Hallo,

Sluit alle open vensters.
Start HijackThis nog een keer en plaats een vinkje bij de volgende items:

O2 - BHO: (no name) - {B19B6F31-E9F7-4871-B12A-57171D66FE97} - C:\WINDOWS\system32\ljjgeeff.dll (file missing)

Klik daarna op "Fix checked" en sluit HijackThis af.


Download combofix.exe van deze site: http://www.bleepingcomputer.com/comb...uikt-te-worden
Volg de instructies die daar gegeven worden. Is er iets niet duidelijk, dan vraag je het.
Als het tooltje klaar is, opent er een logfile (combofix.txt).
Post de inhoud van dit bestandje samen met een nieuwe hijackthislog.

ComboFix 08-04-20.5 - Administrator 2008-04-21 23:13:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1033.18.86 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Temporary
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ffeegjjl.ini
C:\WINDOWS\system32\ffeegjjl.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqRHwWoL.dll
C:\WINDOWS\system32\xxyywwut.dll
C:\WINDOWS\system32\yayyXRLB.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-21 22:43 . 2008-04-21 22:56 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-04-21 22:43 . 2008-04-21 22:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Thunderbird
2008-04-21 20:12 . 2008-04-21 20:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 18:27 . 2008-04-21 18:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-21 18:27 . 2008-04-21 18:27 2,548 --a------ C:\WINDOWS\unins000.dat
2008-04-20 22:32 . 2008-04-20 22:32 <DIR> d-------- C:\Program Files\Avira
2008-04-20 22:32 . 2008-04-20 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-20 22:28 . 2008-04-20 22:28 2,128 --a------ C:\WINDOWS\system32\mrclcsht.dll
2008-04-20 22:28 . 2008-04-20 22:28 294 ---hs---- C:\WINDOWS\system32\yqtonmlh.ini
2008-04-20 21:59 . 2008-04-21 16:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 18:20 . 2008-04-20 18:17 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-20 18:16 . 2008-04-20 21:41 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-04-20 17:59 . 2008-04-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-20 16:58 . 2008-04-20 16:58 101 --a------ C:\WINDOWS\wininit.ini
2008-04-20 13:02 . 2008-04-21 18:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 13:01 . 2008-04-20 13:01 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-19 22:42 . 2008-04-19 22:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-19 22:42 . 2008-04-19 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 22:13 . 2008-04-20 16:58 1,540,677 ---hs---- C:\WINDOWS\system32\pnpdajsb.ini
2008-04-18 22:40 . 2008-04-18 22:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-18 20:51 . 2008-04-18 21:37 1,540,677 ---hs---- C:\WINDOWS\system32\nldpqlao.ini
2008-04-18 20:51 . 2008-04-20 18:05 109,811 --a------ C:\WINDOWS\BM6bb7e274.xml
2008-04-17 22:51 . 2008-04-20 10:34 <DIR> d-------- C:\WINDOWS\system32\xcsDd18
2008-04-17 22:51 . 2008-04-17 22:51 31,232 --a------ C:\WINDOWS\system32\hgghfghe.dll
2008-04-15 02:43 . 2008-04-14 23:43 74,240 --------- C:\WINDOWS\b156.exe_tobedeleted
2008-04-12 09:18 . 2008-04-12 09:19 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-11 16:48 . 2008-04-11 13:48 11,264 --a------ C:\WINDOWS\b138.exe
2008-04-10 23:53 . 2008-04-10 23:53 244 --ah----- C:\sqmnoopt13.sqm
2008-04-10 23:53 . 2008-04-10 23:53 232 --ah----- C:\sqmdata13.sqm
2008-04-09 22:44 . 2008-04-09 22:44 244 --ah----- C:\sqmnoopt12.sqm
2008-04-09 22:44 . 2008-04-09 22:44 232 --ah----- C:\sqmdata12.sqm
2008-04-08 23:16 . 2008-04-08 23:16 244 --ah----- C:\sqmnoopt11.sqm
2008-04-08 23:16 . 2008-04-08 23:16 232 --ah----- C:\sqmdata11.sqm
2008-04-07 22:49 . 2008-04-07 22:49 244 --ah----- C:\sqmnoopt10.sqm
2008-04-07 22:49 . 2008-04-07 22:49 232 --ah----- C:\sqmdata10.sqm
2008-03-30 14:12 . 2008-03-30 14:12 <DIR> d-------- C:\Program Files\Free Audio Pack
2008-03-25 20:42 . 2008-03-25 20:43 <DIR> d-------- C:\Program Files\mp3DirectCut
2008-03-25 20:23 . 2008-04-20 10:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-25 09:42 . 2008-04-12 20:14 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-23 15:47 . 2008-03-23 15:47 <DIR> d-------- C:\Program Files\LucasArts
2008-03-23 12:55 . 2008-03-23 12:55 <DIR> d-------- C:\Program Files\uTorrent
2008-03-23 12:55 . 2008-04-17 23:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-03-23 12:43 . 2008-03-23 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-23 12:42 . 2008-03-23 12:54 <DIR> d-------- C:\Program Files\Azureus
2008-03-23 12:42 . 2008-03-23 12:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-03-23 10:35 . 2008-03-23 10:35 244 --ah----- C:\sqmnoopt09.sqm
2008-03-23 10:35 . 2008-03-23 10:35 232 --ah----- C:\sqmdata09.sqm
2008-03-23 01:14 . 2008-03-23 01:14 244 --ah----- C:\sqmnoopt08.sqm
2008-03-23 01:14 . 2008-03-23 01:14 232 --ah----- C:\sqmdata08.sqm
2008-03-22 20:55 . 2003-03-18 21:03 544,768 --a------ C:\WINDOWS\system32\MSVCR71D.DLL
2008-03-22 20:48 . 2003-03-18 22:28 2,179,072 --a------ C:\WINDOWS\system32\MFC71D.DLL
2008-03-22 09:02 . 2008-03-22 09:02 244 --ah----- C:\sqmnoopt07.sqm
2008-03-22 09:02 . 2008-03-22 09:02 232 --ah----- C:\sqmdata07.sqm
2008-03-22 00:14 . 2008-03-22 00:14 244 --ah----- C:\sqmnoopt06.sqm
2008-03-22 00:14 . 2008-03-22 00:14 232 --ah----- C:\sqmdata06.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 13:29 --------- d-----w C:\Program Files\Java
2008-04-21 13:25 --------- d-----w C:\Program Files\Network Associates
2008-04-21 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-04-19 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 20:48 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-04-17 20:54 316,928 ----a-w C:\WINDOWS\Fonts\rar.exe
2008-04-12 21:49 --------- d-----w C:\Program Files\EndItAll
2008-03-28 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 20:22 307,968 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-18 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-03-18 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-02 20:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-27 12:15 28,416 ----a-w C:\WINDOWS\system32\uxtuneup.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4AC5231-62AD-42A5-B012-A5601ED5455F}]
2008-04-17 22:51 31232 --a------ C:\WINDOWS\system32\hgghfghe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFNF5"="TFNF5.exe" [2001-09-04 11:29 69632 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 15:38 159744]
"Tpwrtray"="TPWRTRAY.EXE" [2003-05-08 10:37 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A4AC5231-62AD-42A5-B012-A5601ED5455F}"= C:\WINDOWS\system32\hgghfghe.dll [2008-04-17 22:51 31232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghfghe]
hgghfghe.dll 2008-04-17 22:51 31232 C:\WINDOWS\system32\hgghfghe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"MSACM.msrt24"= msrt24.acm
"vidc.XVID"= xvid.dll
"msacm.l3codec"= l3codecp.acm
"msacm.lameacm"= lameACM.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Terminal Reality\\4x4 Evo2\\4x42.exe"=
"C:\\Program Files\\evo 1\\4x4.Evolution.MYTH\\4x4.exe"=
"C:\\Program Files\\Microsoft Games\\Monster Truck Madness 2\\monster.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 19:53]
R2 UxTuneUp;TuneUp Thema-uitbreiding;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:56]
R3 SMC2835W_PCI;SMC2835W 2.4GHz 54 Mbps Wireless Cardbus Driver;C:\WINDOWS\system32\DRIVERS\2835WICB.sys [2004-12-14 15:12]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-09-17 17:12]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-18 22:22]
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 09:56]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf1d72-7171-11da-9f5a-806d6172696f}]
\Shell\AutoRun\command - E:\Programs\nu2menu\nu2menu.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 21:18:30 C:\WINDOWS\Tasks\Easy Onderhoud.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-04-21 21:21:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 23:19:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\hgghfghe.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-04-21 23:24:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-21 21:23:46

Pre-Run: 20,024,819,712 bytes free
Post-Run: 19,962,183,680 bytes free

196 --- E O F --- 2008-04-19 21:34:34

Hijackthislog

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:25:26, on 21/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.be/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A4AC5231-62AD-42A5-B012-A5601ED5455F} - C:\WINDOWS\system32\hgghfghe.dll
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.phlimburg.be
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134656364634
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACA9B54A-F5F5-490B-BD98-6B0E0D21A691}: NameServer = 192.168.1.1
O20 - Winlogon Notify: hgghfghe - C:\WINDOWS\SYSTEM32\hgghfghe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5854 bytes

Open een kladblokbestand.
Kopieer de ondestaande code, en plak deze in het kladblokbestand.
Sla het kladblokbestand op als CFScript.txt
Sleep nu het bestand CFScript.txt in het bestand ComboFix.exe

ComboFix zal opnieuw starten.
Wanneer ComboFix klaar is, dit kan na een herstart zijn, opent er een logfile.
Post de inhoud van de logfile.

ComboFix 08-04-20.5 - Administrator 2008-04-22 20:10:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1033.18.60 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\b138.exe
C:\WINDOWS\b156.exe_tobedeleted
C:\WINDOWS\system32\hgghfghe.dll
C:\WINDOWS\system32\mrclcsht.dll
C:\WINDOWS\system32\nldpqlao.ini
C:\WINDOWS\system32\pnpdajsb.ini
C:\WINDOWS\system32\yqtonmlh.ini
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b138.exe
C:\WINDOWS\b156.exe_tobedeleted
C:\WINDOWS\system32\hgghfghe.dll
C:\WINDOWS\system32\mrclcsht.dll
C:\WINDOWS\system32\nldpqlao.ini
C:\WINDOWS\system32\pnpdajsb.ini
C:\WINDOWS\system32\yqtonmlh.ini
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-21 22:43 . 2008-04-21 22:56 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-04-21 22:43 . 2008-04-21 22:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Thunderbird
2008-04-21 20:12 . 2008-04-21 20:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 18:27 . 2008-04-21 18:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-21 18:27 . 2008-04-21 18:27 2,548 --a------ C:\WINDOWS\unins000.dat
2008-04-20 22:32 . 2008-04-20 22:32 <DIR> d-------- C:\Program Files\Avira
2008-04-20 22:32 . 2008-04-20 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-20 21:59 . 2008-04-21 16:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 18:20 . 2008-04-20 18:17 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-20 18:16 . 2008-04-20 21:41 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-04-20 17:59 . 2008-04-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-20 13:02 . 2008-04-21 18:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 13:01 . 2008-04-20 13:01 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-19 22:42 . 2008-04-19 22:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-19 22:42 . 2008-04-19 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 22:40 . 2008-04-18 22:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-18 20:51 . 2008-04-20 18:05 109,811 --a------ C:\WINDOWS\BM6bb7e274.xml
2008-04-17 22:51 . 2008-04-20 10:34 <DIR> d-------- C:\WINDOWS\system32\xcsDd18
2008-04-12 09:18 . 2008-04-12 09:19 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-10 23:53 . 2008-04-10 23:53 244 --ah----- C:\sqmnoopt13.sqm
2008-04-10 23:53 . 2008-04-10 23:53 232 --ah----- C:\sqmdata13.sqm
2008-04-09 22:44 . 2008-04-09 22:44 244 --ah----- C:\sqmnoopt12.sqm
2008-04-09 22:44 . 2008-04-09 22:44 232 --ah----- C:\sqmdata12.sqm
2008-04-08 23:16 . 2008-04-08 23:16 244 --ah----- C:\sqmnoopt11.sqm
2008-04-08 23:16 . 2008-04-08 23:16 232 --ah----- C:\sqmdata11.sqm
2008-04-07 22:49 . 2008-04-07 22:49 244 --ah----- C:\sqmnoopt10.sqm
2008-04-07 22:49 . 2008-04-07 22:49 232 --ah----- C:\sqmdata10.sqm
2008-03-30 14:12 . 2008-03-30 14:12 <DIR> d-------- C:\Program Files\Free Audio Pack
2008-03-25 20:42 . 2008-03-25 20:43 <DIR> d-------- C:\Program Files\mp3DirectCut
2008-03-25 20:23 . 2008-04-20 10:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-25 09:42 . 2008-04-12 20:14 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-23 15:47 . 2008-03-23 15:47 <DIR> d-------- C:\Program Files\LucasArts
2008-03-23 12:55 . 2008-03-23 12:55 <DIR> d-------- C:\Program Files\uTorrent
2008-03-23 12:55 . 2008-04-17 23:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-03-23 12:43 . 2008-03-23 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-23 12:42 . 2008-03-23 12:54 <DIR> d-------- C:\Program Files\Azureus
2008-03-23 12:42 . 2008-03-23 12:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-03-23 10:35 . 2008-03-23 10:35 244 --ah----- C:\sqmnoopt09.sqm
2008-03-23 10:35 . 2008-03-23 10:35 232 --ah----- C:\sqmdata09.sqm
2008-03-23 01:14 . 2008-03-23 01:14 244 --ah----- C:\sqmnoopt08.sqm
2008-03-23 01:14 . 2008-03-23 01:14 232 --ah----- C:\sqmdata08.sqm
2008-03-22 20:55 . 2003-03-18 21:03 544,768 --a------ C:\WINDOWS\system32\MSVCR71D.DLL
2008-03-22 20:48 . 2003-03-18 22:28 2,179,072 --a------ C:\WINDOWS\system32\MFC71D.DLL
2008-03-22 09:02 . 2008-03-22 09:02 244 --ah----- C:\sqmnoopt07.sqm
2008-03-22 09:02 . 2008-03-22 09:02 232 --ah----- C:\sqmdata07.sqm
2008-03-22 00:14 . 2008-03-22 00:14 244 --ah----- C:\sqmnoopt06.sqm
2008-03-22 00:14 . 2008-03-22 00:14 232 --ah----- C:\sqmdata06.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 13:29 --------- d-----w C:\Program Files\Java
2008-04-21 13:25 --------- d-----w C:\Program Files\Network Associates
2008-04-21 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-04-19 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 20:48 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-04-17 20:54 316,928 ----a-w C:\WINDOWS\Fonts\rar.exe
2008-04-12 21:49 --------- d-----w C:\Program Files\EndItAll
2008-03-28 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-03-18 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-02 20:14 --------- d-----w C:\Program Files\Common Files\Adobe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\xcsDd18 ----



((((((((((((((((((((((((((((( [email protected]_23.23.04.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-21 21:18:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 18:14:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4AC5231-62AD-42A5-B012-A5601ED5455F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFNF5"="TFNF5.exe" [2001-09-04 11:29 69632 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 15:38 159744]
"Tpwrtray"="TPWRTRAY.EXE" [2003-05-08 10:37 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"MSACM.msrt24"= msrt24.acm
"vidc.XVID"= xvid.dll
"msacm.l3codec"= l3codecp.acm
"msacm.lameacm"= lameACM.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Terminal Reality\\4x4 Evo2\\4x42.exe"=
"C:\\Program Files\\evo 1\\4x4.Evolution.MYTH\\4x4.exe"=
"C:\\Program Files\\Microsoft Games\\Monster Truck Madness 2\\monster.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 19:53]
R2 UxTuneUp;TuneUp Thema-uitbreiding;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:56]
R3 SMC2835W_PCI;SMC2835W 2.4GHz 54 Mbps Wireless Cardbus Driver;C:\WINDOWS\system32\DRIVERS\2835WICB.sys [2004-12-14 15:12]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-09-17 17:12]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-18 22:22]
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 09:56]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf1d72-7171-11da-9f5a-806d6172696f}]
\Shell\AutoRun\command - E:\Programs\nu2menu\nu2menu.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 18:17:07 C:\WINDOWS\Tasks\Easy Onderhoud.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-04-22 18:17:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 20:18:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 4

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-04-22 20:24:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 18:24:04
ComboFix2.txt 2008-04-21 21:24:05

Pre-Run: 19,938,742,272 bytes free
Post-Run: 19,925,504,000 bytes free

189 --- E O F --- 2008-04-19 21:34:34

Open een kladblokbestand.
Kopieer onderstaande (alles wat vetgedrukt is) in dit kladblokbestand.
@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting folders>>log.txt
FOR %%I in (
C:\WINDOWS\system32\xcsDd18) DO (
IF EXIST %%I (
RD /S /Q %%I
IF EXIST %%I (
ECHO %%I not deleted>>log.txt
) ELSE (
ECHO %%I deleted successfully>>log.txt)
) ELSE (
ECHO %%I not found>>log.txt))
START NOTEPAD.EXE log.txt

Ga naar Bestand - Opslaan als.
Bij "Opslaan in" kies je: Bureaublad
Bij "Bestandsnaam" zet je: del.bat
Bij "Opslaan als type" selecteer je: Alle bestanden (*.*).
Klik op de knop Opslaan.

Dubbelklik op del.bat en post de inhoud van de logfile die opent.

Maak een nieuwe hijackthislog en post deze.

Deleting folders
C:\WINDOWS\system32\xcsDd18 deleted successfully



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:14:16, on 22/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.be/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.phlimburg.be
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134656364634
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACA9B54A-F5F5-490B-BD98-6B0E0D21A691}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5702 bytes

Ziet er goed uit.

Sluit alle open vensters.
Start HijackThis nog een keer en plaats een vinkje bij de volgende items:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Klik daarna op "Fix checked" en sluit HijackThis af.

Zijn er nog problemen?

Super!! Ik heb geen virusmelding meer gehad en laptopje loopt als een trein
Je (en je collega's hier) bent gewoon geweldig!

Donatie is zéker onderweg.

Nog een vraagje uit nieuwsgierigheid... is het normaal van svchost.exe soms wel tot 5 keer gelijk draait

Graag gedaan en jij ook alvast bedankt voor de donatie.

Ga naar Start - Uitvoeren en tik in: ComboFix /u
Druk op Enter.


Dat is normaal en heeft te maken met het services-verhaal.
Ik quote even wat ik op mijn website heb staan hierover:
Meer info over hoe je een nieuwe infectie kan voorkomen vind je hier en hier.

De status van deze thread zet ik op opgelost.
Indien er niet meer gereageerd wordt, zal binnen een 3-tal dagen deze thread automatisch verplaatst worden naar de sectie Opgeloste hijackthislogs en is een reactie niet meer mogelijk. Dit om het forum netjes en overzichtelijk te houden.
Blijkt dat er toch nog problemen zijn, en je wil weer reageren in dit topic, dan stuur je me een privé bericht met verzoek om heropening.

Happy surfing again.