pop up 'virus'


  • pop up 'virus'

    Hi, I'm new here and registered on someone's advice. I've recently started getting pop-ups with advertisements. Even after reinstalling my PC the problem remains. Hopefully someone can help me. My log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 19:25:53, on 28-4-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Documents and Settings\Nanda en Eddie\lsass.exe
    C:\windows\system32\jjwnw64o.exe
    C:\WINDOWS\mrofinu1188.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\U3RhbQ\command.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\system32\pcntkkdn.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Nanda en Eddie\Bureaublad\HiJackThis_v2.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: {bfd9d84a-67dc-e399-af24-a12cf02ad626} - {626da20f-c21a-42fa-993e-cd76a48d9dfb} - C:\WINDOWS\system32\kruvasys.dll
    O2 - BHO: (no name) - {63EC16D7-E407-4E13-90C3-91BBB6725DAD} - C:\WINDOWS\system32\byXOhEwT.dll
    O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINDOWS\system32\khfFYRjk.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Nanda en Eddie\lsass.exe
    O4 - HKLM\..\Run: [{DD-D7-79-9F-DW}] C:\windows\system32\jjwnw64o.exe DWram
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pcntkkdn.exe DWram
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [9cddd730] rundll32.exe "C:\WINDOWS\system32\avomllql.dll",b
    O4 - HKLM\..\Run: [BM9feee4ac] Rundll32.exe "C:\WINDOWS\system32\eafkfnqs.dll",s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntkkdn.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jjwnw64o.exe
    O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Toevoegen aan bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: khfFYRjk - C:\WINDOWS\SYSTEM32\khfFYRjk.dll
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Version Cue CS3 {nl_NL} (Adobe Version Cue CS3) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RhbQ\command.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    --
    End of file - 6172 bytes

  • #2
    Download VirtumundoBegone (mirror)
    Save it to your desktop.

    Double-click VirtumundoBeGone.exe and follow the instructions.
    Don't be alarmed if you see a blue screen with an error message - this is normal.
    When the fix is finished, restart the PC.
    Post the contents of the log file VBG.TXT, which is now on your desktop, here in your next message.


    Download: RVAXO.exe
    • Save the file to your desktop, double-click it and choose "Unzip" to extract it.
    • Start the computer in Safe Mode.
    • Now open the RVAXO folder on your desktop and double-click RunMe.cmd
      A cmd window will open, and a few lines about files not found will scroll by quickly; this is normal.
    • An uninstaller for a rogue scanner may also start; do not close it, but follow any instructions and just let it do its work.
    • After that your PC will restart; let it start in normal mode this time. After the restart the RVAXO cmd window opens again.
      Let it run and wait until a log file opens: C:\RVAXO-results.log
    • If your computer does not restart by itself, or the tool does not start after the reboot, do this manually.
    • Post the contents of the log file in your next message.


    Download Deckard's System Scanner to your desktop.
    • Close all applications and windows.
    • Double-click dss.exe to run it, and follow the instructions.
    • When the scan is complete, a text file - main.txt - will open.
    • Copy (Ctrl+A followed by Ctrl+C) and paste (Ctrl+V) the contents of main.txt into your next reply.

    Note: Some firewalls may warn that sigcheck.exe is trying to connect to the internet
    - make sure sigcheck.exe is allowed to do so!
    Your antivirus may also flag DSS as suspicious, or even try to remove it.
    Do not let your antivirus remove it! (In that case it may be better to temporarily disable your antivirus during the DSS scan.)



    • #3
      VBG log

      [04/29/2008, 21:27:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Nanda en Eddie\Bureaublad\VirtumundoBeGone.exe" )
      [04/29/2008, 21:27:41] - Detected System Information:
      [04/29/2008, 21:27:41] - Windows Version: 5.1.2600, Service Pack 2
      [04/29/2008, 21:27:41] - Current Username: Nanda en Eddie (Admin)
      [04/29/2008, 21:27:41] - Windows is in NORMAL mode.
      [04/29/2008, 21:27:41] - Searching for Browser Helper Objects:
      [04/29/2008, 21:27:41] - BHO 1: {06C9FDD6-74D0-418A-BD70-0E2EABFE3E3A} ()
      [04/29/2008, 21:27:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [04/29/2008, 21:27:41] - Checking for HKLM\...\Winlogon\Notify\byXOhEwT
      [04/29/2008, 21:27:41] - Key not found: HKLM\...\Winlogon\Notify\byXOhEwT, continuing.
      [04/29/2008, 21:27:41] - BHO 2: {15421B84-3488-49A7-AD18-CBF84A3EFAF6} (BHO Class)
      [04/29/2008, 21:27:41] - BHO 3: {626da20f-c21a-42fa-993e-cd76a48d9dfb} ()
      [04/29/2008, 21:27:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [04/29/2008, 21:27:41] - Checking for HKLM\...\Winlogon\Notify\kruvasys
      [04/29/2008, 21:27:41] - Key not found: HKLM\...\Winlogon\Notify\kruvasys, continuing.
      [04/29/2008, 21:27:41] - BHO 4: {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} ()
      [04/29/2008, 21:27:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [04/29/2008, 21:27:41] - Checking for HKLM\...\Winlogon\Notify\khfFYRjk
      [04/29/2008, 21:27:41] - Found: HKLM\...\Winlogon\Notify\khfFYRjk - This is probably Virtumundo.
      [04/29/2008, 21:27:41] - Assigning {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} MSEvents Object
      [04/29/2008, 21:27:41] - BHO list has been changed! Starting over...
      [04/29/2008, 21:27:41] - BHO 1: {06C9FDD6-74D0-418A-BD70-0E2EABFE3E3A} ()
      [04/29/2008, 21:27:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [04/29/2008, 21:27:41] - Checking for HKLM\...\Winlogon\Notify\byXOhEwT
      [04/29/2008, 21:27:41] - Key not found: HKLM\...\Winlogon\Notify\byXOhEwT, continuing.
      [04/29/2008, 21:27:41] - BHO 2: {15421B84-3488-49A7-AD18-CBF84A3EFAF6} (BHO Class)
      [04/29/2008, 21:27:41] - BHO 3: {626da20f-c21a-42fa-993e-cd76a48d9dfb} ()
      [04/29/2008, 21:27:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [04/29/2008, 21:27:41] - Checking for HKLM\...\Winlogon\Notify\kruvasys
      [04/29/2008, 21:27:41] - Key not found: HKLM\...\Winlogon\Notify\kruvasys, continuing.
      [04/29/2008, 21:27:41] - BHO 4: {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} (MSEvents Object)
      [04/29/2008, 21:27:41] - ALERT: Found MSEvents Object!
      [04/29/2008, 21:27:41] - Finished Searching Browser Helper Objects
      [04/29/2008, 21:27:41] - *** Detected MSEvents Object
      [04/29/2008, 21:27:41] - Trying to remove MSEvents Object...
      [04/29/2008, 21:27:42] - Terminating Process: IEXPLORE.EXE
      [04/29/2008, 21:27:42] - Terminating Process: RUNDLL32.EXE
      [04/29/2008, 21:27:43] - Disabling Automatic Shell Restart
      [04/29/2008, 21:27:43] - Terminating Process: EXPLORER.EXE
      [04/29/2008, 21:27:43] - Suspending the NT Session Manager System Service
      [04/29/2008, 21:27:43] - Terminating Windows NT Logon/Logoff Manager
      [04/29/2008, 21:27:44] - Re-enabling Automatic Shell Restart
      [04/29/2008, 21:27:44] - File to disable: C:\WINDOWS\system32\khfFYRjk.dll
      [04/29/2008, 21:27:44] - Renaming C:\WINDOWS\system32\khfFYRjk.dll -> C:\WINDOWS\system32\khfFYRjk.dll.vir
      [04/29/2008, 21:27:44] - File successfully renamed!
      [04/29/2008, 21:27:44] - Removing HKLM\...\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
      [04/29/2008, 21:27:44] - Removing HKCR\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
      [04/29/2008, 21:27:44] - Adding Kill Bit for ActiveX for GUID: {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
      [04/29/2008, 21:27:44] - Deleting ATLEvents/MSEvents Registry entries
      [04/29/2008, 21:27:44] - Removing HKLM\...\Winlogon\Notify\khfFYRjk
      [04/29/2008, 21:27:44] - Searching for Browser Helper Objects:
      [04/29/2008, 21:27:44] - BHO 1: {06C9FDD6-74D0-418A-BD70-0E2EABFE3E3A} ()
      [04/29/2008, 21:27:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [04/29/2008, 21:27:44] - Checking for HKLM\...\Winlogon\Notify\byXOhEwT
      [04/29/2008, 21:27:44] - Key not found: HKLM\...\Winlogon\Notify\byXOhEwT, continuing.
      [04/29/2008, 21:27:44] - BHO 2: {15421B84-3488-49A7-AD18-CBF84A3EFAF6} (BHO Class)
      [04/29/2008, 21:27:44] - BHO 3: {626da20f-c21a-42fa-993e-cd76a48d9dfb} ()
      [04/29/2008, 21:27:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
      [04/29/2008, 21:27:44] - Checking for HKLM\...\Winlogon\Notify\kruvasys
      [04/29/2008, 21:27:44] - Key not found: HKLM\...\Winlogon\Notify\kruvasys, continuing.
      [04/29/2008, 21:27:44] - Finished Searching Browser Helper Objects
      [04/29/2008, 21:27:44] - Finishing up...
      [04/29/2008, 21:27:44] - A restart is needed.
      [04/29/2008, 21:27:54] - Attempting to Restart via STOP error (Blue Screen!)



      • #4
        RVAXO log

        ---RVAXO.exe Updated: 2008-04-29---first run---
        Uninstallers:

        Files found:
        C:\WINDOWS\system32\khfFYRjk.dll.vir
        C:\WINDOWS\BM9feee4ac.xml
        C:\WINDOWS\BM9feee4ac.txt
        C:\WINDOWS\system32\TwEhOXyb.ini2
        C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
        C:\WINDOWS\pskt.ini
        C:\WINDOWS\b155.exe
        C:\WINDOWS\b156.exe
        C:\WINDOWS\cookies.ini
        C:\WINDOWS\system32\winpfz33.sys
        C:\WINDOWS\system32\clkcnt.txt
        C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
        C:\WINDOWS\system32\gside.exe
        C:\WINDOWS\system32\rwwnw64d.exe
        C:\WINDOWS\system32\pcntkkdn.exe
        C:\WINDOWS\system32\mcrh.tmp
        C:\WINDOWS\system32\zxdnt3d.cfg
        C:\WINDOWS\system32\msnav32.ax
        C:\WINDOWS\mrofinu1000106.exe
        C:\WINDOWS\mrofinu1188.exe
        C:\WINDOWS\Prefetch\MROFINU.EXE-27CE430A.pf
        C:\WINDOWS\system32\pac.txt

        Folders Found:
        C:\Program Files\CPV
        C:\Program Files\Svconr
        C:\WINDOWS\system32\ve2
        C:\WINDOWS\system32\p7
        C:\WINDOWS\system32\n4
        C:\WINDOWS\system32\pnVes18
        C:\Program Files\Temporary
        C:\Temp\1cb

        Hosts-file was reset, If you use a custom hosts file please replace it...

        --------------RVAXO.exe last run---------------
        Not deleted items:

        --------------RVAXO.exe finished----------------



        • #5
          DDS log

          Deckard's System Scanner v20071014.68
          Run by Nanda en Eddie on 2008-04-29 21:41:18
          Computer is in Normal Mode.
          --------------------------------------------------------------------------------

          -- System Restore --------------------------------------------------------------

          System Restore is disabled; attempting to re-enable...success.


          -- Last 1 Restore Point(s) --
          1: 2008-04-29 19:41:23 UTC - RP1 - Controlepunt van systeem


          Backed up registry hives.
          Performed disk cleanup.



          -- HijackThis (run as Nanda en Eddie.exe) --------------------------------------

          Unable to find log (file not found); running clone.
          -- HijackThis Clone ------------------------------------------------------------


          Emulating logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 2008-04-29 21:45:27
          Platform: Windows XP Service Pack 2 (5.01.2600)
          MSIE: Internet Explorer (6.00.2900.2180)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\system32\smss.exe
          C:\WINDOWS\system32\csrss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\explorer.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\Program Files\Spyware Doctor\pctsAuxs.exe
          C:\Program Files\Spyware Doctor\pctsSvc.exe
          C:\Program Files\Spyware Doctor\pctsTray.exe
          C:\WINDOWS\system32\wscntfy.exe
          C:\WINDOWS\system32\alg.exe
          C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
          C:\WINDOWS\system32\rundll32.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
          C:\WINDOWS\system32\rwwnw64d.exe
          C:\WINDOWS\system32\rundll32.exe
          C:\Documents and Settings\Nanda en Eddie\Bureaublad\dss.exe
          C:\Program Files\Trend Micro\HijackThis\Nanda en Eddie.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
          O2 - BHO: {2f07eb29-17fe-fac8-9de4-06d477613c21} - {12c31677-4d60-4ed9-8caf-ef7192be70f2} - C:\WINDOWS\system32\hpqcmokr.dll
          O2 - BHO: (no name) - {75EAE522-A40B-4EE3-8923-F3E48B987601} - C:\WINDOWS\system32\byXOhEwT.dll
          O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
          O4 - HKLM\..\Run: [{DD-D7-79-9F-DW}] c:\windows\system32\rwwnw64d.exe DWram
          O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
          O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
          O4 - HKLM\..\Run: [9cddd730] rundll32.exe "C:\WINDOWS\system32\ucneextv.dll",b
          O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
          O4 - HKLM\..\Run: [BM9feee4ac] Rundll32.exe "C:\WINDOWS\system32\wwvwwmkr.dll",s
          O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
          O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
          O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntkkdn.exe
          O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
          O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
          O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
          O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
          O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
          O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
          O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
          O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
          O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
          O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
          O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
          O8 - Extra context menu item: Toevoegen aan bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
          O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          O23 - Service: Adobe Version Cue CS3 {nl_NL} (Adobe Version Cue CS3) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
          O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
          O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
          O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
          O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


          --
          End of file - 5892 bytes

          -- File Associations -----------------------------------------------------------

          .js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
          .js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


          -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

          All drivers whitelisted.


          -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

          R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
          R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


          -- Device Manager: Disabled ----------------------------------------------------

          Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
          Description: Standaardtoetsenbord (101/102 toetsen) of Microsoft Natural PS/2-toetsenbord
          Device ID: ACPI\PNP0303\4&268D196D&0
          Manufacturer: (standaardtoetsenbord)
          Name: Standaardtoetsenbord (101/102 toetsen) of Microsoft Natural PS/2-toetsenbord
          PNP Device ID: ACPI\PNP0303\4&268D196D&0
          Service: i8042prt


          -- Files created between 2008-03-29 and 2008-04-29 -----------------------------

          2008-04-29 21:42:10 0 d-------- C:\Program Files\Trend Micro
          2008-04-29 21:40:10 210135 --ahs---- C:\WINDOWS\system32\TwEhOXyb.ini2
          2008-04-29 21:40:07 97856 --a------ C:\WINDOWS\system32\ucneextv.dll
          2008-04-29 21:40:04 49202 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
          2008-04-29 21:37:18 0 d-------- C:\RVAXO
          2008-04-29 21:34:38 809270 --a------ C:\WINDOWS\system32\RVAXO.bat
          2008-04-29 21:34:38 69632 --a------ C:\WINDOWS\system32\remove.exe
          2008-04-29 21:34:25 107072 --a------ C:\WINDOWS\system32\hpqcmokr.dll
          2008-04-29 21:29:23 104512 --a------ C:\WINDOWS\system32\wwvwwmkr.dll
          2008-04-28 22:40:33 0 d-------- C:\Program Files\Panda Security
          2008-04-28 22:36:22 0 d-------- C:\Program Files\Lavasoft
          2008-04-28 22:36:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
          2008-04-28 22:35:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
          2008-04-28 22:11:56 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
          2008-04-28 21:31:51 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
          2008-04-28 21:31:25 0 d-------- C:\Program Files\Spyware Doctor
          2008-04-28 21:31:25 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\PC Tools
          2008-04-28 18:10:47 0 d---s---- C:\Documents and Settings\Nanda en Eddie\UserData
          2008-04-28 17:59:12 95296 --a------ C:\WINDOWS\system32\avomllql.dll
          2008-04-28 16:47:21 108608 --a------ C:\WINDOWS\system32\kruvasys.dll
          2008-04-28 16:47:14 104000 --a------ C:\WINDOWS\system32\eafkfnqs.dll
          2008-04-27 23:09:25 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
          2008-04-27 23:02:20 49188 --a------ C:\WINDOWS\system32\jjwnw64o.exe <Not Verified; ; Browser Driver>
          2008-04-27 21:02:54 0 d-------- C:\Program Files\QuickTime
          2008-04-27 20:39:30 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\Macromedia
          2008-04-27 20:15:05 0 d-------- C:\Program Files\Bonjour
          2008-04-27 20:06:18 0 d-------- C:\Program Files\Common Files\Macrovision Shared
          2008-04-27 19:54:41 401521 --a------ C:\WINDOWS\system32\g14.exe
          2008-04-27 19:54:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
          2008-04-27 19:54:23 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
          2008-04-27 19:54:23 0 d--hs---- C:\WINDOWS\U3RhbQ
          2008-04-27 19:52:36 281600 --a------ C:\WINDOWS\system32\byXOhEwT.dll
          2008-04-27 19:52:34 0 d-------- C:\Temp
          2008-04-17 13:25:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
          2008-04-17 13:24:33 0 d-------- C:\WINDOWS\Cache
          2008-04-15 15:18:48 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\Adobe
          2008-04-15 15:17:26 0 d-------- C:\Program Files\Common Files\Adobe
          2008-04-15 15:14:35 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
          2008-04-14 22:58:37 0 d--hs---- C:\WINDOWS\Installer
          2008-04-14 22:58:35 0 d-------- C:\Program Files\Common Files\ODBC
          2008-04-14 22:58:32 0 dr------- C:\Program Files
          2008-04-14 22:58:32 0 d-------- C:\Program Files\Common Files
          2008-04-14 22:58:32 0 d-------- C:\Program Files\Common Files\SpeechEngines
          2008-04-14 22:58:04 0 d--h----- C:\Documents and Settings\Default User\Sjablonen
          2008-04-14 22:58:04 0 dr-h----- C:\Documents and Settings\Default User\SendTo
          2008-04-14 22:58:04 0 d--h----- C:\Documents and Settings\Default User\Onlangs geopend
          2008-04-14 22:58:04 0 d--h----- C:\Documents and Settings\Default User\Netwerkprinteromgeving
          2008-04-14 22:58:04 0 d--h----- C:\Documents and Settings\Default User\NetHood
          2008-04-14 22:58:04 0 d-------- C:\Documents and Settings\Default User\Mijn documenten
          2008-04-14 22:58:04 0 dr------- C:\Documents and Settings\Default User\Menu Start
          2008-04-14 22:58:04 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
          2008-04-14 22:58:04 0 d-------- C:\Documents and Settings\Default User\Favorieten
          2008-04-14 22:58:04 0 d---s---- C:\Documents and Settings\Default User\Cookies
          2008-04-14 22:58:04 0 d-------- C:\Documents and Settings\Default User\Bureaublad
          2008-04-14 22:58:04 0 d--h----- C:\Documents and Settings\All Users\Sjablonen
          2008-04-14 22:58:04 0 dr------- C:\Documents and Settings\All Users\Menu Start
          2008-04-14 22:58:04 0 d-------- C:\Documents and Settings\All Users\Favorieten
          2008-04-14 22:58:04 0 dr------- C:\Documents and Settings\All Users\Documenten
          2008-04-14 22:58:04 0 d-------- C:\Documents and Settings\All Users\Bureaublad
          2008-04-14 22:57:49 0 d-------- C:\WINDOWS\system32\CatRoot2
          2008-04-14 22:57:49 0 d-------- C:\WINDOWS\system32\CatRoot
          2008-04-14 22:57:44 0 dr-h----- C:\Documents and Settings\Default User\Application Data
          2008-04-14 22:57:44 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft


          -- Find3M Report ---------------------------------------------------------------

          2008-04-28 21:32:59 364638 --a------ C:\WINDOWS\system32\perfh013.dat
          2008-04-28 21:32:59 53534 --a------ C:\WINDOWS\system32\perfc013.dat
          2008-04-14 22:58:04 62 --ahs---- C:\Documents and Settings\Nanda en Eddie\Application Data\desktop.ini


          -- Registry Dump ---------------------------------------------------------------

          *Note* empty entries & legit default entries are not shown


          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12c31677-4d60-4ed9-8caf-ef7192be70f2}]
          29-04-2008 21:34 107072 --a------ C:\WINDOWS\system32\hpqcmokr.dll

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75EAE522-A40B-4EE3-8923-F3E48B987601}]
          27-04-2008 19:52 281600 --a------ C:\WINDOWS\system32\byXOhEwT.dll

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "{DD-D7-79-9F-DW}"="c:\windows\system32\rwwnw64d.exe" [29-04-2008 21:40]
          "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [22-10-2006 23:24]
          "@"=""
          "Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [20-03-2007 16:40]
          "9cddd730"="C:\WINDOWS\system32\ucneextv.dll" [29-04-2008 21:40]
          "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [01-02-2008 11:55]
          "BM9feee4ac"="C:\WINDOWS\system32\wwvwwmkr.dll" [29-04-2008 21:29]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 14:00]

          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
          "Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXOhEwT

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
          @="Service"

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe776f75-0aed-11dd-80c1-0002b34c5b28}]
          Auto\command- F:\Start.exe
          AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe




          -- End of Deckard's System Scanner: finished at 2008-04-29 21:48:56 ------------



          • #6
            Thanks in advance for taking a look!



            • #7
              Download The Avenger and extract the program to your desktop.
              Open the avenger folder and start the program by double-clicking avenger.exe.
              In the "Input Script here" window, copy and paste the bold text below:

              Folders to delete:
              C:\Documents and Settings\LocalService\Application Data\NetMon
              C:\WINDOWS\U3RhbQ


              Files to delete:
              C:\WINDOWS\uninstall_nmon.vbs
              C:\WINDOWS\system32\byXOhEwT.dll
              C:\WINDOWS\system32\TwEhOXyb.ini
              C:\WINDOWS\system32\TwEhOXyb.ini2
              C:\WINDOWS\system32\ucneextv.dll
              C:\WINDOWS\system32\rwwnw64d.exe
              C:\WINDOWS\system32\hpqcmokr.dll
              C:\WINDOWS\system32\wwvwwmkr.dll
              C:\WINDOWS\system32\avomllql.dll
              C:\WINDOWS\system32\kruvasys.dll
              C:\WINDOWS\system32\eafkfnqs.dll
              C:\WINDOWS\system32\d3d9caps.dat
              C:\WINDOWS\system32\jjwnw64o.exe
              C:\WINDOWS\system32\g14.exe


              Then click the Execute button.
              The Avenger will indicate that the computer is going to restart; allow this.
              After the reboot a log file (avenger.txt) opens. Post the contents of this log file together with a new HijackThis log.



              • #8
                avenger.txt

                Logfile of The Avenger Version 2.0, (c) by Swandog46
                http://swandog46.geekstogo.com

                Platform: Windows XP

                *******************

                Script file opened successfully.
                Script file read successfully.

                Backups directory opened successfully at C:\Avenger

                *******************

                Beginning to process script file:

                Rootkit scan active.
                No rootkits found!

                Folder "C:\Documents and Settings\LocalService\Application Data\NetMon" deleted successfully.
                Folder "C:\WINDOWS\U3RhbQ" deleted successfully.
                File "C:\WINDOWS\uninstall_nmon.vbs" deleted successfully.
                File "C:\WINDOWS\system32\byXOhEwT.dll" deleted successfully.
                File "C:\WINDOWS\system32\TwEhOXyb.ini" deleted successfully.
                File "C:\WINDOWS\system32\TwEhOXyb.ini2" deleted successfully.
                File "C:\WINDOWS\system32\ucneextv.dll" deleted successfully.
                File "C:\WINDOWS\system32\rwwnw64d.exe" deleted successfully.
                File "C:\WINDOWS\system32\hpqcmokr.dll" deleted successfully.
                File "C:\WINDOWS\system32\wwvwwmkr.dll" deleted successfully.
                File "C:\WINDOWS\system32\avomllql.dll" deleted successfully.
                File "C:\WINDOWS\system32\kruvasys.dll" deleted successfully.
                File "C:\WINDOWS\system32\eafkfnqs.dll" deleted successfully.
                File "C:\WINDOWS\system32\d3d9caps.dat" deleted successfully.
                File "C:\WINDOWS\system32\jjwnw64o.exe" deleted successfully.
                File "C:\WINDOWS\system32\g14.exe" deleted successfully.

                Completed script processing.

                *******************

                Finished! Terminate.



                • #9
                  Go ahead and post a new Deckard's System Scanner log.



                  • #10
                    dss log

                    The problem seems to be solved; here is the log anyway. (Can I do the same on my laptop? Same problem, including the same pop-ups, etc.)


                    Deckard's System Scanner v20071014.68
                    Run by Nanda en Eddie on 2008-04-30 13:47:19
                    Computer is in Normal Mode.
                    --------------------------------------------------------------------------------



                    -- HijackThis (run as Nanda en Eddie.exe) --------------------------------------

                    Unable to find log (file not found); running clone.
                    -- HijackThis Clone ------------------------------------------------------------


                    Emulating logfile of Trend Micro HijackThis v2.0.2
                    Scan saved at 2008-04-30 13:52:20
                    Platform: Windows XP Service Pack 2 (5.01.2600)
                    MSIE: Internet Explorer (6.00.2900.2180)
                    Boot mode: Normal

                    Running processes:
                    C:\WINDOWS\system32\smss.exe
                    C:\WINDOWS\system32\winlogon.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                    C:\WINDOWS\explorer.exe
                    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
                    C:\WINDOWS\system32\rundll32.exe
                    C:\WINDOWS\system32\pcntkkdn.exe
                    C:\WINDOWS\system32\ctfmon.exe
                    C:\Program Files\Internet Explorer\IEXPLORE.EXE
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\Program Files\Bonjour\mDNSResponder.exe
                    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                    C:\WINDOWS\system32\wscntfy.exe
                    C:\WINDOWS\system32\wuauclt.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                    C:\WINDOWS\system32\HPZipm12.exe
                    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
                    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                    C:\Program Files\Internet Explorer\IEXPLORE.EXE
                    C:\Documents and Settings\Nanda en Eddie\Bureaublad\dss.exe
                    C:\Program Files\Trend Micro\HijackThis\Nanda en Eddie.exe

                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                    O2 - BHO: {2f07eb29-17fe-fac8-9de4-06d477613c21} - {12c31677-4d60-4ed9-8caf-ef7192be70f2} - C:\WINDOWS\system32\hpqcmokr.dll (file missing)
                    O2 - BHO: (no name) - {4CA5CD54-C5F1-4F3A-8E61-4FDAC9701A4D} - C:\WINDOWS\system32\byXOhEwT.dll (file missing)
                    O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\system32\myss_sb.dll
                    O2 - BHO: gooochi browser optimizer - {bbbaec48-969d-eeba-b4e1-f695c630b702} - C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll
                    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
                    O4 - HKLM\..\Run: [{DD-D7-79-9F-DW}] c:\windows\system32\jjwnw64o.exe DWram
                    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
                    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
                    O4 - HKLM\..\Run: [9cddd730] rundll32.exe "C:\WINDOWS\system32\ucneextv.dll",b
                    O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll" DllInit
                    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pcntkkdn.exe DWram
                    O4 - HKLM\..\Run: [BM9feee4ac] Rundll32.exe "C:\WINDOWS\system32\wwvwwmkr.dll",s
                    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
                    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
                    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
                    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
                    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntkkdn.exe
                    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jjwnw64o.exe
                    O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
                    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
                    O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
                    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                    O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
                    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
                    O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                    O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                    O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                    O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                    O8 - Extra context menu item: Toevoegen aan bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
                    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
                    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
                    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
                    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                    O23 - Service: Adobe Version Cue CS3 {nl_NL} (Adobe Version Cue CS3) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
                    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
                    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
                    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


                    --
                    End of file - 7421 bytes

                    -- Files created between 2008-03-30 and 2008-04-30 -----------------------------

                    2008-04-30 13:03:36 0 d-------- C:\Program Files\Canon
                    2008-04-30 13:03:33 0 d-------- C:\Program Files\Common Files\Canon
                    2008-04-30 12:56:11 0 d-------- C:\WINDOWS\ShellNew
                    2008-04-30 12:51:26 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\Hewlett-Packard
                    2008-04-30 12:48:40 0 d-------- C:\WINDOWS\LastGood
                    2008-04-30 12:48:25 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
                    2008-04-30 12:47:03 0 d-------- C:\Program Files\Hewlett-Packard
                    2008-04-30 12:46:12 16606 -----n--- C:\WINDOWS\hpomdl01.dat
                    2008-04-30 12:46:12 19575 --a------ C:\WINDOWS\hpoins01.dat
                    2008-04-30 12:14:19 89070 --a------ C:\WINDOWS\system32\myss_sb_uninstall.exe
                    2008-04-30 12:13:36 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
                    2008-04-30 12:13:31 298313 --a------ C:\WINDOWS\system32\gside.exe
                    2008-04-29 21:50:14 861 --a------ C:\WINDOWS\system32\winpfz33.sys
                    2008-04-29 21:50:09 200765 --a------ C:\WINDOWS\system32\pcntkkdn.exe
                    2008-04-29 21:42:10 0 d-------- C:\Program Files\Trend Micro
                    2008-04-29 21:37:18 0 d-------- C:\RVAXO
                    2008-04-29 21:34:38 809270 --a------ C:\WINDOWS\system32\RVAXO.bat
                    2008-04-29 21:34:38 69632 --a------ C:\WINDOWS\system32\remove.exe
                    2008-04-28 22:40:33 0 d-------- C:\Program Files\Panda Security
                    2008-04-28 22:36:22 0 d-------- C:\Program Files\Lavasoft
                    2008-04-28 22:36:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
                    2008-04-28 22:35:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
                    2008-04-28 22:11:56 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
                    2008-04-28 21:31:51 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
                    2008-04-28 21:31:25 0 d-------- C:\Program Files\Spyware Doctor
                    2008-04-28 21:31:25 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\PC Tools
                    2008-04-28 18:10:47 0 d---s---- C:\Documents and Settings\Nanda en Eddie\UserData
                    2008-04-27 21:02:54 0 d-------- C:\Program Files\QuickTime
                    2008-04-27 20:39:30 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\Macromedia
                    2008-04-27 20:15:05 0 d-------- C:\Program Files\Bonjour
                    2008-04-27 20:06:18 0 d-------- C:\Program Files\Common Files\Macrovision Shared
                    2008-04-27 19:52:34 0 d-------- C:\Temp
                    2008-04-17 13:25:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
                    2008-04-17 13:24:33 0 d-------- C:\WINDOWS\Cache
                    2008-04-15 15:18:48 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\Adobe
                    2008-04-15 15:17:26 0 d-------- C:\Program Files\Common Files\Adobe
                    2008-04-15 15:14:35 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
                    2008-04-14 21:36:06 0 dr------- C:\Documents and Settings\Nanda en Eddie\Menu Start
                    2008-04-14 21:36:06 0 d--h----- C:\Documents and Settings\Nanda en Eddie\Local Settings
                    2008-04-14 21:36:06 0 dr------- C:\Documents and Settings\Nanda en Eddie\Favorieten
                    2008-04-14 21:36:06 0 d---s---- C:\Documents and Settings\Nanda en Eddie\Cookies
                    2008-04-14 21:36:06 0 d-------- C:\Documents and Settings\Nanda en Eddie\Bureaublad
                    2008-04-14 21:36:06 0 dr-h----- C:\Documents and Settings\Nanda en Eddie\Application Data
                    2008-04-14 21:19:21 0 d-------- C:\WINDOWS\SoftwareDistribution
                    2008-04-14 21:19:20 0 d-------- C:\WINDOWS\Prefetch
                    2008-04-14 21:19:19 0 d---s---- C:\WINDOWS\system32\Microsoft
                    2008-04-14 21:19:18 229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
                    2008-04-14 21:19:18 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
                    2008-04-14 21:19:18 0 d---s---- C:\Documents and Settings\LocalService\Cookies
                    2008-04-14 21:19:18 0 d-------- C:\Documents and Settings\LocalService\Application Data
                    2008-04-14 21:19:18 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
                    2008-04-14 21:19:09 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
                    2008-04-14 21:19:09 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
                    2008-04-14 21:19:09 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
                    2008-04-14 21:19:09 0 d-------- C:\Documents and Settings\NetworkService\Application Data
                    2008-04-14 21:19:09 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
                    2008-04-14 21:14:27 0 d-------- C:\WINDOWS\system32\xircom
                    2008-04-14 21:14:27 0 d-------- C:\Program Files\microsoft frontpage
                    2008-04-14 21:14:09 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
                    2008-04-14 21:13:59 0 -rahs---- C:\MSDOS.SYS
                    2008-04-14 21:13:59 0 -rahs---- C:\IO.SYS
                    2008-04-14 21:13:59 0 --a------ C:\CONFIG.SYS
                    2008-04-14 21:13:59 0 --a------ C:\AUTOEXEC.BAT
                    2008-04-14 21:12:45 0 d--hs---- C:\Documents and Settings\All Users\DRM
                    2008-04-14 21:12:31 0 dr------- C:\WINDOWS\Offline Web Pages
                    2008-04-14 21:12:31 0 d---s---- C:\WINDOWS\Downloaded Program Files
                    2008-04-14 21:12:16 0 d--h----- C:\Program Files\WindowsUpdate
                    2008-04-14 21:12:11 0 d-------- C:\Program Files\Online Services
                    2008-04-14 21:11:53 0 d-------- C:\WINDOWS\system32\DirectX
                    2008-04-14 21:11:24 0 d---s---- C:\WINDOWS\Tasks
                    2008-04-14 21:11:24 0 d-------- C:\Program Files\Common Files\MSSoap
                    2008-04-14 21:11:20 0 d-------- C:\WINDOWS\system32\Macromed
                    2008-04-14 21:11:20 0 d-------- C:\WINDOWS\srchasst
                    2008-04-14 21:11:13 0 d-------- C:\Program Files\Movie Maker
                    2008-04-14 21:11:06 0 d-------- C:\WINDOWS\system32\Restore
                    2008-04-14 21:10:13 21748 --a------ C:\WINDOWS\system32\emptyregdb.dat
                    2008-04-14 21:09:54 0 d-------- C:\WINDOWS\Registration
                    2008-04-14 21:09:39 0 d-------- C:\Program Files\Messenger
                    2008-04-14 21:09:36 0 d-------- C:\Program Files\MSN Gaming Zone
                    2008-04-14 21:09:11 0 d-------- C:\Program Files\Windows NT
                    2008-04-14 21:09:08 0 d-------- C:\WINDOWS\system32\MsDtc
                    2008-04-14 21:09:07 0 d-------- C:\WINDOWS\system32\Com
                    2008-04-11 17:46:26 334848 --a------ C:\WINDOWS\system32\myss_sb.dll
                    2008-04-07 18:17:58 330240 --a------ C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll


                    -- Find3M Report ---------------------------------------------------------------

                    2008-04-28 21:32:59 364638 --a------ C:\WINDOWS\system32\perfh013.dat
                    2008-04-28 21:32:59 53534 --a------ C:\WINDOWS\system32\perfc013.dat
                    2008-04-14 22:58:04 62 --ahs---- C:\Documents and Settings\Nanda en Eddie\Application Data\desktop.ini


                    -- Registry Dump ---------------------------------------------------------------

                    *Note* empty entries & legit default entries are not shown


                    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12c31677-4d60-4ed9-8caf-ef7192be70f2}]
                    C:\WINDOWS\system32\hpqcmokr.dll

                    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CA5CD54-C5F1-4F3A-8E61-4FDAC9701A4D}]
                    C:\WINDOWS\system32\byXOhEwT.dll

                    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}]
                    11-04-2008 17:46 334848 --a------ C:\WINDOWS\system32\myss_sb.dll

                    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bbbaec48-969d-eeba-b4e1-f695c630b702}]
                    07-04-2008 18:17 330240 --a------ C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "{DD-D7-79-9F-DW}"="c:\windows\system32\jjwnw64o.exe"
                    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [22-10-2006 23:24]
                    "@"=""
                    "Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [20-03-2007 16:40]
                    "9cddd730"="C:\WINDOWS\system32\ucneextv.dll"
                    "spa_start"="C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll" [07-04-2008 18:17]
                    "ExploreUpdSched"="C:\WINDOWS\system32\pcntkkdn.exe" [29-04-2008 21:50]
                    "BM9feee4ac"="C:\WINDOWS\system32\wwvwwmkr.dll"

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 14:00]

                    C:\Documents and Settings\Nanda en Eddie\Menu Start\Programma's\Opstarten\
                    Deewoo.lnk - C:\WINDOWS\system32\pcntkkdn.exe [29-4-2008 21:50:09]

                    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXOhEwT

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
                    @="Service"

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


                    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe776f75-0aed-11dd-80c1-0002b34c5b28}]
                    Auto\command- F:\Start.exe
                    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

                    *Newly Created Service* - MDM
                    *Newly Created Service* - PML_DRIVER_HPZ12



                    -- End of Deckard's System Scanner: finished at 2008-04-30 13:53:29 ------------



                    • #11
                      Start HijackThis and tick only the following lines:
                      O2 - BHO: {2f07eb29-17fe-fac8-9de4-06d477613c21} - {12c31677-4d60-4ed9-8caf-ef7192be70f2} - C:\WINDOWS\system32\hpqcmokr.dll (file missing)
                      O2 - BHO: (no name) - {4CA5CD54-C5F1-4F3A-8E61-4FDAC9701A4D} - C:\WINDOWS\system32\byXOhEwT.dll (file missing)
                      O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\system32\myss_sb.dll
                      O2 - BHO: gooochi browser optimizer - {bbbaec48-969d-eeba-b4e1-f695c630b702} - C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll
                      O4 - HKLM\..\Run: [{DD-D7-79-9F-DW}] c:\windows\system32\jjwnw64o.exe DWram
                      O4 - HKLM\..\Run: [9cddd730] rundll32.exe "C:\WINDOWS\system32\ucneextv.dll",b
                      O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll" DllInit
                      O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pcntkkdn.exe DWram
                      O4 - HKLM\..\Run: [BM9feee4ac] Rundll32.exe "C:\WINDOWS\system32\wwvwwmkr.dll",s
                      O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntkkdn.exe
                      O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jjwnw64o.exe

                      Close all open windows (except HijackThis) and click "Fix checked".

                      Restart your computer.

                      After the restart, post a new log from Deckard's System Scanner.
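The following triage sketch is an added example, not part of any post in this thread: it parses HijackThis `O2`/`O4` lines and flags the traits visible in the entries listed above. The heuristic names, the `triage` and `triage_line` functions, and the assumption that `%SystemRoot%` is `C:\WINDOWS` are illustrative; the sample lines are copied from the logs in this thread, and a flag means "review this entry", not a verdict.

```python
import ntpath
import re

# A HijackThis entry is "<section id> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Windows paths ending in .exe/.dll/.sys; spaces and braces are allowed inside the path.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"*?<>|]+?\.(?:exe|dll|sys)\b", re.IGNORECASE)
GUID_DLL_RE = re.compile(
    r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.dll$", re.IGNORECASE
)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)

SYSTEM32 = r"c:\windows\system32"  # assumption: %SystemRoot% as shown in the thread's logs
CORE_PROCESS_NAMES = {
    "lsass.exe", "svchost.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe",
}


def triage_line(line):
    """Return the list of heuristic flags raised by one HijackThis line."""
    match = LINE_RE.match(line.strip())
    if not match:
        return []
    section, body = match.group("section"), match.group("body")
    paths = PATH_RE.findall(body)
    reasons = []

    # BHO registration whose DLL is gone: the registry entry is orphaned.
    if section == "O2" and "(file missing)" in body:
        reasons.append("bho-file-missing")

    for path in paths:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        # A core Windows process name running from anywhere but system32.
        if name in CORE_PROCESS_NAMES and folder != SYSTEM32:
            if "core-process-name-outside-system32" not in reasons:
                reasons.append("core-process-name-outside-system32")
        # A DLL whose file name is a bare GUID in braces.
        if GUID_DLL_RE.match(name) and "guid-named-dll" not in reasons:
            reasons.append("guid-named-dll")

    # Autostart entry that uses rundll32 to load a DLL at logon.
    if (section == "O4" and RUNDLL_RE.search(body)
            and any(p.lower().endswith(".dll") for p in paths)):
        reasons.append("run-key-loads-dll-via-rundll32")
    return reasons


def triage(log_text):
    """Return (line, reasons) for every line of the log that raises a flag."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: {2f07eb29-17fe-fac8-9de4-06d477613c21} - {12c31677-4d60-4ed9-8caf-ef7192be70f2} - C:\WINDOWS\system32\hpqcmokr.dll (file missing)
O2 - BHO: gooochi browser optimizer - {bbbaec48-969d-eeba-b4e1-f695c630b702} - C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll
O4 - HKLM\..\Run: [9cddd730] rundll32.exe "C:\WINDOWS\system32\ucneextv.dll",b
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll" DllInit
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Nanda en Eddie\lsass.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for entry, flags in triage(SAMPLE_LOG):
        print(", ".join(flags), "<=", entry)
```

Legitimate software also registers `rundll32` autostarts, so that flag on its own only marks an entry for a closer look at the DLL it loads.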



                      • #12
                        DSS log

                        Deckard's System Scanner v20071014.68
                        Run by Nanda en Eddie on 2008-04-30 15:07:41
                        Computer is in Normal Mode.
                        --------------------------------------------------------------------------------



                        -- HijackThis (run as Nanda en Eddie.exe) --------------------------------------

                        Logfile of Trend Micro HijackThis v2.0.2
                        Scan saved at 15:07:42, on 30-4-2008
                        Platform: Windows XP SP2 (WinNT 5.01.2600)
                        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
                        Boot mode: Normal

                        Running processes:
                        C:\WINDOWS\System32\smss.exe
                        C:\WINDOWS\system32\winlogon.exe
                        C:\WINDOWS\system32\services.exe
                        C:\WINDOWS\system32\lsass.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                        C:\WINDOWS\system32\spoolsv.exe
                        C:\WINDOWS\Explorer.EXE
                        C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
                        C:\Documents and Settings\Nanda en Eddie\lsass.exe
                        C:\WINDOWS\system32\ctfmon.exe
                        C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                        C:\Program Files\Bonjour\mDNSResponder.exe
                        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                        C:\WINDOWS\system32\wscntfy.exe
                        C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
                        C:\Program Files\Internet Explorer\IEXPLORE.EXE
                        C:\WINDOWS\system32\wuauclt.exe
                        C:\WINDOWS\system32\wuauclt.exe
                        C:\Documents and Settings\Nanda en Eddie\Bureaublad\dss.exe
                        C:\PROGRA~1\TRENDM~1\HIJACK~1\NANDAE~1.EXE

                        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
                        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                        O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
                        O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
                        O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
                        O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Nanda en Eddie\lsass.exe
                        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                        O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
                        O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
                        O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
                        O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
                        O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
                        O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                        O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
                        O4 - Global Startup: hp psc 1000 series.lnk = ?
                        O4 - Global Startup: hpoddt01.exe.lnk = ?
                        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                        O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                        O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
                        O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
                        O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
                        O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                        O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                        O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                        O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                        O8 - Extra context menu item: Toevoegen aan bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                        O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
                        O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                        O23 - Service: Adobe Version Cue CS3 {nl_NL} (Adobe Version Cue CS3) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
                        O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                        O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                        O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
                        O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
                        O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

                        --
                        End of file - 5787 bytes

                        -- Files created between 2008-03-30 and 2008-04-30 -----------------------------

                        2008-04-30 13:57:11 29696 ---hs---- C:\Documents and Settings\Nanda en Eddie\lsass.exe
                        2008-04-30 13:03:36 0 d-------- C:\Program Files\Canon
                        2008-04-30 13:03:33 0 d-------- C:\Program Files\Common Files\Canon
                        2008-04-30 12:56:11 0 d-------- C:\WINDOWS\ShellNew
                        2008-04-30 12:51:26 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\Hewlett-Packard
                        2008-04-30 12:48:25 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
                        2008-04-30 12:47:03 0 d-------- C:\Program Files\Hewlett-Packard
                        2008-04-30 12:46:12 16606 -----n--- C:\WINDOWS\hpomdl01.dat
                        2008-04-30 12:46:12 19575 --a------ C:\WINDOWS\hpoins01.dat
                        2008-04-30 12:14:19 89070 --a------ C:\WINDOWS\system32\myss_sb_uninstall.exe
                        2008-04-30 12:13:36 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
                        2008-04-30 12:13:31 298313 --a------ C:\WINDOWS\system32\gside.exe
                        2008-04-29 21:50:14 861 --a------ C:\WINDOWS\system32\winpfz33.sys
                        2008-04-29 21:50:09 200765 --a------ C:\WINDOWS\system32\pcntkkdn.exe
                        2008-04-29 21:42:10 0 d-------- C:\Program Files\Trend Micro
                        2008-04-29 21:37:18 0 d-------- C:\RVAXO
                        2008-04-29 21:34:38 809270 --a------ C:\WINDOWS\system32\RVAXO.bat
                        2008-04-29 21:34:38 69632 --a------ C:\WINDOWS\system32\remove.exe
                        2008-04-28 22:40:33 0 d-------- C:\Program Files\Panda Security
                        2008-04-28 22:36:22 0 d-------- C:\Program Files\Lavasoft
                        2008-04-28 22:36:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
                        2008-04-28 22:35:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
                        2008-04-28 22:11:56 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
                        2008-04-28 21:31:51 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
                        2008-04-28 21:31:25 0 d-------- C:\Program Files\Spyware Doctor
                        2008-04-28 21:31:25 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\PC Tools
                        2008-04-28 18:10:47 0 d---s---- C:\Documents and Settings\Nanda en Eddie\UserData
                        2008-04-27 21:02:54 0 d-------- C:\Program Files\QuickTime
                        2008-04-27 20:39:30 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\Macromedia
                        2008-04-27 20:15:05 0 d-------- C:\Program Files\Bonjour
                        2008-04-27 20:06:18 0 d-------- C:\Program Files\Common Files\Macrovision Shared
                        2008-04-27 19:52:34 0 d-------- C:\Temp
                        2008-04-17 13:25:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
                        2008-04-17 13:24:33 0 d-------- C:\WINDOWS\Cache
                        2008-04-15 15:18:48 0 d-------- C:\Documents and Settings\Nanda en Eddie\Application Data\Adobe
                        2008-04-15 15:17:26 0 d-------- C:\Program Files\Common Files\Adobe
                        2008-04-15 15:14:35 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
                        2008-04-14 21:13:59 0 -rahs---- C:\IO.SYS
                        2008-04-14 21:13:59 0 --a------ C:\CONFIG.SYS
                        2008-04-14 21:13:59 0 --a------ C:\AUTOEXEC.BAT
                        2008-04-14 21:12:45 0 d--hs---- C:\Documents and Settings\All Users\DRM
                        2008-04-14 21:12:31 0 dr------- C:\WINDOWS\Offline Web Pages
                        2008-04-14 21:12:31 0 d---s---- C:\WINDOWS\Downloaded Program Files
                        2008-04-14 21:12:16 0 d--h----- C:\Program Files\WindowsUpdate
                        2008-04-14 21:12:11 0 d-------- C:\Program Files\Online Services
                        2008-04-14 21:11:53 0 d-------- C:\WINDOWS\system32\DirectX
                        2008-04-14 21:11:24 0 d---s---- C:\WINDOWS\Tasks
                        2008-04-14 21:11:24 0 d-------- C:\Program Files\Common Files\MSSoap
                        2008-04-14 21:11:20 0 d-------- C:\WINDOWS\system32\Macromed
                        2008-04-14 21:11:20 0 d-------- C:\WINDOWS\srchasst
                        2008-04-14 21:11:13 0 d-------- C:\Program Files\Movie Maker
                        2008-04-14 21:11:06 0 d-------- C:\WINDOWS\system32\Restore
                        2008-04-14 21:10:13 21748 --a------ C:\WINDOWS\system32\emptyregdb.dat
                        2008-04-14 21:09:54 0 d-------- C:\WINDOWS\Registration
                        2008-04-14 21:09:39 0 d-------- C:\Program Files\Messenger
                        2008-04-14 21:09:36 0 d-------- C:\Program Files\MSN Gaming Zone
                        2008-04-14 21:09:11 0 d-------- C:\Program Files\Windows NT
                        2008-04-14 21:09:08 0 d-------- C:\WINDOWS\system32\MsDtc
                        2008-04-14 21:09:07 0 d-------- C:\WINDOWS\system32\Com
                        2008-04-11 17:46:26 334848 --a------ C:\WINDOWS\system32\myss_sb.dll
                        2008-04-07 18:17:58 330240 --a------ C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll


                        -- Find3M Report ---------------------------------------------------------------

                        2008-04-28 21:32:59 364638 --a------ C:\WINDOWS\system32\perfh013.dat
                        2008-04-28 21:32:59 53534 --a------ C:\WINDOWS\system32\perfc013.dat
                        2008-04-14 22:58:04 62 --ahs---- C:\Documents and Settings\Nanda en Eddie\Application Data\desktop.ini


                        -- Registry Dump ---------------------------------------------------------------

                        *Note* empty entries & legit default entries are not shown


                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [22-10-2006 23:24]
                        "@"=""
                        "Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [20-03-2007 16:40]
                        "LSA Shellu"="C:\Documents and Settings\Nanda en Eddie\lsass.exe" [30-03-2008 10:23]

                        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 14:00]

                        C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
                        Adobe Acrobat Snelle start.lnk - C:\WINDOWS\Installer\{AC76BA86-1040-7D00-7760-000000000003}\_SC_Acrobat.exe [27-4-2008 21:00:24]
                        Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [15-4-2008 15:17:31]
                        Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [23-10-2006 0:01:50]
                        hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [9-4-2003 18:21:38]
                        hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [9-4-2003 18:11:12]
                        Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13-2-2001 10:01:04]

                        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                        "Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXOhEwT

                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
                        @="Service"

                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




                        -- End of Deckard's System Scanner: finished at 2008-04-30 15:08:48 ------------



                        • #13
                          Open the avenger folder and start the program by double-clicking avenger.exe.
                          In the Input Script here window, copy and paste the bold text below:


                          Files to delete:
                          C:\WINDOWS\system32\myss_sb.dll
                          C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll
                          C:\Documents and Settings\Nanda en Eddie\lsass.exe
                          C:\WINDOWS\system32\myss_sb_uninstall.exe
                          C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
                          C:\WINDOWS\system32\gside.exe
                          C:\WINDOWS\system32\winpfz33.sys
                          C:\WINDOWS\system32\pcntkkdn.exe


                          Then click the Execute button.
                          The Avenger will indicate that the computer is going to restart; allow this.
                          After the reboot a log file (avenger.txt) opens. Post the contents of this log file together with a new HijackThis log.



                          • #14
                            avenger log

                            Logfile of The Avenger Version 2.0, (c) by Swandog46
                            http://swandog46.geekstogo.com

                            Platform: Windows XP

                            *******************

                            Script file opened successfully.
                            Script file read successfully.

                            Backups directory opened successfully at C:\Avenger

                            *******************

                            Beginning to process script file:

                            Rootkit scan active.
                            No rootkits found!


                            Error: folder "C:\Documents and Settings\LocalService\Application Data\NetMon" not found!
                            Deletion of folder "C:\Documents and Settings\LocalService\Application Data\NetMon" failed!
                            Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
                            --> the object does not exist


                            Error: folder "C:\WINDOWS\U3RhbQ" not found!
                            Deletion of folder "C:\WINDOWS\U3RhbQ" failed!
                            Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
                            --> the object does not exist

                            File "C:\Documents and Settings\Nanda en Eddie\lsass.exe" deleted successfully.
                            File "C:\WINDOWS\system32\myss_sb_uninstall.exe" deleted successfully.
                            File "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" deleted successfully.
                            File "C:\WINDOWS\system32\gside.exe" deleted successfully.
                            File "C:\WINDOWS\system32\winpfz33.sys" deleted successfully.
                            File "C:\WINDOWS\system32\pcntkkdn.exe" deleted successfully.

                            Completed script processing.

                            *******************

                            Finished! Terminate.



                            • #15
                              You were too quick for me, I had changed something else.

                              Open the avenger folder and start the program by double-clicking avenger.exe.
                              In the Input Script here window, copy and paste the bold text below:


                              Files to delete:
                              C:\WINDOWS\system32\myss_sb.dll
                              C:\WINDOWS\system32\{691029fd-63a5-ee8b-c64e-a05c2b7c6392}.dll


                              Then click the Execute button.
                              The Avenger will indicate that the computer is going to restart; allow this.
                              After the reboot a log file (avenger.txt) opens. Post the contents of this log file together with a new HijackThis log.
