06:02 438272 --a------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
      2008-04-16 12:06:02 144384 --a------ C:\WINDOWS\system32\Iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
      2008-04-16 12:06:02 39936 --a------ C:\WINDOWS\system32\huffyuv.dll <Not Verified; Disappearing Inc.; Huffyuv>
      2008-04-16 12:00:07 0 d-------- C:\Program Files\K-Lite Codec Pack
      2008-04-16 11:49:53 143360 --a------ C:\WINDOWS\system32\Stamin32.Dll <Not Verified; MicroDexterity, Inc.; Stamina>
      2008-04-16 11:49:53 0 d-------- C:\Program Files\SPCK Software
      2008-04-16 08:59:45 348160 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll <Not Verified; NCT Company Ltd.; NCTWMAFile2 ActiveX DLL>
      2008-04-16 08:59:45 417792 --a------ C:\WINDOWS\system32\NCTTextToAudio2.dll <Not Verified; Online Media Technologies Ltd.; NCTTextToAudio2 ActiveX DLL>
      2008-04-16 08:59:45 475136 --a------ C:\WINDOWS\system32\NCTAudioVisualizationEx2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioVisualizationEx2 ActiveX DLL>
      2008-04-16 08:59:45 479232 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioVisualization2 ActiveX DLL>
      2008-04-16 08:59:45 602112 --a------ C:\WINDOWS\system32\NCTAudioTransform2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioTransform2 ActiveX DLL>
      2008-04-16 08:59:45 458752 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioRecord2 ActiveX DLL>
      2008-04-16 08:59:45 458752 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioPlayer2 ActiveX DLL>
      2008-04-16 08:59:45 1212416 --a------ C:\WINDOWS\system32\NCTAudioInformation2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioInformation2 ActiveX DLL>
      2008-04-16 08:59:45 1986560 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
      2008-04-16 08:59:45 880640 --a------ C:\WINDOWS\system32\NCTAudioEditor2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioEditor2 ActiveX DLL>
      2008-04-16 08:59:45 417792 --a------ C:\WINDOWS\system32\NCTAudioDisplay2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioDisplay2 ActiveX DLL>
      2008-04-16 08:59:45 2084864 --a------ C:\WINDOWS\system32\NCTAudioDesign2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioDesign2 ActiveX DLL>
      2008-04-16 08:59:45 835584 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll <Not Verified; NCT; NCTAudioCDGrabber2 ActiveX DLL>
      2008-04-16 08:59:44 0 d-------- C:\Program Files\Free Sound Recorder
      2008-03-31 22:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
      2008-03-31 22:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
      2008-03-31 22:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
      2008-03-31 22:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
      2008-03-31 22:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
      2008-03-21 21:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
      2008-03-21 21:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
      2008-03-21 21:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
      2008-03-21 21:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


      -- Find3M Report ---------------------------------------------------------------

      2008-04-19 18:05:48 0 d-------- C:\Program Files\Common Files\Nero
      2008-04-19 17:23:33 0 d-------- C:\Program Files\Google
      2008-04-19 16:04:50 0 d-------- C:\Program Files\Common Files
      2008-04-18 09:29:39 0 d-------- C:\Program Files\Windows Media Connect 2
      2008-04-18 09:22:30 0 d-------- C:\Program Files\DivX
      2008-04-17 15:35:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
      2008-04-16 13:57:21 0 d-------- C:\Program Files\Matroska Pack
      2008-04-16 13:50:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
      2008-04-16 13:34:17 0 d-------- C:\Program Files\Common Files\Adobe
      2008-04-16 13:15:33 0 d-------- C:\Program Files\CyberLink
      2008-04-16 12:08:25 0 d-------- C:\Program Files\ffdshow
      2008-04-16 12:05:22 0 d-------- C:\Program Files\Combined Community Codec Pack
      2008-04-13 14:01:49 0 d-------- C:\Program Files\Movie Maker


      -- Registry Dump ---------------------------------------------------------------

      *Note* empty entries & legit default entries are not shown


      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C}]

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0993770C-B42C-4336-8D5C-99DD842C57DA}]
      18/04/2008 09:21 274432 --------- C:\WINDOWS\system32\vtUnlmnO.dll

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}]

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5A1465-1E73-4784-8F63-45983FDF0DB8}]

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF00010A-5E9C-45D1-836C-9DBD2C8DE2EC}]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
      "LinkResolveIgnoreLinkInfo"=0 (0x0)
      "NoResolveSearch"=1 (0x1)

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
      "LinkResolveIgnoreLinkInfo"=0 (0x0)

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQihGw]
      ssqQihGw.dll

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
      "Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUnlmnO

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
      @="Volume shadow copy"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IPN2220 WLAN Configuration Utility.lnk]
      path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IPN2220 WLAN Configuration Utility.lnk
      backup=C:\WINDOWS\pss\IPN2220 WLAN Configuration Utility.lnkCommon Startup

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
      C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
      C:\WINDOWS\system32\ctfmon.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
      "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
      "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
      "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
      C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
      "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      "C:\Program Files\QuickTime\QTTask.exe" -atboottime

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
      "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
      SOUNDMAN.EXE

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
      "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
      C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
      "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
      %systemroot%\system32\dumprep 0 -u

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "xmlprov"=3 (0x3)
      "WZCSVC"=2 (0x2)
      "WudfSvc"=3 (0x3)
      "wuauserv"=2 (0x2)
      "wscsvc"=2 (0x2)
      "WmiApSrv"=3 (0x3)
      "Wmi"=3 (0x3)
      "WLSetupSvc"=3 (0x3)
      "winmgmt"=2 (0x2)
      "WebClient"=2 (0x2)
      "W32Time"=2 (0x2)
      "VSS"=3 (0x3)
      "usnjsvc"=3 (0x3)
      "UPS"=3 (0x3)
      "upnphost"=3 (0x3)
      "TrkWks"=2 (0x2)
      "Themes"=2 (0x2)
      "TermService"=3 (0x3)
      "TapiSrv"=3 (0x3)
      "SwPrv"=3 (0x3)
      "stisvc"=2 (0x2)
      "SSDPSRV"=3 (0x3)
      "srservice"=2 (0x2)
      "Spooler"=2 (0x2)
      "SLService"=2 (0x2)
      "ShellHWDetection"=2 (0x2)
      "SharedAccess"=2 (0x2)
      "SENS"=2 (0x2)
      "seclogon"=2 (0x2)
      "Schedule"=2 (0x2)
      "SCardSvr"=3 (0x3)
      "SamSs"=2 (0x2)
      "RSVP"=3 (0x3)
      "RDSessMgr"=3 (0x3)
      "RasMan"=3 (0x3)
      "RasAuto"=3 (0x3)
      "PSI_SVC_2"=2 (0x2)
      "ProtectedStorage"=2 (0x2)
      "PolicyAgent"=2 (0x2)
      "PnkBstrA"=2 (0x2)
      "PlugPlay"=2 (0x2)
      "NtmsSvc"=3 (0x3)
      "NMIndexingService"=3 (0x3)
      "Nla"=3 (0x3)
      "Netman"=3 (0x3)
      "Netlogon"=3 (0x3)
      "Nero BackItUp Scheduler 3"=2 (0x2)
      "MSIServer"=3 (0x3)
      "MSDTC"=3 (0x3)
      "LmHosts"=2 (0x2)
      "lanmanworkstation"=2 (0x2)
      "lanmanserver"=2 (0x2)
      "IviRegMgr"=2 (0x2)
      "Irmon"=2 (0x2)
      "iPod Service"=3 (0x3)
      "ImapiService"=3 (0x3)
      "HTTPFilter"=3 (0x3)
      "helpsvc"=2 (0x2)
      "gusvc"=3 (0x3)
      "FLEXnet Licensing Service"=3 (0x3)
      "FastUserSwitchingCompatibility"=3 (0x3)
      "EventSystem"=3 (0x3)
      "Eventlog"=2 (0x2)
      "Dnscache"=2 (0x2)
      "dmserver"=2 (0x2)
      "dmadmin"=3 (0x3)
      "Dhcp"=2 (0x2)
      "CryptSvc"=2 (0x2)
      "COMSysApp"=3 (0x3)
      "clr_optimization_v2.0.50727_32"=2 (0x2)
      "CiSvc"=3 (0x3)
      "Browser"=2 (0x2)
      "Bonjour Service"=2 (0x2)
      "BITS"=3 (0x3)
      "AVGEMS"=2 (0x2)
      "Avg7UpdSvc"=2 (0x2)
      "Avg7Alrt"=2 (0x2)
      "AudioSrv"=2 (0x2)
      "ATI Smart"=2 (0x2)
      "Ati HotKey Poller"=2 (0x2)
      "aspnet_state"=3 (0x3)
      "AppMgmt"=3 (0x3)
      "ALG"=3 (0x3)




      -- End of Deckard's System Scanner: finished at 2008-04-19 18:57:54 ------------

      dss extra.txt

      Deckard's System Scanner v20071014.68
      Extra logfile - please post this as an attachment with your post.
      --------------------------------------------------------------------------------

      -- System Information ----------------------------------------------------------

      Unable to create WMI object.

      Architecture: X86; Language: English

      Percentage of Memory in Use: 18%
      Physical Memory (total/avail): 2046.16 MiB / 1664.83 MiB
      Pagefile Memory (total/avail): 3938.7 MiB / 3731.11 MiB
      Virtual Memory (total/avail): 2047.88 MiB / 1941.38 MiB

      C: is Fixed (NTFS) - 111.77 GiB total, 57.23 GiB free.
      D: is CDROM (No Media)
      E: is Removable (FAT32)
      F: is Removable (No Media)
      G: is Removable (No Media)
      H: is Removable (No Media)
      I: is Removable (No Media)


      -- Security Center -------------------------------------------------------------

      AUOptions is set to notify before install.
      Windows Internal Firewall is enabled.

      AntivirusOverride is set.

      Unable to create WMI object.

      -- Environment Variables -------------------------------------------------------

      ALLUSERSPROFILE=C:\Documents and Settings\All Users
      APPDATA=C:\Documents and Settings\Administrator\Application Data
      CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
      CLIENTNAME=Console
      CommonProgramFiles=C:\Program Files\Common Files
      COMPUTERNAME=YOUR-N1Y9L73B6R
      ComSpec=C:\WINDOWS\system32\cmd.exe
      FP_NO_HOST_CHECK=NO
      HOMEDRIVE=C:
      HOMEPATH=\Documents and Settings\Administrator
      LOGONSERVER=\\YOUR-N1Y9L73B6R
      NUMBER_OF_PROCESSORS=2
      OS=Windows_NT
      Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Samsung\Samsung PC Studio 3\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
      PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
      PROCESSOR_ARCHITECTURE=x86
      PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
      PROCESSOR_LEVEL=15
      PROCESSOR_REVISION=0401
      ProgramFiles=C:\Program Files
      PROMPT=$P$G
      QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
      SESSIONNAME=Console
      SystemDrive=C:
      SystemRoot=C:\WINDOWS
      TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
      TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
      USERDOMAIN=YOUR-N1Y9L73B6R
      USERNAME=Administrator
      USERPROFILE=C:\Documents and Settings\Administrator
      windir=C:\WINDOWS
      __COMPAT_LAYER=EnableNXShowUI


      -- User Profiles ---------------------------------------------------------------

      potverdekke (new local, admin)
      Administrator (admin)


      -- Add/Remove Programs ---------------------------------------------------------

      --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
      --> C:\Program Files\Real Alternative\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
      --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
      Act of War - Direct Action --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F9B915DF-B79C-4747-9BA3-9705A57DC717}\SETUP.EXE" -l0x9
      Act of War - High Treason --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C08EBBFD-C565-472F-9354-5593B9873705}\SETUP.EXE" -l0x9
      Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
      Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
      Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
      Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
      Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
      Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
      Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
      Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
      Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
      Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
      Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
      Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
      Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
      Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
      Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
      Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
      Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
      Adobe Premiere Pro CS3 --> C:\Program Files\Common Files\Adobe\Installers\32fdd767b4383606e8168e834af5d90\Setup.exe
      Adobe Premiere Pro CS3 --> MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}
      Adobe Premiere Pro CS3 Functional Content --> MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}
      Adobe Setup --> MsiExec.exe /I{BB81360F-041C-4CF7-B15E-71380D154244}
      Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
      Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
      Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
      Adobe XMP DVA Panels CS3 --> MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
      Adobe XMP Panels CS3 --> MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
      Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
      ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
      ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
      ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
      AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
      BisonCam, USB2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9E3ACAB-1A3B-4B67-A653-916F250ABAD4}\Setup.exe" -l0x9
      Codec Pack - All In 1 6.0.3.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
      Corel WinDVD 9 --> C:\Program Files\InstallShield Installation Information\{E3993D46-AE3F-402E-9F9D-EEBDFBEC3564}\setup.exe -runfromtemp -l0x0409
      Cossacks - The Art Of War --> C:\WINDOWS\unasetup.exe
      CyberLink PowerDVD 8 --> "C:\Program Files\InstallShield Installation Information\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\Setup.exe" /z-uninstall
      DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
      DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
      DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
      DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
      EW : Cossacks --> C:\WINDOWS\uncsetup.exe
      Extensie voor Windows Live Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{91897B2C-B407-48C2-A76C-E6AC47A9B6A0}
      F15 --> C:\WINDOWS\system32\EAREMOVE.EXE C:\WINDOWS\system32\EA2.UIL
      Falcon 4.0: Allied Force --> MsiExec.exe /I{7A65E382-1843-4B46-861B-1BECB8354911}
      FFA Blaster 2.4.8 --> C:\PROGRA~1\SPCKSO~1\FFABLA~1\UNWISE.EXE C:\PROGRA~1\SPCKSO~1\FFABLA~1\INSTALL.LOG
      Free Sound Recorder v6.6 --> "C:\Program Files\Free Sound Recorder\unins000.exe"
      High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
      HijackThis 2.0.2 --> "C:\HijackThis\HijackThis.exe" /uninstall
      Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
      IPN2220 Wlan Driver and Utility --> MsiExec.exe /I{382D5A55-9EF5-4BA6-8CE2-EA834170EF1D}
      iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
      Jane’s Combat Simulations USAF --> C:\Program Files\Jane's Combat Simulations\USAF\Externals\Setup.exe
      K-Lite Codec Pack 3.8.5 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
      Longbow 2 --> C:\WINDOWS\system32\EAREMOVE.EXE C:\WINDOWS\system32\EA1.UIL
      Markeringviewer (Windows Live Toolbar) --> MsiExec.exe /X{1509FC50-85B6-4F17-8223-423B86BF7FE3}
      Medal of Honor Airborne --> MsiExec.exe /X{25F28E39-FDBB-11DB-8314-0800200C9A66}
      Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
      Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
      Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
      Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
      Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
      Multimedia / Internet Keyboard Driver VerR8.16 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0BD89C0-D39D-11D5-BBEC-00D0B740900A}\Setup.exe" -l0x9
      neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
      Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
      PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
      QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
      Real Alternative 1.7.5 --> "C:\Program Files\Real Alternative\unins000.exe"
      RealPlayer --> C:\Program Files\Real Alternative\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
      Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
      Return to Castle Wolfenstein --> C:\PROGRA~1\RETURN~1\Uninstall\Unwise.exe /u C:\PROGRA~1\RETURN~1\Uninstall\Install.log
      SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
      SAMSUNG Mobile Composite Device Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
      Samsung Mobile phone USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
      SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
      SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
      Samsung PC Studio 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
      Smart Link 56K Voice Modem --> C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
      Smart Menu's (Windows Live Toolbar) --> MsiExec.exe /X{DC54F2F8-C26F-4D22-B92D-7075BC626106}
      Star Wars Galaxies: 14-Day Trial --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5770C6BC-EC01-42DA-A8E0-62C869DB50FD}\setup.exe" -l0x9 -removeonly
      Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
      VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
      Windows Live aanmeldhulp --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
      Windows Live Favorites voor Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
      Windows Live installer --> MsiExec.exe /X{A258173E-F308-475A-951B-F1BF76A4451B}
      Windows Live Messenger --> MsiExec.exe /X{A0C978B8-B82B-4FAD-8C31-EBEE8E57468A}
      Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {CE0E8D6F-1F0A-433A-98E1-2096568E968F}
      Windows Live Toolbar --> MsiExec.exe /X{CE0E8D6F-1F0A-433A-98E1-2096568E968F}
      Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
      WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
      World in Conflict --> C:\Program Files\InstallShield Installation Information\{F11ADC64-C89E-47F4-A0B3-3665FF859397}\setup.exe -runfromtemp -l0x0009 -removeonly


      -- Application Event Log -------------------------------------------------------

      No Errors/Warnings found.


      -- Security Event Log ----------------------------------------------------------

      No Errors/Warnings found.


      -- System Event Log ------------------------------------------------------------

      No Errors/Warnings found.


      -- End of Deckard's System Scanner: finished at 2008-04-19 18:57:54 ------------
      Last edited by blaat; 19-04-08, 20:44.
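The Registry Dump above is where a helper looks first, and the entries that matter are the ones that load code into winlogon.exe (the `winlogon\notify\ssqQihGw` key), into lsass.exe (the extra entry in LSA "Authentication Packages") and into the browser (the Browser Helper Objects keys). The script below is an added example, not part of this thread, of DSS or of HijackThis: it parses a DSS registry dump, flags those persistence points, and reports components that are referenced from more than one of them. The category names and the `msv1_0`-only default are my own choices; the sample text is a constructed subset of the dump posted above. A module referenced from the LSA key is loaded into lsass.exe for as long as Windows runs, so a plain file deletion of it fails while the system is up.

```python
"""Triage of a Deckard's System Scanner (DSS) "Registry Dump" section.

Added example, not part of this thread and not part of DSS or HijackThis: it
parses the dump text and flags the persistence points a malware-removal helper
reads first. The sample below is a constructed subset of the dump posted above.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the Registry Dump posted in this thread.
SAMPLE_DUMP = r"""
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0993770C-B42C-4336-8D5C-99DD842C57DA}]
18/04/2008 09:21 274432 --------- C:\WINDOWS\system32\vtUnlmnO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQihGw]
ssqQihGw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUnlmnO

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")

# msv1_0 is the only authentication package present on a default Windows XP install.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

Finding = Tuple[str, str]  # (category, value)


def parse_registry_dump(text: str) -> Dict[str, List[str]]:
    """Map each [key] header in the dump to the non-empty lines under it."""
    keys: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*Note*"):
            continue
        match = KEY_RE.match(line)
        if match:
            current = match.group(1)
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def triage(keys: Dict[str, List[str]]) -> List[Finding]:
    """Flag persistence entries that load code into winlogon, lsass or the browser."""
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        if "\\winlogon\\notify\\" in k:
            # A Notify subkey loads its DLL into winlogon.exe at every logon.
            findings.extend(("winlogon-notify", v) for v in values)
        elif k.endswith("\\control\\lsa"):
            # Extra authentication packages are loaded into lsass.exe and
            # therefore stay locked while the system is running.
            for v in values:
                if v.lower().startswith('"authentication packages"'):
                    for pkg in v.split("=", 1)[1].split():
                        if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                            findings.append(("lsa-auth-package", pkg))
        elif "browser helper objects" in k:
            clsid = key.rsplit("\\", 1)[-1]
            if not values:
                # CLSID listed without a file line: resolve it by hand.
                findings.append(("bho-unresolved", clsid))
            for v in values:
                # DSS file lines are "date time size attrs path"; the path may contain spaces.
                findings.append(("bho", v.split(None, 4)[-1]))
    return findings


def component_name(value: str) -> str:
    """Base file name without extension, lower-cased, so that a DLL path and a
    bare module name found in different keys compare equal."""
    base = value.replace("/", "\\").rsplit("\\", 1)[-1]
    if "." in base:
        base = base.rsplit(".", 1)[0]
    return base.lower()


def shared_components(findings: List[Finding]) -> Dict[str, List[str]]:
    """Components referenced from more than one persistence location."""
    seen: Dict[str, Set[str]] = {}
    for category, value in findings:
        seen.setdefault(component_name(value), set()).add(category)
    return {name: sorted(cats) for name, cats in seen.items() if len(cats) > 1}


if __name__ == "__main__":
    found = triage(parse_registry_dump(SAMPLE_DUMP))
    for category, value in found:
        print(f"{category:18} {value}")
    for name, cats in shared_components(found).items():
        print(f"{name}: referenced from {', '.join(cats)}")
```

Run against the sample, it reports the Notify DLL, the extra LSA package and the BHO file, and `shared_components` pairs the BHO DLL with the LSA entry under the same base name, which is the signal that a file-level cleanup alone will not be enough for that component.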



      • #4
        Open a Notepad file.
        Copy the text below (everything in bold) into this Notepad file.

        @ECHO OFF
        IF EXIST log.txt DEL log.txt
        RD /s /q C:\WINDOWS\mslagent
        RD /s /q C:\WINDOWS\FVProtect.exe
        RD /s /q "C:\Program Files\Inet Delivery"
        RD /s /q "C:\Documents and Settings\Administrator\Desktopvirii"
        RD /s /q "C:\Documents and Settings\All Users\Application Data\czyxilqx"
        ECHO Deleting files>>log.txt
        FOR %%g in (
        C:\WINDOWS\system32\OnmlnUtv.ini2
        C:\WINDOWS\system32\vtUnlmnO.dll
        C:\WINDOWS\winsystem.exe
        C:\WINDOWS\userconfig9x.dll
        C:\WINDOWS\system32VBIEWERVAXO
        C:\WINDOWS\system32RVAXO
        C:\WINDOWS\mslagent
        C:\WINDOWS\FVProtect.exe
        "C:\Program Files\Inet Delivery"
        "C:\Documents and Settings\Administrator\Desktopvirii"
        "C:\Documents and Settings\Administrator\DesktopFWebdEditor.exe"
        "C:\Documents and Settings\Administrator\Desktopfwebd.exe"
        "C:\Documents and Settings\Administrator\Desktopfilemanagerclient.exe"
        "C:\Documents and Settings\All Users\Application Data\czyxilqx") DO (
        DEL /Q %%gNUCIA
        IF EXIST %%g (
        ATTRIB -r -s -h %%g
        DEL %%g
        REN %%g *NUCIA
        IF EXIST %%gNUCIA (
        ECHO renamed to %%gNUCIA>>log.txt)
        IF EXIST %%g (
        ECHO %%g not deleted>>log.txt
        ) ELSE (
        ECHO %%g deleted>>log.txt)
        ) ELSE (
        ECHO %%g not found>>log.txt))
        START NOTEPAD.EXE log.txt

        Go to File - Save As.
        Under "Save in" choose: Desktop
        Under "File name" enter: del.bat
        Under "Save as type" select: All Files (*.*).
        Click the Save button.

        Try del.bat in Safe Mode.
        Double-click del.bat and post the contents of the log file that opens.

        Restart your computer and also post a new HijackThis log.



        • #5
          In the same folder as Desktopfwebd.exe, DesktopFWebEditor.exe etc., there is also:

          Desktopblackbird.jpg
          DesktopEditorFKWP1.5.exe
          DesktopEditorFKWP2.0.exe
          Desktopfkwp1.5.exe
          Desktopfkwp2.0.exe
          DesktopTrojan.Win32.BlackBird.exe

          Shall I add these to the .bat file as well? Thanks in advance for the time and effort you are willing to put into helping me.



          • #6
            Those can go too (strange that they don't show up in the log).



            • #7
              I thought that was strange too. Here is the del.bat log:

              Deleting files
              C:\WINDOWS\system32\OnmlnUtv.ini2 deleted
              C:\WINDOWS\system32\vtUnlmnO.dll not deleted
              C:\WINDOWS\winsystem.exe deleted
              C:\WINDOWS\userconfig9x.dll deleted
              C:\WINDOWS\system32VBIEWERVAXO deleted
              C:\WINDOWS\system32RVAXO deleted
              C:\WINDOWS\mslagent not found
              C:\WINDOWS\FVProtect.exe deleted
              "C:\Program Files\Inet Delivery" not found
              "C:\Documents and Settings\Administrator\Desktopvirii" not found
              "C:\Documents and Settings\Administrator\DesktopFWebdEditor.exe" deleted
              "C:\Documents and Settings\Administrator\Desktopfwebd.exe" deleted
              "C:\Documents and Settings\Administrator\Desktopfilemanagerclient.exe" deleted
              "C:\Documents and Settings\Administrator\Desktopblackbird.jpg" deleted
              "C:\Documents and Settings\Administrator\DesktopEditorFKWP1.5.exe" deleted
              "C:\Documents and Settings\Administrator\DesktopEditorFKWP2.0.exe" deleted
              "C:\Documents and Settings\Administrator\Desktopfkwp1.5.exe" deleted
              "C:\Documents and Settings\Administrator\Desktopfkwp2.0.exe" deleted
              "C:\Documents and Settings\Administrator\DesktopTrojan.Win32.BlackBird.exe" deleted
              "C:\Documents and Settings\All Users\Application Data\czyxilqx" not found

              And a new HijackThis log after a normal boot, this time with startup mode "Normal" in msconfig (so all services on and all the laptop bloatware programs active). The crashing/restarting of explorer continues. I suspect this is due to that FKWP; it is apparently a keylogger that (among other things) injects itself into explorer.exe.

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 20:51:23, on 19/04/2008
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v7.00 (7.00.6000.16640)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
              C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
              C:\WINDOWS\SOUNDMAN.EXE
              C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
              C:\Program Files\QuickTime\QTTask.exe
              C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\Windows Live\Messenger\msnmsgr.exe
              C:\Program Files\InProComm\IPN2220\wlan_ui.exe
              C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
              C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
              C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
              C:\Program Files\Bonjour\mDNSResponder.exe
              C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
              C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
              C:\WINDOWS\system32\msiexec.exe
              C:\WINDOWS\system32\PnkBstrA.exe
              C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
              C:\WINDOWS\system32\slserv.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
              C:\WINDOWS\System32\imapi.exe
              C:\WINDOWS\system32\cmd.exe
              C:\WINDOWS\explorer.exe
              C:\WINDOWS\system32\rundll32.exe
              C:\HijackThis\HijackThis.exe
              C:\WINDOWS\system32\wuauclt.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
              O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
              O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - (no file)
              O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
              O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
              O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
              O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
              O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
              O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
              O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
              O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
              O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
              O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
              O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
              O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
              O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
              O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
              O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
              O4 - Global Startup: IPN2220 WLAN Configuration Utility.lnk = C:\Program Files\InProComm\IPN2220\wlan_ui.exe
              O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
              O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
              O21 - SSODL: PrxComponent - {b32a9929-e79f-466b-80d5-e1b8ecc3985c} - (no file)
              O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
              O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
              O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
              O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
              O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
              O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
              O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
              O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
              O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
              O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

              --
              End of file - 6737 bytes
              Last edited by blaat; 19-04-08, 21:57.



              • #8
                I think it has to do with these last few files.

                Download The Avenger and place it on your desktop: http://swandog46.geekstogo.com/avenger2/download.php
                Unzip it.
                Start the program by clicking avenger.exe.
                In the "Input Script here" window, paste the following (in bold):


                Folders to delete:
                C:\WINDOWS\system32\OnmlnUtv.ini2
                C:\WINDOWS\system32\OnmlnUtv.ini2
                C:\WINDOWS\system32\vtUnlmnO.dll


                Then click the "Execute" button.
                Avenger will say that the computer is going to restart; allow this.
                After the reboot a log file (avenger.txt) opens. Post the contents of the log file.



                • #9
                  Log file from The Avenger:

                  Logfile of The Avenger Version 2.0, (c) by Swandog46
                  http://swandog46.geekstogo.com

                  Platform: Windows XP

                  *******************

                  Script file opened successfully.
                  Script file read successfully.

                  Backups directory opened successfully at C:\Avenger

                  *******************

                  Beginning to process script file:

                  Rootkit scan active.
                  No rootkits found!


                  Error: "C:\WINDOWS\system32\OnmlnUtv.ini2" is not a folder! It may instead be a file.
                  Deletion of folder "C:\WINDOWS\system32\OnmlnUtv.ini2" failed!
                  Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)
                  --> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file


                  Error: "C:\WINDOWS\system32\OnmlnUtv.ini2" is not a folder! It may instead be a file.
                  Deletion of folder "C:\WINDOWS\system32\OnmlnUtv.ini2" failed!
                  Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)
                  --> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file


                  Error: "C:\WINDOWS\system32\vtUnlmnO.dll" is not a folder! It may instead be a file.
                  Deletion of folder "C:\WINDOWS\system32\vtUnlmnO.dll" failed!
                  Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)
                  --> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file


                  Completed script processing.

                  *******************

                  Finished! Terminate.


                  On restarting, besides the Avenger log I got this error message 4 times:

                  Windows - No Disk
                  Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c
                  Cancel | Try Again | Continue

                  Some googling turned up that this usually has to do with built-in card readers that are written to or read from at startup. I do indeed have 4 of them. While saving the log file I also got the searching-flashlight animation in My Computer until I had clicked Cancel on all 4 error messages.

                  After restarting once more, these error messages have disappeared.
                  Last edited by blaat; 19-04-08, 23:03.



                  • #10
                    My mistake, it should have been: Files to delete:

                    Start the program by clicking avenger.exe.
                    In the "Input Script here" window, paste the following (in bold):


                    Files to delete:
                    C:\WINDOWS\system32\OnmlnUtv.ini2
                    C:\WINDOWS\system32\OnmlnUtv.ini2
                    C:\WINDOWS\system32\vtUnlmnO.dll


                    Then click the "Execute" button.
                    Avenger will say that the computer is going to restart; allow this.
                    After the reboot a log file (avenger.txt) opens. Post the contents of the log file.



                    • #11
                      Result:

                      Logfile of The Avenger Version 2.0, (c) by Swandog46
                      http://swandog46.geekstogo.com

                      Platform: Windows XP

                      *******************

                      Script file opened successfully.
                      Script file read successfully.

                      Backups directory opened successfully at C:\Avenger

                      *******************

                      Beginning to process script file:

                      Rootkit scan active.
                      No rootkits found!

                      File "C:\WINDOWS\system32\OnmlnUtv.ini2" deleted successfully.

                      Error: file "C:\WINDOWS\system32\OnmlnUtv.ini2" not found!
                      Deletion of file "C:\WINDOWS\system32\OnmlnUtv.ini2" failed!
                      Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
                      --> the object does not exist

                      File "C:\WINDOWS\system32\vtUnlmnO.dll" deleted successfully.

                      Completed script processing.

                      *******************

                      Finished! Terminate.

                      That one failure seems to me to be because the same file appeared twice in the script. Incidentally, I got the same error messages again as after the previous Avenger reboot, but after that they are gone.

                      By the way, it looks like explorer no longer crashes and restarts!
                      Last edited by blaat; 20-04-08, 00:52.



                      • #12
                        Sleep wins sometimes too; I had to get away from the PC.

                        Post a new HijackThis log.



                        • #13
                          Here you go:

                          Logfile of Trend Micro HijackThis v2.0.2
                          Scan saved at 00:53:37, on 20/04/2008
                          Platform: Windows XP SP2 (WinNT 5.01.2600)
                          MSIE: Internet Explorer v7.00 (7.00.6000.16640)
                          Boot mode: Normal

                          Running processes:
                          C:\WINDOWS\System32\smss.exe
                          C:\WINDOWS\system32\winlogon.exe
                          C:\WINDOWS\system32\services.exe
                          C:\WINDOWS\system32\lsass.exe
                          C:\WINDOWS\system32\Ati2evxx.exe
                          C:\WINDOWS\system32\svchost.exe
                          C:\WINDOWS\System32\svchost.exe
                          C:\WINDOWS\system32\Ati2evxx.exe
                          C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                          C:\WINDOWS\Explorer.EXE
                          C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                          C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
                          C:\WINDOWS\SOUNDMAN.EXE
                          C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
                          C:\Program Files\QuickTime\QTTask.exe
                          C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
                          C:\WINDOWS\system32\ctfmon.exe
                          C:\Program Files\Windows Live\Messenger\msnmsgr.exe
                          C:\Program Files\InProComm\IPN2220\wlan_ui.exe
                          C:\WINDOWS\system32\spoolsv.exe
                          C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
                          C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                          C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                          C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                          C:\Program Files\Bonjour\mDNSResponder.exe
                          C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
                          C:\WINDOWS\system32\msiexec.exe
                          C:\WINDOWS\system32\PnkBstrA.exe
                          C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
                          C:\WINDOWS\system32\slserv.exe
                          C:\WINDOWS\System32\svchost.exe
                          C:\WINDOWS\system32\wuauclt.exe
                          C:\HijackThis\HijackThis.exe

                          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
                          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
                          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
                          O2 - BHO: DVA Storm - {069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C} - (no file)
                          O2 - BHO: (no name) - {7F8E6777-4E7D-43F5-9AAB-68ED8BA662E3} - C:\WINDOWS\system32\vtUnlmnO.dll (file missing)
                          O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                          O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                          O2 - BHO: (no name) - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - (no file)
                          O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - (no file)
                          O2 - BHO: (no name) - {FF00010A-5E9C-45D1-836C-9DBD2C8DE2EC} - (no file)
                          O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                          O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - (no file)
                          O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
                          O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
                          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
                          O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                          O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
                          O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                          O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
                          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                          O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
                          O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
                          O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
                          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                          O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
                          O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
                          O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
                          O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
                          O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
                          O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
                          O4 - Global Startup: IPN2220 WLAN Configuration Utility.lnk = C:\Program Files\InProComm\IPN2220\wlan_ui.exe
                          O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
                          O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
                          O20 - Winlogon Notify: ssqQihGw - ssqQihGw.dll (file missing)
                          O21 - SSODL: PrxComponent - {b32a9929-e79f-466b-80d5-e1b8ecc3985c} - (no file)
                          O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                          O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                          O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                          O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                          O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                          O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                          O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                          O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
                          O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
                          O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
                          O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

                          --
                          End of file - 7490 bytes

                          I'm currently running Ad-Aware once more to see whether it still finds anything, but that will take a while.



                          • #14
                            Start HijackThis and tick only the following lines:
                            O2 - BHO: DVA Storm - {069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C} - (no file)
                            O2 - BHO: (no name) - {7F8E6777-4E7D-43F5-9AAB-68ED8BA662E3} - C:\WINDOWS\system32\vtUnlmnO.dll (file missing)
                            O2 - BHO: (no name) - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - (no file)
                            O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - (no file)
                            O2 - BHO: (no name) - {FF00010A-5E9C-45D1-836C-9DBD2C8DE2EC} - (no file)
                            O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - (no file)
                            O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -ul
                            O20 - Winlogon Notify: ssqQihGw - ssqQihGw.dll (file missing)
                            O21 - SSODL: PrxComponent - {b32a9929-e79f-466b-80d5-e1b8ecc3985c} - (no file)

                            Close all open windows (except HijackThis) and click the "Fix checked" button.

                            Restart the computer and post a new log so we can check it.

                            Now I'm really going to sleep; I'll see your answer tomorrow.

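The rule the helper applies in post #14 is mechanical: tick every entry HijackThis marks "(no file)" or "(file missing)", because after The Avenger removed the DLL only the registry hooks are left. Here is that rule as a small Python parser, an added example that is not code from this thread, from HijackThis or from The Avenger; the sample log lines are constructed from the logs posted above.

```python
"""Flag orphaned HijackThis entries and diff two logs.

Added example (not from the thread, HijackThis or The Avenger). It encodes
the helper's selection rule: entries HijackThis marks "(no file)" or
"(file missing)" point at components whose files are already gone (here
vtUnlmnO.dll, deleted by The Avenger), so the registry hooks themselves
are what remains to be fixed. Sample lines are constructed from the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# A HijackThis result line is "<section code> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<code>[RFOT]\d+) - (?P<body>.+)$")
# Markers HijackThis appends when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class Entry:
    code: str   # section code: R0, O2, O3, O4, O20, O21, O23, ...
    body: str   # everything after "<code> - "

    @property
    def line(self) -> str:
        return f"{self.code} - {self.body}"

    @property
    def orphaned(self) -> bool:
        """True when the entry refers to a file that no longer exists."""
        return any(marker in self.body for marker in ORPHAN_MARKERS)

    @property
    def clsid(self) -> Optional[str]:
        """COM class id of a BHO/toolbar/SSODL entry, normalised to upper case."""
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None


def parse_log(text: str) -> List[Entry]:
    """Keep only scan-result lines; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def fix_list(text: str) -> List[str]:
    """Lines to tick for "Fix checked": every orphaned entry, in log order."""
    return [e.line for e in parse_log(text) if e.orphaned]


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Lines only in `before` (removed by the fix) and only in `after` (new)."""
    b = {e.line for e in parse_log(before)}
    a = {e.line for e in parse_log(after)}
    return b - a, a - b


# Constructed sample: a subset of the log posted after The Avenger run.
SAMPLE_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DVA Storm - {069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C} - (no file)
O2 - BHO: (no name) - {7F8E6777-4E7D-43F5-9AAB-68ED8BA662E3} - C:\WINDOWS\system32\vtUnlmnO.dll (file missing)
O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: ssqQihGw - ssqQihGw.dll (file missing)
O21 - SSODL: PrxComponent - {b32a9929-e79f-466b-80d5-e1b8ecc3985c} - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Constructed sample: the same machine after "Fix checked" and a reboot.
SAMPLE_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    print("Tick these lines in HijackThis:")
    for line in fix_list(SAMPLE_BEFORE):
        print("  " + line)
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"\nRemoved by the fix: {len(removed)}, new entries: {len(added)}")
```

Running diff_logs on the two real logs in this thread (posts #13 and #15) confirms that exactly the ticked lines disappeared and nothing new appeared.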


                            • #15
                              Good morning ^^

                              Here is the new HijackThis log:

                              Logfile of Trend Micro HijackThis v2.0.2
                              Scan saved at 01:06:49, on 20/04/2008
                              Platform: Windows XP SP2 (WinNT 5.01.2600)
                              MSIE: Internet Explorer v7.00 (7.00.6000.16640)
                              Boot mode: Normal

                              Running processes:
                              C:\WINDOWS\System32\smss.exe
                              C:\WINDOWS\system32\winlogon.exe
                              C:\WINDOWS\system32\services.exe
                              C:\WINDOWS\system32\lsass.exe
                              C:\WINDOWS\system32\Ati2evxx.exe
                              C:\WINDOWS\system32\svchost.exe
                              C:\WINDOWS\System32\svchost.exe
                              C:\WINDOWS\system32\Ati2evxx.exe
                              C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                              C:\WINDOWS\Explorer.EXE
                              C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                              C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
                              C:\WINDOWS\SOUNDMAN.EXE
                              C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
                              C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
                              C:\WINDOWS\system32\ctfmon.exe
                              C:\Program Files\Windows Live\Messenger\msnmsgr.exe
                              C:\Program Files\InProComm\IPN2220\wlan_ui.exe
                              C:\WINDOWS\system32\spoolsv.exe
                              C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
                              C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                              C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                              C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                              C:\Program Files\Bonjour\mDNSResponder.exe
                              C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
                              C:\WINDOWS\system32\msiexec.exe
                              C:\WINDOWS\system32\PnkBstrA.exe
                              C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
                              C:\WINDOWS\system32\slserv.exe
                              C:\WINDOWS\System32\svchost.exe
                              C:\HijackThis\HijackThis.exe

                              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
                              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
                              O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                              O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                              O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
                              O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
                              O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
                              O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                              O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
                              O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                              O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
                              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                              O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
                              O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
                              O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
                              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                              O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
                              O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
                              O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
                              O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
                              O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
                              O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
                              O4 - Global Startup: IPN2220 WLAN Configuration Utility.lnk = C:\Program Files\InProComm\IPN2220\wlan_ui.exe
                              O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
                              O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
                              O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                              O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                              O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                              O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                              O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                              O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                              O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                              O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                              O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
                              O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
                              O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
                              O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

                              --
                              End of file - 6719 bytes

                              The crashing/restarting of explorer.exe has now effectively disappeared. Ad-Aware still gives the same results as in my first post, though, except for Adware.Agent, which is now gone. Should I let it remove the others?
