Vundo.gen virus won't go away


  • Vundo.gen virus won't go away

    I see there is already a thread about TR\Vundo .gen, but I suspect no two problems are the same, so I'm opening a new one.

    I use Avira Antivirus. I keep getting Vundo.gen alerts, but Avira apparently doesn't know what to do with it...

    Could someone take a look at my logfile?
    Thanks in advance

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:14:11, on 21/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.phlimburg.be
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.be/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {A4AC5231-62AD-42A5-B012-A5601ED5455F} - C:\WINDOWS\system32\hgghfghe.dll
    O2 - BHO: (no name) - {B19B6F31-E9F7-4871-B12A-57171D66FE97} - C:\WINDOWS\system32\ljjgeeff.dll (file missing)
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.phlimburg.be
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134656364634
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ACA9B54A-F5F5-490B-BD98-6B0E0D21A691}: NameServer = 192.168.1.1
    O20 - Winlogon Notify: hgghfghe - C:\WINDOWS\SYSTEM32\hgghfghe.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 5901 bytes
    You need chaos in your soul to give birth to a dancing star...

  • #2
    Hello,

    Close all open windows.
    Start HijackThis again and put a checkmark next to the following items:

    O2 - BHO: (no name) - {B19B6F31-E9F7-4871-B12A-57171D66FE97} - C:\WINDOWS\system32\ljjgeeff.dll (file missing)

    Then click "Fix checked" and close HijackThis.


    Download combofix.exe from this site: http://www.bleepingcomputer.com/comb...uikt-te-worden
    Follow the instructions given there. If anything is unclear, ask.
    When the tool is finished, a logfile (combofix.txt) opens.
    Post the contents of this file together with a new HijackThis log.

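The triage done in the reply above (an unnamed BHO pointing at a randomly named DLL in system32, that same DLL also registered as a Winlogon Notify handler, and orphaned entries whose file is already gone) can be automated. The following Python script is an added example, not something posted in this thread and not part of HijackThis or ComboFix: it parses the O2, O20 and R3 lines from the log above and reports why each one is flagged. The eight-lowercase-letter name heuristic and the cross-check across load points are assumptions drawn from this particular log, not signatures shipped by any tool.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis log posted in this thread, plus one
# benign O4 line so the parser has something to skip. Assembled for this example.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A4AC5231-62AD-42A5-B012-A5601ED5455F} - C:\WINDOWS\system32\hgghfghe.dll
O2 - BHO: (no name) - {B19B6F31-E9F7-4871-B12A-57171D66FE97} - C:\WINDOWS\system32\ljjgeeff.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: hgghfghe - C:\WINDOWS\SYSTEM32\hgghfghe.dll
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
WITH_CLSID = {"R3", "O2"}   # payload is "name - {CLSID} - path"
WITHOUT_CLSID = {"O20"}     # payload is "name - path"
# Heuristic (an assumption drawn from this log): the dropped modules here use
# 8 random lowercase letters (hgghfghe, ljjgeeff). Not a vendor signature.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")


def parse_line(line):
    """Parse an O2 / O20 / R3 HijackThis line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    # maxsplit keeps " - " inside paths such as "Spybot - Search & Destroy" intact
    if code in WITH_CLSID:
        parts = rest.split(" - ", 2)
        if len(parts) != 3:
            return None
        name, clsid, path = parts
    elif code in WITHOUT_CLSID:
        parts = rest.split(" - ", 1)
        if len(parts) != 2:
            return None
        name, path = parts
        clsid = ""
    else:
        return None
    status = "present"
    if path == "(no file)":
        status, path = "nofile", ""
    elif path.endswith(" (file missing)"):
        status, path = "missing", path[: -len(" (file missing)")]
    return {"code": code, "name": name, "clsid": clsid, "path": path,
            "status": status, "line": line.strip()}


def triage(log_text):
    """Return {log line: [reasons]} for every line that deserves attention."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    load_points = defaultdict(set)          # lowercase path -> {"O2", "O20", ...}
    for e in entries:
        if e["path"]:
            load_points[e["path"].lower()].add(e["code"])
    findings = {}
    for e in entries:
        key = e["path"].lower()
        stem = key.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if e["status"] != "present":
            reasons.append("orphaned entry: file is gone, entry should be removed")
        if e["code"] == "O2" and e["name"] == "(no name)":
            reasons.append("unnamed BHO")
        if "\\system32\\" in key and RANDOM_STEM.match(stem):
            reasons.append("random-looking 8-letter module name in system32")
        if len(load_points[key]) > 1:
            reasons.append("same DLL hooked at " + "+".join(sorted(load_points[key])))
        if reasons:
            findings[e["line"]] = reasons
    return findings


def suspicious_paths(log_text):
    """Lowercase paths of modules carrying at least one strong signal
    (random-looking name or the same DLL registered at several load points)."""
    paths = set()
    for line, reasons in triage(log_text).items():
        if any(r.startswith("random-looking") or r.startswith("same DLL") for r in reasons):
            paths.add(parse_line(line)["path"].lower())
    return sorted(paths)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
    print("suspicious modules:", suspicious_paths(SAMPLE_LOG))
```

Run as a script it prints the report; `triage()` returns a mapping from log line to reasons, and `suspicious_paths()` keeps only the modules with the stronger signals, which for this log are hgghfghe.dll and ljjgeeff.dll. Orphaned entries such as the Yahoo! Toolbar hook are reported as cleanup items only, because they no longer load anything; the Java and Spybot BHOs, which are named and live outside system32, are not flagged.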


    • #3
      ComboFix 08-04-20.5 - Administrator 2008-04-21 23:13:26.1 - NTFSx86
      Microsoft Windows XP Professional 5.1.2600.2.1252.31.1033.18.86 [GMT 2:00]
      Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
      .

      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\Program Files\Temporary
      C:\WINDOWS\cookies.ini
      C:\WINDOWS\pskt.ini
      C:\WINDOWS\system32\Cache
      C:\WINDOWS\system32\ffeegjjl.ini
      C:\WINDOWS\system32\ffeegjjl.ini2
      C:\WINDOWS\system32\mcrh.tmp
      C:\WINDOWS\system32\pac.txt
      C:\WINDOWS\system32\rqRHwWoL.dll
      C:\WINDOWS\system32\xxyywwut.dll
      C:\WINDOWS\system32\yayyXRLB.dll
      D:\Autorun.inf

      .
      ((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
      .

      2008-04-21 22:43 . 2008-04-21 22:56 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
      2008-04-21 22:43 . 2008-04-21 22:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Thunderbird
      2008-04-21 20:12 . 2008-04-21 20:12 <DIR> d-------- C:\Program Files\Trend Micro
      2008-04-21 18:27 . 2008-04-21 18:26 691,545 --a------ C:\WINDOWS\unins000.exe
      2008-04-21 18:27 . 2008-04-21 18:27 2,548 --a------ C:\WINDOWS\unins000.dat
      2008-04-20 22:32 . 2008-04-20 22:32 <DIR> d-------- C:\Program Files\Avira
      2008-04-20 22:32 . 2008-04-20 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
      2008-04-20 22:28 . 2008-04-20 22:28 2,128 --a------ C:\WINDOWS\system32\mrclcsht.dll
      2008-04-20 22:28 . 2008-04-20 22:28 294 ---hs---- C:\WINDOWS\system32\yqtonmlh.ini
      2008-04-20 21:59 . 2008-04-21 16:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
      2008-04-20 18:20 . 2008-04-20 18:17 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
      2008-04-20 18:16 . 2008-04-20 21:41 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
      2008-04-20 17:59 . 2008-04-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
      2008-04-20 16:58 . 2008-04-20 16:58 101 --a------ C:\WINDOWS\wininit.ini
      2008-04-20 13:02 . 2008-04-21 18:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
      2008-04-20 13:01 . 2008-04-20 13:01 <DIR> d-------- C:\Program Files\Yahoo!
      2008-04-19 22:42 . 2008-04-19 22:42 <DIR> d-------- C:\Program Files\Lavasoft
      2008-04-19 22:42 . 2008-04-19 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
      2008-04-19 22:13 . 2008-04-20 16:58 1,540,677 ---hs---- C:\WINDOWS\system32\pnpdajsb.ini
      2008-04-18 22:40 . 2008-04-18 22:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
      2008-04-18 20:51 . 2008-04-18 21:37 1,540,677 ---hs---- C:\WINDOWS\system32\nldpqlao.ini
      2008-04-18 20:51 . 2008-04-20 18:05 109,811 --a------ C:\WINDOWS\BM6bb7e274.xml
      2008-04-17 22:51 . 2008-04-20 10:34 <DIR> d-------- C:\WINDOWS\system32\xcsDd18
      2008-04-17 22:51 . 2008-04-17 22:51 31,232 --a------ C:\WINDOWS\system32\hgghfghe.dll
      2008-04-15 02:43 . 2008-04-14 23:43 74,240 --------- C:\WINDOWS\b156.exe_tobedeleted
      2008-04-12 09:18 . 2008-04-12 09:19 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
      2008-04-11 16:48 . 2008-04-11 13:48 11,264 --a------ C:\WINDOWS\b138.exe
      2008-04-10 23:53 . 2008-04-10 23:53 244 --ah----- C:\sqmnoopt13.sqm
      2008-04-10 23:53 . 2008-04-10 23:53 232 --ah----- C:\sqmdata13.sqm
      2008-04-09 22:44 . 2008-04-09 22:44 244 --ah----- C:\sqmnoopt12.sqm
      2008-04-09 22:44 . 2008-04-09 22:44 232 --ah----- C:\sqmdata12.sqm
      2008-04-08 23:16 . 2008-04-08 23:16 244 --ah----- C:\sqmnoopt11.sqm
      2008-04-08 23:16 . 2008-04-08 23:16 232 --ah----- C:\sqmdata11.sqm
      2008-04-07 22:49 . 2008-04-07 22:49 244 --ah----- C:\sqmnoopt10.sqm
      2008-04-07 22:49 . 2008-04-07 22:49 232 --ah----- C:\sqmdata10.sqm
      2008-03-30 14:12 . 2008-03-30 14:12 <DIR> d-------- C:\Program Files\Free Audio Pack
      2008-03-25 20:42 . 2008-03-25 20:43 <DIR> d-------- C:\Program Files\mp3DirectCut
      2008-03-25 20:23 . 2008-04-20 10:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
      2008-03-25 09:42 . 2008-04-12 20:14 <DIR> d-------- C:\Program Files\Windows Live Safety Center
      2008-03-23 15:47 . 2008-03-23 15:47 <DIR> d-------- C:\Program Files\LucasArts
      2008-03-23 12:55 . 2008-03-23 12:55 <DIR> d-------- C:\Program Files\uTorrent
      2008-03-23 12:55 . 2008-04-17 23:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
      2008-03-23 12:43 . 2008-03-23 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
      2008-03-23 12:42 . 2008-03-23 12:54 <DIR> d-------- C:\Program Files\Azureus
      2008-03-23 12:42 . 2008-03-23 12:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
      2008-03-23 10:35 . 2008-03-23 10:35 244 --ah----- C:\sqmnoopt09.sqm
      2008-03-23 10:35 . 2008-03-23 10:35 232 --ah----- C:\sqmdata09.sqm
      2008-03-23 01:14 . 2008-03-23 01:14 244 --ah----- C:\sqmnoopt08.sqm
      2008-03-23 01:14 . 2008-03-23 01:14 232 --ah----- C:\sqmdata08.sqm
      2008-03-22 20:55 . 2003-03-18 21:03 544,768 --a------ C:\WINDOWS\system32\MSVCR71D.DLL
      2008-03-22 20:48 . 2003-03-18 22:28 2,179,072 --a------ C:\WINDOWS\system32\MFC71D.DLL
      2008-03-22 09:02 . 2008-03-22 09:02 244 --ah----- C:\sqmnoopt07.sqm
      2008-03-22 09:02 . 2008-03-22 09:02 232 --ah----- C:\sqmdata07.sqm
      2008-03-22 00:14 . 2008-03-22 00:14 244 --ah----- C:\sqmnoopt06.sqm
      2008-03-22 00:14 . 2008-03-22 00:14 232 --ah----- C:\sqmdata06.sqm

      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-04-21 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
      2008-04-21 13:29 --------- d-----w C:\Program Files\Java
      2008-04-21 13:25 --------- d-----w C:\Program Files\Network Associates
      2008-04-21 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
      2008-04-19 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
      2008-04-18 20:48 --------- d-----w C:\Program Files\TuneUp Utilities 2008
      2008-04-17 20:54 316,928 ----a-w C:\WINDOWS\Fonts\rar.exe
      2008-04-12 21:49 --------- d-----w C:\Program Files\EndItAll
      2008-03-28 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
      2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
      2008-03-18 20:22 307,968 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
      2008-03-18 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
      2008-03-18 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
      2008-03-02 20:14 --------- d-----w C:\Program Files\Common Files\Adobe
      2008-02-27 12:15 28,416 ----a-w C:\WINDOWS\system32\uxtuneup.dll
      2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
      2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
      2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
      .

      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4AC5231-62AD-42A5-B012-A5601ED5455F}]
      2008-04-17 22:51 31232 --a------ C:\WINDOWS\system32\hgghfghe.dll

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
      "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "TFNF5"="TFNF5.exe" [2001-09-04 11:29 69632 C:\WINDOWS\system32\TFNF5.exe]
      "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 15:38 159744]
      "Tpwrtray"="TPWRTRAY.EXE" [2003-05-08 10:37 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
      "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
      "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
      "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
      "{A4AC5231-62AD-42A5-B012-A5601ED5455F}"= C:\WINDOWS\system32\hgghfghe.dll [2008-04-17 22:51 31232]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghfghe]
      hgghfghe.dll 2008-04-17 22:51 31232 C:\WINDOWS\system32\hgghfghe.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
      "vidc.I420"= i263_32.drv
      "MSACM.msrt24"= msrt24.acm
      "vidc.XVID"= xvid.dll
      "msacm.l3codec"= l3codecp.acm
      "msacm.lameacm"= lameACM.acm
      "vidc.3iv2"= 3ivxVfWCodec.dll
      "msacm.divxa32"= divxa32.acm
      "VIDC.HFYU"= huffyuv.dll
      "VIDC.i263"= i263_32.drv
      "msacm.imc"= imc32.acm
      "VIDC.VP31"= vp31vfw.dll

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
      "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
      "C:\\Program Files\\MSN Messenger\\livecall.exe"=
      "C:\\Program Files\\Terminal Reality\\4x4 Evo2\\4x42.exe"=
      "C:\\Program Files\\evo 1\\4x4.Evolution.MYTH\\4x4.exe"=
      "C:\\Program Files\\Microsoft Games\\Monster Truck Madness 2\\monster.exe"=
      "C:\\WINDOWS\\system32\\java.exe"=
      "C:\\WINDOWS\\system32\\dplaysvr.exe"=
      "C:\\WINDOWS\\system32\\dpnsvr.exe"=
      "C:\\WINDOWS\\system32\\dxdiag.exe"=
      "C:\\Program Files\\uTorrent\\uTorrent.exe"=

      R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 19:53]
      R2 UxTuneUp;TuneUp Thema-uitbreiding;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:56]
      R3 SMC2835W_PCI;SMC2835W 2.4GHz 54 Mbps Wireless Cardbus Driver;C:\WINDOWS\system32\DRIVERS\2835WICB.sys [2004-12-14 15:12]
      R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-09-17 17:12]
      S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-18 22:22]
      S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 09:56]

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
      UxTuneUp

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf1d72-7171-11da-9f5a-806d6172696f}]
      \Shell\AutoRun\command - E:\Programs\nu2menu\nu2menu.exe

      .
      Contents of the 'Scheduled Tasks' folder
      "2008-04-21 21:18:30 C:\WINDOWS\Tasks\Easy Onderhoud.job"
      - C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
      "2008-04-21 21:21:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
      - C:\Program Files\Windows Defender\MpCmdRun.exe
      .
      **************************************************************************

      catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-04-21 23:19:58
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden files: 4

      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      PROCESS: C:\WINDOWS\system32\winlogon.exe
      -> C:\WINDOWS\system32\hgghfghe.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
      C:\WINDOWS\system32\wdfmgr.exe
      C:\Program Files\Apoint2K\ApntEx.exe
      .
      **************************************************************************
      .
      Completion time: 2008-04-21 23:24:03 - machine was rebooted
      ComboFix-quarantined-files.txt 2008-04-21 21:23:46

      Pre-Run: 20,024,819,712 bytes free
      Post-Run: 19,962,183,680 bytes free

      196 --- E O F --- 2008-04-19 21:34:34

      HijackThis log

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 23:25:26, on 21/04/2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Windows Defender\MsMpEng.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\TFNF5.exe
      C:\Program Files\Apoint2K\Apoint.exe
      C:\WINDOWS\system32\TPWRTRAY.EXE
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\WINDOWS\system32\ezSP_Px.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      C:\Program Files\Apoint2K\Apntex.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.be/
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O2 - BHO: (no name) - {A4AC5231-62AD-42A5-B012-A5601ED5455F} - C:\WINDOWS\system32\hgghfghe.dll
      O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
      O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
      O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
      O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
      O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
      O14 - IERESET.INF: START_PAGE_URL=http://www.phlimburg.be
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134656364634
      O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{ACA9B54A-F5F5-490B-BD98-6B0E0D21A691}: NameServer = 192.168.1.1
      O20 - Winlogon Notify: hgghfghe - C:\WINDOWS\SYSTEM32\hgghfghe.dll
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
      O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
      O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

      --
      End of file - 5854 bytes
      You need chaos in your soul to give birth to a dancing star...



      • #4
        Open a Notepad file.
        Copy the code below and paste it into the Notepad file.
        Save the Notepad file as CFScript.txt
        Code:
        File::
        C:\WINDOWS\system32\mrclcsht.dll
        C:\WINDOWS\system32\yqtonmlh.ini
        C:\WINDOWS\wininit.ini
        C:\WINDOWS\system32\pnpdajsb.ini
        C:\WINDOWS\system32\nldpqlao.ini
        C:\WINDOWS\system32\hgghfghe.dll
        C:\WINDOWS\b156.exe_tobedeleted
        C:\WINDOWS\b138.exe
        
        DirLook::
        C:\WINDOWS\system32\xcsDd18
        
        Registry::
        [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4AC5231-62AD-42A5-B012-A5601ED5455F}]
        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
        "{A4AC5231-62AD-42A5-B012-A5601ED5455F}"=-
        [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghfghe]
        Now drag the file CFScript.txt onto the file ComboFix.exe

        ComboFix will start again.
        When ComboFix is finished, which may be after a restart, a logfile opens.
        Post the contents of the logfile.



        • #5
          ComboFix 08-04-20.5 - Administrator 2008-04-22 20:10:11.2 - NTFSx86
          Microsoft Windows XP Professional 5.1.2600.2.1252.31.1033.18.60 [GMT 2:00]
          Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
          Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
          * Created a new restore point

          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

          FILE ::
          C:\WINDOWS\b138.exe
          C:\WINDOWS\b156.exe_tobedeleted
          C:\WINDOWS\system32\hgghfghe.dll
          C:\WINDOWS\system32\mrclcsht.dll
          C:\WINDOWS\system32\nldpqlao.ini
          C:\WINDOWS\system32\pnpdajsb.ini
          C:\WINDOWS\system32\yqtonmlh.ini
          C:\WINDOWS\wininit.ini
          .

          ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          C:\WINDOWS\b138.exe
          C:\WINDOWS\b156.exe_tobedeleted
          C:\WINDOWS\system32\hgghfghe.dll
          C:\WINDOWS\system32\mrclcsht.dll
          C:\WINDOWS\system32\nldpqlao.ini
          C:\WINDOWS\system32\pnpdajsb.ini
          C:\WINDOWS\system32\yqtonmlh.ini
          C:\WINDOWS\wininit.ini

          .
          ((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
          .

          2008-04-21 22:43 . 2008-04-21 22:56 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
          2008-04-21 22:43 . 2008-04-21 22:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Thunderbird
          2008-04-21 20:12 . 2008-04-21 20:12 <DIR> d-------- C:\Program Files\Trend Micro
          2008-04-21 18:27 . 2008-04-21 18:26 691,545 --a------ C:\WINDOWS\unins000.exe
          2008-04-21 18:27 . 2008-04-21 18:27 2,548 --a------ C:\WINDOWS\unins000.dat
          2008-04-20 22:32 . 2008-04-20 22:32 <DIR> d-------- C:\Program Files\Avira
          2008-04-20 22:32 . 2008-04-20 22:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
          2008-04-20 21:59 . 2008-04-21 16:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
          2008-04-20 18:20 . 2008-04-20 18:17 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
          2008-04-20 18:16 . 2008-04-20 21:41 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
          2008-04-20 17:59 . 2008-04-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
          2008-04-20 13:02 . 2008-04-21 18:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
          2008-04-20 13:01 . 2008-04-20 13:01 <DIR> d-------- C:\Program Files\Yahoo!
          2008-04-19 22:42 . 2008-04-19 22:42 <DIR> d-------- C:\Program Files\Lavasoft
          2008-04-19 22:42 . 2008-04-19 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
          2008-04-18 22:40 . 2008-04-18 22:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
          2008-04-18 20:51 . 2008-04-20 18:05 109,811 --a------ C:\WINDOWS\BM6bb7e274.xml
          2008-04-17 22:51 . 2008-04-20 10:34 <DIR> d-------- C:\WINDOWS\system32\xcsDd18
          2008-04-12 09:18 . 2008-04-12 09:19 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
          2008-04-10 23:53 . 2008-04-10 23:53 244 --ah----- C:\sqmnoopt13.sqm
          2008-04-10 23:53 . 2008-04-10 23:53 232 --ah----- C:\sqmdata13.sqm
          2008-04-09 22:44 . 2008-04-09 22:44 244 --ah----- C:\sqmnoopt12.sqm
          2008-04-09 22:44 . 2008-04-09 22:44 232 --ah----- C:\sqmdata12.sqm
          2008-04-08 23:16 . 2008-04-08 23:16 244 --ah----- C:\sqmnoopt11.sqm
          2008-04-08 23:16 . 2008-04-08 23:16 232 --ah----- C:\sqmdata11.sqm
          2008-04-07 22:49 . 2008-04-07 22:49 244 --ah----- C:\sqmnoopt10.sqm
          2008-04-07 22:49 . 2008-04-07 22:49 232 --ah----- C:\sqmdata10.sqm
          2008-03-30 14:12 . 2008-03-30 14:12 <DIR> d-------- C:\Program Files\Free Audio Pack
          2008-03-25 20:42 . 2008-03-25 20:43 <DIR> d-------- C:\Program Files\mp3DirectCut
          2008-03-25 20:23 . 2008-04-20 10:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
          2008-03-25 09:42 . 2008-04-12 20:14 <DIR> d-------- C:\Program Files\Windows Live Safety Center
          2008-03-23 15:47 . 2008-03-23 15:47 <DIR> d-------- C:\Program Files\LucasArts
          2008-03-23 12:55 . 2008-03-23 12:55 <DIR> d-------- C:\Program Files\uTorrent
          2008-03-23 12:55 . 2008-04-17 23:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
          2008-03-23 12:43 . 2008-03-23 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
          2008-03-23 12:42 . 2008-03-23 12:54 <DIR> d-------- C:\Program Files\Azureus
          2008-03-23 12:42 . 2008-03-23 12:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
          2008-03-23 10:35 . 2008-03-23 10:35 244 --ah----- C:\sqmnoopt09.sqm
          2008-03-23 10:35 . 2008-03-23 10:35 232 --ah----- C:\sqmdata09.sqm
          2008-03-23 01:14 . 2008-03-23 01:14 244 --ah----- C:\sqmnoopt08.sqm
          2008-03-23 01:14 . 2008-03-23 01:14 232 --ah----- C:\sqmdata08.sqm
          2008-03-22 20:55 . 2003-03-18 21:03 544,768 --a------ C:\WINDOWS\system32\MSVCR71D.DLL
          2008-03-22 20:48 . 2003-03-18 22:28 2,179,072 --a------ C:\WINDOWS\system32\MFC71D.DLL
          2008-03-22 09:02 . 2008-03-22 09:02 244 --ah----- C:\sqmnoopt07.sqm
          2008-03-22 09:02 . 2008-03-22 09:02 232 --ah----- C:\sqmdata07.sqm
          2008-03-22 00:14 . 2008-03-22 00:14 244 --ah----- C:\sqmnoopt06.sqm
          2008-03-22 00:14 . 2008-03-22 00:14 232 --ah----- C:\sqmdata06.sqm

          .
          (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2008-04-21 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
          2008-04-21 13:29 --------- d-----w C:\Program Files\Java
          2008-04-21 13:25 --------- d-----w C:\Program Files\Network Associates
          2008-04-21 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
          2008-04-19 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
          2008-04-18 20:48 --------- d-----w C:\Program Files\TuneUp Utilities 2008
          2008-04-17 20:54 316,928 ----a-w C:\WINDOWS\Fonts\rar.exe
          2008-04-12 21:49 --------- d-----w C:\Program Files\EndItAll
          2008-03-28 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
          2008-03-18 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TuneUp Software
          2008-03-18 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
          2008-03-02 20:14 --------- d-----w C:\Program Files\Common Files\Adobe
          .

          (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
          .

          ---- Directory of C:\WINDOWS\system32\xcsDd18 ----



          ((((((((((((((((((((((((((((( [email protected]_23.23.04.17 )))))))))))))))))))))))))))))))))))))))))
          .
          - 2008-04-21 21:18:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
          + 2008-04-22 18:14:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
          .
          ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4AC5231-62AD-42A5-B012-A5601ED5455F}]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
          "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "TFNF5"="TFNF5.exe" [2001-09-04 11:29 69632 C:\WINDOWS\system32\TFNF5.exe]
          "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 15:38 159744]
          "Tpwrtray"="TPWRTRAY.EXE" [2003-05-08 10:37 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
          "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
          "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
          "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
          "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
          "vidc.I420"= i263_32.drv
          "MSACM.msrt24"= msrt24.acm
          "vidc.XVID"= xvid.dll
          "msacm.l3codec"= l3codecp.acm
          "msacm.lameacm"= lameACM.acm
          "vidc.3iv2"= 3ivxVfWCodec.dll
          "msacm.divxa32"= divxa32.acm
          "VIDC.HFYU"= huffyuv.dll
          "VIDC.i263"= i263_32.drv
          "msacm.imc"= imc32.acm
          "VIDC.VP31"= vp31vfw.dll

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
          "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
          "C:\\Program Files\\MSN Messenger\\livecall.exe"=
          "C:\\Program Files\\Terminal Reality\\4x4 Evo2\\4x42.exe"=
          "C:\\Program Files\\evo 1\\4x4.Evolution.MYTH\\4x4.exe"=
          "C:\\Program Files\\Microsoft Games\\Monster Truck Madness 2\\monster.exe"=
          "C:\\WINDOWS\\system32\\java.exe"=
          "C:\\WINDOWS\\system32\\dplaysvr.exe"=
          "C:\\WINDOWS\\system32\\dpnsvr.exe"=
          "C:\\WINDOWS\\system32\\dxdiag.exe"=
          "C:\\Program Files\\uTorrent\\uTorrent.exe"=

          R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 19:53]
          R2 UxTuneUp;TuneUp Thema-uitbreiding;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:56]
          R3 SMC2835W_PCI;SMC2835W 2.4GHz 54 Mbps Wireless Cardbus Driver;C:\WINDOWS\system32\DRIVERS\2835WICB.sys [2004-12-14 15:12]
          R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-09-17 17:12]
          S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-18 22:22]
          S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 09:56]

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
          UxTuneUp

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf1d72-7171-11da-9f5a-806d6172696f}]
          \Shell\AutoRun\command - E:\Programs\nu2menu\nu2menu.exe

          .
          Contents of the 'Scheduled Tasks' folder
          "2008-04-22 18:17:07 C:\WINDOWS\Tasks\Easy Onderhoud.job"
          - C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
          "2008-04-22 18:17:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
          - C:\Program Files\Windows Defender\MpCmdRun.exe
          .
          **************************************************************************

          catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2008-04-22 20:18:10
          Windows 5.1.2600 Service Pack 2 NTFS

          scanning hidden processes ...

          scanning hidden autostart entries ...

          scanning hidden files ...

          scan completed successfully
          hidden files: 4

          **************************************************************************
          .
          ------------------------ Other Running Processes ------------------------
          .
          C:\Program Files\Windows Defender\MsMpEng.exe
          C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
          C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
          C:\WINDOWS\system32\wdfmgr.exe
          C:\Program Files\Apoint2K\ApntEx.exe
          .
          **************************************************************************
          .
          Completion time: 2008-04-22 20:24:20 - machine was rebooted
          ComboFix-quarantined-files.txt 2008-04-22 18:24:04
          ComboFix2.txt 2008-04-21 21:24:05

          Pre-Run: 19,938,742,272 bytes free
          Post-Run: 19,925,504,000 bytes free

          189 --- E O F --- 2008-04-19 21:34:34
          You need chaos in your soul to give birth to a dancing star...

          • #6
Open a Notepad file.
Copy the text below (everything in bold) into this Notepad file.
            @ECHO OFF
            IF EXIST log.txt DEL log.txt
            ECHO Deleting folders>>log.txt
            FOR %%I in (
            C:\WINDOWS\system32\xcsDd18) DO (
            IF EXIST %%I (
            RD /S /Q %%I
            IF EXIST %%I (
            ECHO %%I not deleted>>log.txt
            ) ELSE (
            ECHO %%I deleted successfully>>log.txt)
            ) ELSE (
            ECHO %%I not found>>log.txt))
            START NOTEPAD.EXE log.txt

Go to File - Save As.
Under "Save in" choose: Desktop
Under "File name" enter: del.bat
Under "Save as type" select: All Files (*.*).
Click the Save button.

Double-click del.bat and post the contents of the log file that opens.

Create a new HijackThis log and post it.

            • #7
              Deleting folders
              C:\WINDOWS\system32\xcsDd18 deleted successfully



              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 22:14:16, on 22/04/2008
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\Windows Defender\MsMpEng.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
              C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
              C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
              C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
              C:\WINDOWS\system32\TFNF5.exe
              C:\Program Files\Apoint2K\Apoint.exe
              C:\WINDOWS\system32\TPWRTRAY.EXE
              C:\Program Files\Windows Defender\MSASCui.exe
              C:\WINDOWS\system32\ezSP_Px.exe
              C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
              C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
              C:\Program Files\MSN Messenger\msnmsgr.exe
              C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
              C:\Program Files\Apoint2K\Apntex.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\explorer.exe
              C:\Program Files\Mozilla Firefox\firefox.exe
              C:\WINDOWS\system32\notepad.exe
              C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.be/
              R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
              O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
              O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
              O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
              O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
              O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
              O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
              O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
              O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
              O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
              O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
              O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
              O14 - IERESET.INF: START_PAGE_URL=http://www.phlimburg.be
              O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134656364634
              O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
              O17 - HKLM\System\CCS\Services\Tcpip\..\{ACA9B54A-F5F5-490B-BD98-6B0E0D21A691}: NameServer = 192.168.1.1
              O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
              O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
              O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
              O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

              --
              End of file - 5702 bytes

              • #8
Looks good.

Close all open windows.
Start HijackThis once more and put a check mark next to the following items:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Then click "Fix checked" and close HijackThis.

Are there any remaining problems?

                • #9
Super!! I haven't had a single virus alert since, and the laptop runs like a dream.
You (and your colleagues here) are simply great!

A donation is definitely on its way.

One more question out of curiosity... is it normal for svchost.exe to sometimes run up to 5 times simultaneously?

                  • #10
You're welcome, and thank you in advance for the donation.

Go to Start - Run and type: ComboFix /u
Press Enter.


That is normal and has to do with how services are hosted.
Let me quote what I have on my website about this:
When a service is started by svchost.exe, that service is placed in a particular service group. That service group is then started by svchost.exe. An overview of these groups and the services started with them can be found in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
In this registry key you find the various groups: DComLaunch, LocalServices, netsvcs, etc.
Each group contains several services, all of which are started when the group is loaded by svchost.exe.
The LocalService group contains, among others, the following services: Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
The LocalServices group is loaded by the command: svchost.exe -k LocalService.
The DComLaunch group is loaded by the command: svchost -k DComLaunch
The netsvcs group is loaded by the command: svchost.exe -k netsvcs

The command svchost.exe -k LocalService loads all services that are in the LocalService group, and this appears in the process list as a single svchost.exe process. For each group loaded by svchost.exe, an svchost.exe appears in the process list. This is also the explanation of why svchost.exe can appear several times in the process list.
On Windows XP / Windows Vista you can use the command tasklist /SVC in a DOS box (Start - Run - cmd) to see which services are loaded by each svchost.exe.
More information on how to prevent a new infection can be found here and here.

I am setting the status of this thread to solved.
If there are no further replies, this thread will be moved automatically within about 3 days to the Solved HijackThis logs section, after which replying is no longer possible. This keeps the forum tidy and clear.
If it turns out there are still problems and you want to reply in this topic again, send me a private message requesting that it be reopened.

                    Happy surfing again.
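As an added example (not part of the thread or the helper's website), the following PowerShell script applies the explanation above: it reads the service groups from the Svchost registry key, maps each running svchost.exe to the services it hosts (the same information tasklist /SVC shows), and reports any instance whose path or -k group does not match what the registry says. It assumes a Windows system with PowerShell 3 or newer and an elevated prompt, so that the service-to-process mapping is complete.

```powershell
# Added example, not code from the thread. Explains each svchost.exe instance by
# its -k group and hosted services instead of guessing from the process count.

$svchostKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
$psNoise      = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Group name -> service names, read from the registry key quoted in the thread.
$groups = @{}
foreach ($p in (Get-ItemProperty -Path $svchostKey).PSObject.Properties) {
    if ($psNoise -notcontains $p.Name) { $groups[$p.Name] = @($p.Value) }
}

# Running services with the process id that currently hosts them.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }

$report = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.ProcessId } |
                Select-Object -ExpandProperty Name)
    # The -k argument names the group this instance was started for.
    $group = if ($proc.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { $null }

    $findings = @()
    if ($proc.ExecutablePath -and ($proc.ExecutablePath -ne $expectedPath)) {
        $findings += "unexpected path $($proc.ExecutablePath)"
    }
    if (-not $group) {
        $findings += 'no -k group on command line'
    } elseif (-not $groups.ContainsKey($group)) {
        $findings += "group '$group' not defined in registry"
    } else {
        $unlisted = $hosted | Where-Object { $groups[$group] -notcontains $_ }
        if ($unlisted) { $findings += "services not in group ${group}: $($unlisted -join ', ')" }
    }
    if ($hosted.Count -eq 0) { $findings += 'hosts no service' }

    [pscustomobject]@{
        PID      = $proc.ProcessId
        Group    = $group
        Services = ($hosted -join ', ')
        Path     = $proc.ExecutablePath
        Findings = ($findings -join '; ')
    }
}

# One row per svchost.exe; an empty Findings column means the instance is accounted for.
$report | Sort-Object PID | Format-Table -AutoSize -Wrap
```

A non-empty Findings column is a reason to look closer, not proof of infection: a 32-bit svchost.exe on 64-bit Windows, for instance, legitimately runs from SysWOW64.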
