Mededeling

**Nanda** · 30-04-08, 19:48

Rvaxo

---RVAXO.exe Updated: 2008-04-30---first run---
Uninstallers:

Files found:
C:\WINDOWS\system32\ljJBuTlk.dll.vir
C:\WINDOWS\BMdf86ffec.xml
C:\WINDOWS\BMdf86ffec.txt
C:\WINDOWS\system32\UvyccMoq.ini2
C:\WINDOWS\pskt.ini
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\clkcnt.txt
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\lcntkkdn.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\msnav32.ax
C:\Documents and Settings\Nanda Stam\lsass.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\Prefetch\MROFINU.EXE-27CE430A.pf
C:\WINDOWS\Prefetch\MROFINU1188.EXE-2D6F2449.pf
C:\WINDOWS\system32\pac.txt
C:\Documents and Settings\Nanda Stam\Menu Start\PROGRA~1\Opstarten\Deewoo.lnk
C:\Documents and Settings\Nanda Stam\Menu Start\PROGRA~1\Opstarten\DW_Start.lnk

Folders Found:
C:\Program Files\CPV
C:\Program Files\Svconr
C:\WINDOWS\system32\ve2
C:\WINDOWS\system32\p7
C:\WINDOWS\system32\n4
C:\WINDOWS\system32\pnVes18
C:\Program Files\Network Monitor
C:\Program Files\Temporary
C:\Program Files\Inetget2
C:\Program Files\javacore
C:\Documents and Settings\Nanda Stam\Application Data\SpeedRunner
C:\Temp\1cb
C:\Documents and Settings\LocalService\Application Data\NetMon

Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------
Not deleted items:
C:\WINDOWS\pskt.ini
C:\WINDOWS\BMdf86ffec.txt

--------------RVAXO.exe finished----------------

**Nanda** · 30-04-08, 19:49

Vbg

[04/30/2008, 18:51:43] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Nanda Stam\Bureaublad\VirtumundoBeGone.exe" )
[04/30/2008, 18:51:45] - Detected System Information:
[04/30/2008, 18:51:45] - Windows Version: 5.1.2600, Service Pack 1
[04/30/2008, 18:51:46] - Current Username: Nanda Stam (Admin)
[04/30/2008, 18:51:46] - Windows is in NORMAL mode.
[04/30/2008, 18:51:46] - Searching for Browser Helper Objects:
[04/30/2008, 18:51:46] - BHO 1: {15421B84-3488-49A7-AD18-CBF84A3EFAF6} (BHO Class)
[04/30/2008, 18:51:46] - BHO 2: {7265e4e2-310b-414b-a723-87e5cb193d40} ()
[04/30/2008, 18:51:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/30/2008, 18:51:47] - Checking for HKLM\...\Winlogon\Notify\xbqutqyw
[04/30/2008, 18:51:47] - Key not found: HKLM\...\Winlogon\Notify\xbqutqyw, continuing.
[04/30/2008, 18:51:47] - BHO 3: {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} ()
[04/30/2008, 18:51:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/30/2008, 18:51:47] - Checking for HKLM\...\Winlogon\Notify\ljJBuTlk
[04/30/2008, 18:51:47] - Found: HKLM\...\Winlogon\Notify\ljJBuTlk - This is probably Virtumundo.
[04/30/2008, 18:51:48] - Assigning {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} MSEvents Object
[04/30/2008, 18:51:48] - BHO list has been changed! Starting over...
[04/30/2008, 18:51:48] - BHO 1: {15421B84-3488-49A7-AD18-CBF84A3EFAF6} (BHO Class)
[04/30/2008, 18:51:48] - BHO 2: {7265e4e2-310b-414b-a723-87e5cb193d40} ()
[04/30/2008, 18:51:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/30/2008, 18:51:48] - Checking for HKLM\...\Winlogon\Notify\xbqutqyw
[04/30/2008, 18:51:48] - Key not found: HKLM\...\Winlogon\Notify\xbqutqyw, continuing.
[04/30/2008, 18:51:49] - BHO 3: {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} (MSEvents Object)
[04/30/2008, 18:51:49] - ALERT: Found MSEvents Object!
[04/30/2008, 18:51:49] - BHO 4: {EEBDC44B-70E0-4374-921D-4EC823CFAEE3} ()
[04/30/2008, 18:51:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/30/2008, 18:51:49] - Checking for HKLM\...\Winlogon\Notify\qoMccyvU
[04/30/2008, 18:51:49] - Key not found: HKLM\...\Winlogon\Notify\qoMccyvU, continuing.
[04/30/2008, 18:51:49] - Finished Searching Browser Helper Objects
[04/30/2008, 18:51:49] - *** Detected MSEvents Object
[04/30/2008, 18:51:50] - Trying to remove MSEvents Object...
[04/30/2008, 18:51:51] - Terminating Process: IEXPLORE.EXE
[04/30/2008, 18:51:54] - Terminating Process: RUNDLL32.EXE
[04/30/2008, 18:51:55] - Disabling Automatic Shell Restart
[04/30/2008, 18:51:55] - Terminating Process: EXPLORER.EXE
[04/30/2008, 18:51:58] - Suspending the NT Session Manager System Service
[04/30/2008, 18:51:58] - Terminating Windows NT Logon/Logoff Manager
[04/30/2008, 18:51:59] - Re-enabling Automatic Shell Restart
[04/30/2008, 18:51:59] - File to disable: C:\WINDOWS\System32\ljJBuTlk.dll
[04/30/2008, 18:51:59] - Renaming C:\WINDOWS\System32\ljJBuTlk.dll -> C:\WINDOWS\System32\ljJBuTlk.dll.vir
[04/30/2008, 18:52:00] - File successfully renamed!
[04/30/2008, 18:52:00] - Removing HKLM\...\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
[04/30/2008, 18:52:00] - Removing HKCR\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
[04/30/2008, 18:52:00] - Adding Kill Bit for ActiveX for GUID: {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
[04/30/2008, 18:52:01] - Deleting ATLEvents/MSEvents Registry entries
[04/30/2008, 18:52:01] - Removing HKLM\...\Winlogon\Notify\ljJBuTlk
[04/30/2008, 18:52:01] - Searching for Browser Helper Objects:
[04/30/2008, 18:52:01] - BHO 1: {15421B84-3488-49A7-AD18-CBF84A3EFAF6} (BHO Class)
[04/30/2008, 18:52:01] - BHO 2: {7265e4e2-310b-414b-a723-87e5cb193d40} ()
[04/30/2008, 18:52:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/30/2008, 18:52:02] - Checking for HKLM\...\Winlogon\Notify\xbqutqyw
[04/30/2008, 18:52:02] - Key not found: HKLM\...\Winlogon\Notify\xbqutqyw, continuing.
[04/30/2008, 18:52:02] - BHO 3: {EEBDC44B-70E0-4374-921D-4EC823CFAEE3} ()
[04/30/2008, 18:52:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/30/2008, 18:52:02] - Checking for HKLM\...\Winlogon\Notify\qoMccyvU
[04/30/2008, 18:52:02] - Key not found: HKLM\...\Winlogon\Notify\qoMccyvU, continuing.
[04/30/2008, 18:52:02] - Finished Searching Browser Helper Objects
[04/30/2008, 18:52:02] - Finishing up...
[04/30/2008, 18:52:03] - A restart is needed.
[04/30/2008, 18:52:05] - Attempting to Restart via STOP error (Blue Screen!)

[04/30/2008, 19:10:34] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Nanda Stam\Bureaublad\VirtumundoBeGone.exe" )
[04/30/2008, 19:10:37] - Detected System Information:
[04/30/2008, 19:10:38] - Windows Version: 5.1.2600, Service Pack 1
[04/30/2008, 19:10:38] - Current Username: Nanda Stam (Admin)
[04/30/2008, 19:10:38] - Windows is in NORMAL mode.
[04/30/2008, 19:10:38] - Searching for Browser Helper Objects:
[04/30/2008, 19:10:38] - BHO 1: {15421B84-3488-49A7-AD18-CBF84A3EFAF6} (BHO Class)
[04/30/2008, 19:10:38] - BHO 2: {1F79A5E2-A27D-49CD-AC19-B5DD545FA9E7} ()
[04/30/2008, 19:10:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/30/2008, 19:10:39] - Checking for HKLM\...\Winlogon\Notify\qoMccyvU
[04/30/2008, 19:10:39] - Key not found: HKLM\...\Winlogon\Notify\qoMccyvU, continuing.
[04/30/2008, 19:10:39] - BHO 3: {7265e4e2-310b-414b-a723-87e5cb193d40} ()
[04/30/2008, 19:10:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/30/2008, 19:10:40] - Checking for HKLM\...\Winlogon\Notify\xbqutqyw
[04/30/2008, 19:10:40] - Key not found: HKLM\...\Winlogon\Notify\xbqutqyw, continuing.
[04/30/2008, 19:10:40] - Finished Searching Browser Helper Objects
[04/30/2008, 19:10:40] - Finishing up...
[04/30/2008, 19:10:40] - Nothing found! Exiting...

**smeenk** · 30-04-08, 21:02

Open een kladblokbestand.
Kopieer onderstaande (alles wat vetgedrukt is) in dit kladblokbestand.

@ECHO OFF
IF EXIST log.txt DEL log.txt
sc stop cmdService
sc delete cmdService
RD /S /Q C:\WINDOWS\TmFuZGE
RD /S /Q C:\WINDOWS\sstem~1
ECHO Deleting files>>log.txt
FOR %%g in (
C:\WINDOWS\TmFuZGE\command.exe
C:\WINDOWS\System32\winpfz33.sys
C:\WINDOWS\System32\lcntkkdn.exe
C:\WINDOWS\System32\UvyccMoq.ini2
"C:\Documents and Settings\Nanda Stam\Menu Start\PROGRA~1\Opstarten\Deewoo.lnk"
"C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe"
C:\WINDOWS\System32\nyfrkvvt.dll
C:\WINDOWS\System32\xbqutqyw.dll
C:\WINDOWS\System32\axsphkyr.dll
C:\WINDOWS\System32\iuownmad.dll
C:\WINDOWS\System32\bmisxuaq.dll
C:\WINDOWS\System32\jjwnw64o.exe
C:\WINDOWS\System32\qoMccyvU.dll
C:\WINDOWS\System32\g15.exe
C:\WINDOWS\b157.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\TmFuZGE
C:\WINDOWS\sstem~1) DO (
DEL /Q %%gNUCIA
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
REN %%g *NUCIA
IF EXIST %%gNUCIA (
ECHO renamed to %%gNUCIA>>log.txt)
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Ga naar Bestand - Opslaan als.
Bij "Opslaan in" kies je: Bureaublad
Bij "Bestandsnaam" zet je: del.bat
Bij "Opslaan als type" selecteer je: Alle bestanden (*.*).
Klik op de knop Opslaan.

Dubbelklik op del.bat en post de inhoud van de logfile die opent.

**Nanda** · 30-04-08, 21:16

del.bat log

Deleting files
renamed to C:\WINDOWS\TmFuZGE\command.exeNUCIA
C:\WINDOWS\TmFuZGE\command.exe deleted
C:\WINDOWS\System32\winpfz33.sys deleted
renamed to C:\WINDOWS\System32\lcntkkdn.exeNUCIA
C:\WINDOWS\System32\lcntkkdn.exe deleted
C:\WINDOWS\System32\UvyccMoq.ini2 deleted
"C:\Documents and Settings\Nanda Stam\Menu Start\PROGRA~1\Opstarten\Deewoo.lnk" deleted
"C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe" deleted
renamed to C:\WINDOWS\System32\nyfrkvvt.dllNUCIA
C:\WINDOWS\System32\nyfrkvvt.dll deleted
renamed to C:\WINDOWS\System32\xbqutqyw.dllNUCIA
C:\WINDOWS\System32\xbqutqyw.dll deleted
C:\WINDOWS\System32\axsphkyr.dll deleted
C:\WINDOWS\System32\iuownmad.dll deleted
C:\WINDOWS\System32\bmisxuaq.dll deleted
C:\WINDOWS\System32\jjwnw64o.exe deleted
C:\WINDOWS\System32\qoMccyvU.dll not deleted
C:\WINDOWS\System32\g15.exe deleted
C:\WINDOWS\b157.exe deleted
C:\WINDOWS\b152.exe deleted
C:\WINDOWS\TmFuZGE not deleted
C:\WINDOWS\sstem~1 not deleted

**smeenk** · 30-04-08, 21:19

Herstart even je computer.

Dubbelklik na de herstart opnieuw op del.bat en post het nieuwe logje.

Download dit bestand: zoek.exe
Dubbelklik het, na een tijdje opent er een logje.
Post de inhoud van dit logje in je volgende bericht

**Nanda** · 30-04-08, 21:48

del.bat

Deleting files
C:\WINDOWS\TmFuZGE\command.exe not found
C:\WINDOWS\System32\winpfz33.sys not found
C:\WINDOWS\System32\lcntkkdn.exe not found
C:\WINDOWS\System32\UvyccMoq.ini2 not found
"C:\Documents and Settings\Nanda Stam\Menu Start\PROGRA~1\Opstarten\Deewoo.lnk" not found
"C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe" not found
C:\WINDOWS\System32\nyfrkvvt.dll not found
C:\WINDOWS\System32\xbqutqyw.dll not found
C:\WINDOWS\System32\axsphkyr.dll not found
C:\WINDOWS\System32\iuownmad.dll not found
C:\WINDOWS\System32\bmisxuaq.dll not found
C:\WINDOWS\System32\jjwnw64o.exe not found
C:\WINDOWS\System32\qoMccyvU.dll not deleted
C:\WINDOWS\System32\g15.exe not found
C:\WINDOWS\b157.exe not found
C:\WINDOWS\b152.exe not found
C:\WINDOWS\TmFuZGE not found
C:\WINDOWS\sstem~1 not found

**Nanda** · 30-04-08, 21:49

zoek log

======C:\WINDOWS====
----a-w 0 2008-04-30 19:45:17 C:\WINDOWS\0.log
----a-w 3,850 2008-04-30 18:53:46 C:\WINDOWS\BMdf86ffec.txt
--s-a-w 2,048 2008-04-30 19:44:18 C:\WINDOWS\bootstat.dat
----a-w 228 2008-04-30 18:46:47 C:\WINDOWS\cookies.ini
----a-w 32,634 2008-04-30 17:12:42 C:\WINDOWS\SchedLgU.Txt
----a-w 808,470 2008-04-30 17:10:39 C:\WINDOWS\setupapi.log
----a-w 157 2008-04-30 19:44:55 C:\WINDOWS\wiadebug.log
----a-w 49 2008-04-30 19:44:48 C:\WINDOWS\wiaservc.log
----a-w 1,072,517 2008-04-30 19:44:52 C:\WINDOWS\WindowsUpdate.log

Entries: 9 (8)
Directories: 0 Files: 9
Bytes: 1,919,953 Blocks: 3,754
======C:\WINDOWS\system32=====
----a-w 687,592 2008-04-30 17:21:12 C:\WINDOWS\System32\atmtd.dll._
----a-w 15 2008-04-30 18:48:35 C:\WINDOWS\System32\clkcnt.txt
--sh--w 1,482,698 2008-04-30 10:22:20 C:\WINDOWS\System32\elylmcsv.ini
----a-w 128 2008-04-30 17:35:05 C:\WINDOWS\System32\msnav32.ax
----a-w 40,326 2008-03-30 08:36:11 C:\WINDOWS\System32\perfc009.dat
----a-w 53,850 2008-03-30 08:36:11 C:\WINDOWS\System32\perfc013.dat
----a-w 311,938 2008-03-30 08:36:11 C:\WINDOWS\System32\perfh009.dat
----a-w 364,882 2008-03-30 08:36:11 C:\WINDOWS\System32\perfh013.dat
----a-w 776,622 2008-03-30 08:36:10 C:\WINDOWS\System32\PerfStringBackup.INI
----a-w 281,600 2008-04-27 18:03:22 C:\WINDOWS\System32\qoMccyvU.dll
----a-w 811,298 2008-04-30 08:10:56 C:\WINDOWS\System32\RVAXO.bat
----a-w 49,175 2008-04-30 17:24:46 C:\WINDOWS\System32\rwwnw64d.exeRVAXO
--sh--w 1,483,197 2008-04-30 18:54:03 C:\WINDOWS\System32\tvvkrfyn.ini
--sha-w 203,748 2008-04-30 19:46:13 C:\WINDOWS\System32\UvyccMoq.ini
----a-w 13,646 2008-04-30 10:15:38 C:\WINDOWS\System32\wpa.dbl
----a-w 21 2008-04-30 17:35:08 C:\WINDOWS\System32\zxdnt3d.cfg

Entries: 16 (13)
Directories: 0 Files: 16
Bytes: 6,560,736 Blocks: 12,821
======C:\WINDOWS\system32\drivers=====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=======C:\Program Files=====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=======C:=====
----a-w 1,514 2008-04-30 17:17:48 C:\firstrun5.log
--sha-w 352,321,536 2008-04-30 19:44:13 C:\pagefile.sys
----a-w 1,698 2008-04-30 17:28:31 C:\RVAXO-results.log
----a-w 1,167 2008-04-30 17:29:38 C:\RVAXO-Vfind.log

Entries: 4 (3)
Directories: 0 Files: 4
Bytes: 352,325,915 Blocks: 688,138
======C:\Documents and Settings\Nanda Stam\Application Data======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======C:\Temp======
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======C:\Documents and Settings\Nanda Stam======
----a-w 4,718,592 2008-04-30 19:43:14 C:\Documents and Settings\Nanda Stam\ntuser.dat
---ha-w 57,344 2008-04-30 19:46:18 C:\Documents and Settings\Nanda Stam\ntuser.dat.LOG
--sh--w 190 2008-04-30 19:43:14 C:\Documents and Settings\Nanda Stam\ntuser.ini

Entries: 3 (1)
Directories: 0 Files: 3
Bytes: 4,776,126 Blocks: 9,329
======C:\WINDOWS\Downloaded Program Files====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=============

**smeenk** · 30-04-08, 22:40

Download The Avenger en pak het programma uit op je bureaublad.
Open de map avenger en start het programma door op avenger.exe te dubbelklikken.
In het venster Input Script here, kopieer en plak je onderstaande dikgedrukte tekst:

Files to delete:
C:\WINDOWS\System32\qoMccyvU.dll

Klik daarna op de knop Execute.
The Avenger zal aangeven dat de computer gaat herstarten, sta dit toe.
Na reboot opent een logfile (avenger.txt). Post de inhoud van deze logfile.

Open een kladblokbestand.
Kopieer onderstaande (alles wat vetgedrukt is) in dit kladblokbestand.

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
C:\WINDOWS\BMdf86ffec.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\System32\atmtd.dll._
C:\WINDOWS\System32\clkcnt.txt
C:\WINDOWS\System32\elylmcsv.ini
C:\WINDOWS\System32\msnav32.ax
C:\WINDOWS\System32\qoMccyvU.dll
C:\WINDOWS\System32\rwwnw64d.exeRVAXO
C:\WINDOWS\System32\tvvkrfyn.ini
C:\WINDOWS\System32\UvyccMoq.ini
C:\WINDOWS\System32\zxdnt3d.cfg) DO (
DEL /Q %%gNUCIA
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
REN %%g *NUCIA
IF EXIST %%gNUCIA (
ECHO renamed to %%gNUCIA>>log.txt)
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Ga naar Bestand - Opslaan als.
Bij "Opslaan in" kies je: Bureaublad
Bij "Bestandsnaam" zet je: del.bat
Bij "Opslaan als type" selecteer je: Alle bestanden (*.*).
Klik op de knop Opslaan.

Dubbelklik op del.bat en post de inhoud van de logfile die opent.

Post nu ook een nieuw logje van Hijackthis

**Nanda** · 30-04-08, 23:09

del.bat geeft geen log, hier wel de hijack

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:07:51, on 30-4-2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\TSKS~1\userinit.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nanda Stam\Bureaublad\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV8.dll (file missing)
O2 - BHO: (no name) - {49672C9A-1414-4404-A90C-B88CB7C91A60} - C:\WINDOWS\System32\qoMccyvU.dll (file missing)
O2 - BHO: {04d391bc-5e78-327a-b414-b0132e4e5627} - {7265e4e2-310b-414b-a723-87e5cb193d40} - C:\WINDOWS\System32\xbqutqyw.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [{5C-CC-CD-DF-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [dcb5cc70] rundll32.exe "C:\WINDOWS\System32\nyfrkvvt.dll",b
O4 - HKLM\..\Run: [BMdf86ffec] Rundll32.exe "C:\WINDOWS\System32\axsphkyr.dll",s
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\lcntkkdn.exe DWram
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Urrh] "C:\WINDOWS\System32\TSKS~1\userinit.exe" -vt yazb
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 4565 bytes

**smeenk** · 30-04-08, 23:16

Start Hijackthis en vink alleen de volgende regels aan:
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV8.dll (file missing)
O2 - BHO: (no name) - {49672C9A-1414-4404-A90C-B88CB7C91A60} - C:\WINDOWS\System32\qoMccyvU.dll (file missing)
O2 - BHO: {04d391bc-5e78-327a-b414-b0132e4e5627} - {7265e4e2-310b-414b-a723-87e5cb193d40} - C:\WINDOWS\System32\xbqutqyw.dll (file missing)
O4 - HKLM\..\Run: [{5C-CC-CD-DF-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [dcb5cc70] rundll32.exe "C:\WINDOWS\System32\nyfrkvvt.dll",b
O4 - HKLM\..\Run: [BMdf86ffec] Rundll32.exe "C:\WINDOWS\System32\axsphkyr.dll",s
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\lcntkkdn.exe DWram
O4 - HKCU\..\Run: [Urrh] "C:\WINDOWS\System32\TSKS~1\userinit.exe" -vt yazb
Sluit alle openstaande vensters(behalve Hijackthis) en klik op de knop "Fix checked".

Herstart de computer.

Post na de herstart een nieuw logje van Hijackthis en vertel of er nog problemen zijn

**Nanda** · 30-04-08, 23:26

log... geen popup meer gekregen sinds een half uur

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:25:11, on 30-4-2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Nanda Stam\Bureaublad\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 3771 bytes

**smeenk** · 30-04-08, 23:28

Deze map mag je nog verwijderen:
C:\avenger

1) Open een kladblokbestand.
2) Kopieer onderstaande code in dit kladblokbestand.
3) Ga naar Bestand - Opslaan als.
-Bij "Opslaan in" kies je: Bureaublad
-Bij "Bestandsnaam" zet je: fix.reg
-Bij "Opslaan als type" selecteer je: Alle bestanden (*.*).
-Klik op de knop Opslaan.

Code:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

4) Dubbelklik op de fix.reg file en laat de wijzigingen aan het register toevoegen.

Download ATF cleaner (mirror)(gemaakt door Atribune)

Belangrijk: Sluit al je browservensters(IE en/of Firefox en/of Opera) om de tool goed te kunnen laten werken.

Dubbelklik op ATF cleaner om het programma te starten.
Op het tabblad "Main", plaats je een vinkje bij Select All.
Klik op de knop Empty Selected.

Het volgende doen als je ook FireFox als browser hebt:
Klik op tabblad "Firefox", plaats een vinkje bij Select All.
Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
(dit haalt het vinkje weer weg bij "Firefox saved passwords")
Klik op de knop Empty Selected.

Het volgende doen als je ook Opera als browser hebt:
Klik op tabblad "Opera", plaats een vinkje bij Select All.
Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
Klik op de knop Empty Selected.
Ga naar het tabblad "Main" en klik op de knop Exit om het programma af te sluiten.

Schakel Systeemherstel uit. Herstart de computer. Schakel Systeemherstel weer in.
Kijk hier hoe je je systeemherstel moet uitschakelen.
Hiermee verwijder je eventuele restanten van de infecties uit je systeemherstel.

Dan denk ik dat alles weer OK is

**Nanda** · 30-04-08, 23:40

Super blij

hoi hoi,

Het lijkt opgelost, nogmaals super bedankt voor je tijd en hulp!!!

**smeenk** · 30-04-08, 23:45

Graag gedaan hoor

Nog 2 dingetjes:

1. Je Windows is niet up to date, installeer SP2 en daarna alle beschikbare beveiligingsupdates.
Een Windows die niet up to date is zal namelijk veel sneller opnieuw geïnfecteerd raken.
Lees hier meer: http://www.microsoft.com/netherlands...2/default.aspx

2. Je hebt geen antivirus geïnstalleerd, deze acht ik noodzakelijk als je met je computer het internet op wilt.
Kijk eens naar deze link:

Nucia Security Forums

http://www.nucia.eu/forum/showthread.php?t=55

Daar staan ook enkele gratis virusscanners

Mededeling

spam pop ups

spam pop ups

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment