Mededeling

**smeenk** · 13-05-08, 11:12

Download Malwarebytes' Anti-Malware via hier of hier.

Dubbelklik mbam-setup.exe om het programma te installeren.

Zorg ervoor dat er een vinkje geplaatst is voor Update Malwarebytes' Anti-Malware en Launch Malwarebytes' Anti-Malware, Klik daarna op "finish".
Indien een update gevonden werd, zal het die downloaden en de laatste versie installeren.
Wanneer het programma volledig up to date is, selecteer "Perform Quick Scan", daarna klik Scan.
Het scannen kan een tijdje duren, dus wees geduldig.
Wanneer de scan voltooid is, klik OK, daarna "Show Results" om de resultaten te zien.
Zorg ervoor dat daar alles aangevinkt is, daarna klik: Remove Selected.
Na het verwijderen zal een log openen en zal er gevraagd worden om de computer opnieuw op te starten. (Zie extra nota onderaan)
De log wordt automatisch bewaard door MBAM die je kan zien door de "Logs" tab te klikken in MBAM.
Kopieer en plak de resultaten van de log in je volgend antwoord, samen met een nieuw HijackThislog.

Extra opmerking:
Indien MBAM moeilijkheden heeft met het verwijderen van bepaalde bestanden zal het enkele meldingen geven waar je OK moet klikken. Daarna zal het vragen om de Computer opnieuw op te starten... dus sta toe dat MBAM de computer opnieuw opstart.

**Keye** · 13-05-08, 12:04

Je bent een KANJER

Google zoekt weer als een speer !

Dank je wel !!!

Malwarebytes' Anti-Malware 1.12
Database versie: 744

Scan type: Snelle Scan
Objecten gescand: 43049
Verstreken tijd: 5 minute(s), 25 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 3
Registersleutels geïnfecteerd: 12
Registerwaarden geïnfecteerd: 3
Registerdata bestanden geïnfecteerd: 2
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 7

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
C:\WINDOWS\system32\cssachog.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\mlJBRIay.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\urqRLefF.dll (Trojan.Vundo) -> Unloaded module successfully.

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{260dcb19-8e7b-4d53-b23b-5dba56c6cace} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{260dcb19-8e7b-4d53-b23b-5dba56c6cace} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e243a8e7-6244-49e0-a361-22dbf30fd46c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e243a8e7-6244-49e0-a361-22dbf30fd46c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqrleff (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0860c769 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM0b53f4f5 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e243a8e7-6244-49e0-a361-22dbf30fd46c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mljbriay -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mljbriay -> Quarantined and deleted successfully.

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\WINDOWS\system32\cssachog.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gohcassc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJBRIay.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yaIRBJlm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yaIRBJlm.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pyjxhhil.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\urqRLefF.dll (Trojan.Vundo) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:24, on 13-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl&source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {0EBBD3C2-FCFD-46FF-BAE6-72FA961DF321} - C:\WINDOWS\system32\qoMghigg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {b59b6647-91e9-1e88-9da4-123bc0a59e99} - {99e95a0c-b321-4ad9-88e1-9e197466b95b} - C:\WINDOWS\system32\eycetjuo.dll
O2 - BHO: (no name) - {ED77D2B9-2C51-4428-AC9C-1F391101994E} - C:\WINDOWS\system32\yaywxvUm.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8123 bytes

**smeenk** · 13-05-08, 12:10

Mooi zo, maar we zijn er nog niet helemaal

Start Hijackthis en vink alleen de volgende regels aan:
O2 - BHO: (no name) - {0EBBD3C2-FCFD-46FF-BAE6-72FA961DF321} - C:\WINDOWS\system32\qoMghigg.dll (file missing)
O2 - BHO: {b59b6647-91e9-1e88-9da4-123bc0a59e99} - {99e95a0c-b321-4ad9-88e1-9e197466b95b} - C:\WINDOWS\system32\eycetjuo.dll
O2 - BHO: (no name) - {ED77D2B9-2C51-4428-AC9C-1F391101994E} - C:\WINDOWS\system32\yaywxvUm.dll (file missing)
Sluit alle openstaande vensters(behalve Hijackthis) en klik op "Fix checked".

Download: RVAXO.exe

Sla het bestand op je bureaublad op, dubbelklik het en kies voor "Unzip" om het uit te pakken.
Start de computer in veilige modus.
Open nu de map RVAXO op je bureaublad en dubbeklik RunMe.cmd
Er zal een cmd-schermpje openen, daarin zullen snel enkele regels over niet gevonden bestanden voorbijkomen, dit is normaal.
Mogelijk start er ook een uninstaller van een rogue scanner op, sluit deze niet af maar volg eventuele aanwijzingen en laat deze gewoon zijn werk doen.
Daarna zal je PC herstarten, laat hem nu weer in normale modus starten. Na de herstart opent het cmd-venster van RVAXO opnieuw.
Laat deze lopen en wacht tot er een logfile opent: C:\RVAXO-results.log
Herstart je computer niet vanzelf, of start de tool niet na de reboot, doe dit dan handmatig.
Post de inhoud van de logfile in je volgende bericht.

Post ook de inhoud van het 2e logje: C:\RVAXO-Vfind.log

**Keye** · 13-05-08, 13:03

Heb handmatig de PC en de tool moeten opstarten en kan alleen dit logje
vinden ?

---RVAXO.exe Updated: 2008-05-10---first run---
Uninstallers:
---RVAXO.exe Updated: 2008-05-10---first run---
Uninstallers:

**smeenk** · 13-05-08, 13:08

Hij loopt blijkbaar niet door?

Download dit bestand: zoek.exe
Dubbelklik het, na een tijdje opent er een logje.
Post de inhoud van dit logje in je volgende bericht

**Keye** · 13-05-08, 13:14

======C:\WINDOWS====
----a-w 0 2008-05-13 10:55:13 C:\WINDOWS\0.log
----a-w 18,656 2008-05-13 09:17:46 C:\WINDOWS\BM0b53f4f5.txt
----a-w 109,807 2008-05-13 09:07:16 C:\WINDOWS\BM0b53f4f5.xml
--s-a-w 2,048 2008-05-13 10:54:52 C:\WINDOWS\bootstat.dat
----a-w 25 2008-05-10 07:06:50 C:\WINDOWS\cdplayer.ini
----a-w 274,112 2008-05-02 06:56:26 C:\WINDOWS\comsetup.log
----a-w 93 2008-05-11 16:10:19 C:\WINDOWS\cookies.ini
----a-w 161,722 2008-03-20 17:43:28 C:\WINDOWS\DirectX.log
----a-w 94 2008-05-10 16:25:56 C:\WINDOWS\family.ini
----a-w 1,073,611 2008-05-02 06:56:26 C:\WINDOWS\FaxSetup.log
----a-w 48 2008-05-10 15:41:28 C:\WINDOWS\FileNamesinQueue.ini
---ha-w 24 2008-04-16 17:45:03 C:\WINDOWS\hpcfgjmp.zpi
----a-w 8,676 2008-05-01 07:57:53 C:\WINDOWS\IDNMitigationAPIs.log
----a-w 47,966 2008-05-01 07:59:47 C:\WINDOWS\ie7.log
----a-w 33,537 2008-05-01 08:01:16 C:\WINDOWS\ie7_main.log
----a-w 169,306 2008-05-02 06:56:27 C:\WINDOWS\iis6.log
----a-w 1,355 2008-05-01 08:01:14 C:\WINDOWS\imsins.BAK
----a-w 1,355 2008-05-02 06:56:26 C:\WINDOWS\imsins.log
----a-w 10,654 2008-05-01 07:54:36 C:\WINDOWS\KB904942.log
----a-w 4,176 2008-05-01 07:54:45 C:\WINDOWS\KB914440.log
----a-w 5,860 2008-05-01 07:56:08 C:\WINDOWS\KB915865.log
----a-w 10,857 2008-05-02 06:56:26 C:\WINDOWS\KB938127-IE7.log
----a-w 12,748 2008-04-09 11:43:32 C:\WINDOWS\KB941693.log
----a-w 13,583 2008-04-09 11:42:20 C:\WINDOWS\KB944338.log
----a-w 59,181 2008-05-01 08:00:37 C:\WINDOWS\KB944533-IE7.log
----a-w 12,019 2008-04-09 11:42:13 C:\WINDOWS\KB945553.log
----a-w 45,447 2008-05-01 08:01:14 C:\WINDOWS\KB947864-IE7.log
----a-w 21,988 2008-04-09 11:43:53 C:\WINDOWS\KB947864.log
----a-w 12,553 2008-04-09 11:43:25 C:\WINDOWS\KB948590.log
----a-w 13,415 2008-04-09 11:43:59 C:\WINDOWS\KB948881.log
----a-w 53,945 2008-05-02 06:56:26 C:\WINDOWS\msgsocm.log
----a-w 116 2008-05-12 18:42:46 C:\WINDOWS\NeroDigital.ini
----a-w 8,365 2008-05-01 07:57:05 C:\WINDOWS\NLSDownlevelMapping.log
----a-w 371 2008-03-17 17:10:21 C:\WINDOWS\nsw.log
----a-w 165,545 2008-05-02 06:56:26 C:\WINDOWS\ntdtcsetup.log
----a-w 535,275 2008-05-02 06:56:26 C:\WINDOWS\ocgen.log
----a-w 39,766 2008-05-02 06:56:26 C:\WINDOWS\ocmsn.log
----a-w 53,248 2008-05-10 14:18:26 C:\WINDOWS\PalmDevC.dll
----a-w 22 2008-05-13 09:07:12 C:\WINDOWS\pskt.ini
----a-w 0 2008-05-10 16:17:09 C:\WINDOWS\QuickInstall.INI
----a-w 0 2008-05-10 14:37:33 C:\WINDOWS\QUICKI~1.INI
----a-w 32,620 2008-05-13 10:53:57 C:\WINDOWS\SchedLgU.Txt
----a-w 196,806 2008-05-12 09:25:00 C:\WINDOWS\setupact.log
----a-w 555,688 2008-05-11 09:06:32 C:\WINDOWS\setupapi.log
----a-w 212 2008-05-01 08:58:55 C:\WINDOWS\SIERRA.INI
----a-w 37,357 2008-05-01 08:04:36 C:\WINDOWS\spupdsvc.log
----a-w 227 2008-05-13 10:46:13 C:\WINDOWS\system.ini
----a-w 154 2008-05-01 08:59:02 C:\WINDOWS\tmpcpyis.bat
----a-w 122 2008-05-01 08:59:02 C:\WINDOWS\tmpdelis.bat
----a-w 415,845 2008-05-02 06:56:26 C:\WINDOWS\tsoc.log
----a-w 120,646 2008-05-01 08:01:03 C:\WINDOWS\updspapi.log
----a-w 159 2008-05-13 10:55:11 C:\WINDOWS\wiadebug.log
----a-w 49 2008-05-13 10:55:10 C:\WINDOWS\wiaservc.log
----a-w 785 2008-05-13 10:46:13 C:\WINDOWS\win.ini
----a-w 1,741,081 2008-05-13 10:53:44 C:\WINDOWS\WindowsUpdate.log
----a-w 3,053 2008-05-13 02:26:42 C:\WINDOWS\wininit.ini
----a-w 26 2008-05-01 08:59:02 C:\WINDOWS\winstart.bat

Entries: 57 (55)
Directories: 0 Files: 57
Bytes: 6,086,399 Blocks: 11,915
======C:\WINDOWS\system32=====
----a-w 0 2008-05-13 09:11:08 C:\WINDOWS\System32\clkcnt.txt
----a-w 2,888 2008-04-16 17:05:39 C:\WINDOWS\System32\CONFIG.NT
------w 116,736 2008-05-13 09:43:24 C:\WINDOWS\System32\cssachog.dll
----a-w 133,120 2008-05-12 07:36:59 C:\WINDOWS\System32\eycetjuo.dll
---ha-w 19 2008-04-16 17:06:11 C:\WINDOWS\System32\ezirioMeD4
----a-w 202,528 2008-04-09 12:56:58 C:\WINDOWS\System32\FNTCACHE.DAT
--sha-w 226,793 2008-05-12 20:37:25 C:\WINDOWS\System32\ggihgMoq.ini
--sha-w 226,793 2008-05-12 20:36:19 C:\WINDOWS\System32\ggihgMoq.ini2
----a-w 383 2008-04-16 17:05:39 C:\WINDOWS\System32\haspdos.sys
----a-w 6,656 2008-04-16 17:05:39 C:\WINDOWS\System32\haspvdd.dll
----a-w 46 2008-05-13 02:33:28 C:\WINDOWS\System32\imon1.dat
----a-w 125,440 2008-05-11 07:32:01 C:\WINDOWS\System32\jnexbcas.dll
----a-w 143 2008-05-13 09:44:27 C:\WINDOWS\System32\mcrh.tmp
--sh--w 1,505,172 2008-05-12 04:34:41 C:\WINDOWS\System32\mfxonwqj.ini
------w 370,176 2008-05-13 09:43:25 C:\WINDOWS\System32\mlJBRIay.dll
----a-w 19,836,024 2008-04-06 05:56:20 C:\WINDOWS\System32\MRT.exe
----a-w 134,656 2008-05-11 07:41:01 C:\WINDOWS\System32\mtapegkd.dll
--sha-w 500,121 2008-05-13 02:33:16 C:\WINDOWS\System32\mUvxwyay.ini
--sha-w 500,121 2008-05-13 02:32:14 C:\WINDOWS\System32\mUvxwyay.ini2
----a-w 114,688 2008-03-20 17:42:20 C:\WINDOWS\System32\OpenAL32.dll
----a-w 72,152 2008-03-30 08:04:39 C:\WINDOWS\System32\perfc009.dat
----a-w 92,052 2008-03-30 08:04:39 C:\WINDOWS\System32\perfc013.dat
----a-w 444,528 2008-03-30 08:04:39 C:\WINDOWS\System32\perfh009.dat
----a-w 512,410 2008-03-30 08:04:39 C:\WINDOWS\System32\perfh013.dat
----a-w 1,136,134 2008-03-30 08:04:38 C:\WINDOWS\System32\PerfStringBackup.INI
------w 126,976 2008-05-13 09:43:25 C:\WINDOWS\System32\pyjxhhil.dll
----a-w 818,420 2008-05-10 10:18:24 C:\WINDOWS\System32\RVAXO.bat
------w 57,856 2008-05-13 09:43:25 C:\WINDOWS\System32\urqRLefF.dll
----a-w 1,845,376 2008-03-20 08:10:47 C:\WINDOWS\System32\win32k.sys
----a-w 13,676 2008-05-11 15:03:15 C:\WINDOWS\System32\wpa.dbl
----a-w 409,600 2008-03-20 17:42:20 C:\WINDOWS\System32\wrap_oal.dll
--sha-w 2,724 2008-05-13 09:43:42 C:\WINDOWS\System32\yaIRBJlm.ini
--sha-w 2,724 2008-05-13 09:43:53 C:\WINDOWS\System32\yaIRBJlm.ini2

Entries: 33 (25)
Directories: 0 Files: 33
Bytes: 29,537,131 Blocks: 57,700
======C:\WINDOWS\system32\drivers=====
----a-w 457,216 2008-04-16 17:05:40 C:\WINDOWS\System32\drivers\hardlock.sys
----a-w 47,616 2008-04-16 17:05:39 C:\WINDOWS\System32\drivers\Haspnt.sys
----a-w 15,864 2008-05-05 18:46:32 C:\WINDOWS\System32\drivers\mbam.sys
----a-w 27,048 2008-05-05 18:46:36 C:\WINDOWS\System32\drivers\mbamcatchme.sys

Entries: 4 (4)
Directories: 0 Files: 4
Bytes: 547,744 Blocks: 1,070
=======C:\Program Files=====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=======C:=====
--sha-r 211 2008-05-13 10:46:13 C:\boot.ini
----a-w 13,225 2008-04-19 17:23:01 C:\caisslog.txt
----a-w 127 2008-03-27 22:56:34 C:\CountCyclesWMVDecLog.txt
----a-w 51,511,296 2008-04-11 10:59:19 C:\dump_dvd.vob
--sha-w 1,610,612,736 2008-05-13 10:54:48 C:\pagefile.sys
----a-w 160 2008-05-13 10:55:14 C:\RVAXO-results.log

Entries: 6 (4)
Directories: 0 Files: 6
Bytes: 1,662,137,755 Blocks: 3,246,365
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
======C:\Temp======
----a-w 22,477 2008-05-11 10:07:38 C:\Temp\debug.txt

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 22,477 Blocks: 44
----a-w 125 2008-05-10 22:10:04 C:\Documents and Settings\Karen & Joop\default.pls
---ha-w 6,029,312 2008-05-13 10:53:54 C:\Documents and Settings\Karen & Joop\NTUSER.DAT
---ha-w 40,960 2008-05-13 11:13:37 C:\Documents and Settings\Karen & Joop\ntuser.dat.LOG
--sh--w 188 2008-05-13 10:53:54 C:\Documents and Settings\Karen & Joop\ntuser.ini

Entries: 4 (1)
Directories: 0 Files: 4
Bytes: 6,070,585 Blocks: 11,858
======C:\WINDOWS\Downloaded Program Files====
Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0
=============

**smeenk** · 13-05-08, 13:26

Open een kladblokbestand.
Kopieer onderstaande (alles wat vetgedrukt is) in dit kladblokbestand.

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
C:\WINDOWS\BM0b53f4f5.txt
C:\WINDOWS\BM0b53f4f5.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\tmpcpyis.bat
C:\WINDOWS\tmpdelis.bat
C:\WINDOWS\wininit.ini
C:\WINDOWS\System32\clkcnt.txt
C:\WINDOWS\System32\cssachog.dll
C:\WINDOWS\System32\eycetjuo.dll
C:\WINDOWS\System32\ezirioMeD4
C:\WINDOWS\System32\ggihgMoq.ini
C:\WINDOWS\System32\ggihgMoq.ini2
C:\WINDOWS\System32\jnexbcas.dll
C:\WINDOWS\System32\mcrh.tmp
C:\WINDOWS\System32\mfxonwqj.ini
C:\WINDOWS\System32\mlJBRIay.dll
C:\WINDOWS\System32\mtapegkd.dll
C:\WINDOWS\System32\mUvxwyay.ini
C:\WINDOWS\System32\mUvxwyay.ini2
C:\WINDOWS\System32\pyjxhhil.dll
C:\WINDOWS\System32\urqRLefF.dll
C:\WINDOWS\System32\yaIRBJlm.ini
C:\WINDOWS\System32\yaIRBJlm.ini2) DO (
DEL /Q %%gNUCIA
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
REN %%g *NUCIA
IF EXIST %%gNUCIA (
ECHO renamed to %%gNUCIA>>log.txt)
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Ga naar Bestand - Opslaan als.
Bij "Opslaan in" kies je: Bureaublad
Bij "Bestandsnaam" zet je: del.bat
Bij "Opslaan als type" selecteer je: Alle bestanden (*.*).
Klik op de knop Opslaan.

Dubbelklik op del.bat en post de inhoud van de logfile die opent.

**Keye** · 13-05-08, 13:30

Deleting files
C:\WINDOWS\BM0b53f4f5.txt deleted
C:\WINDOWS\BM0b53f4f5.xml deleted
C:\WINDOWS\cookies.ini deleted
C:\WINDOWS\pskt.ini deleted
C:\WINDOWS\tmpcpyis.bat deleted
C:\WINDOWS\tmpdelis.bat deleted
C:\WINDOWS\wininit.ini deleted
C:\WINDOWS\System32\clkcnt.txt deleted
C:\WINDOWS\System32\cssachog.dll deleted
C:\WINDOWS\System32\eycetjuo.dll deleted
C:\WINDOWS\System32\ezirioMeD4 deleted
C:\WINDOWS\System32\ggihgMoq.ini deleted
C:\WINDOWS\System32\ggihgMoq.ini2 deleted
C:\WINDOWS\System32\jnexbcas.dll deleted
C:\WINDOWS\System32\mcrh.tmp deleted
C:\WINDOWS\System32\mfxonwqj.ini deleted
C:\WINDOWS\System32\mlJBRIay.dll deleted
C:\WINDOWS\System32\mtapegkd.dll deleted
C:\WINDOWS\System32\mUvxwyay.ini deleted
C:\WINDOWS\System32\mUvxwyay.ini2 deleted
C:\WINDOWS\System32\pyjxhhil.dll deleted
C:\WINDOWS\System32\urqRLefF.dll deleted
C:\WINDOWS\System32\yaIRBJlm.ini deleted
C:\WINDOWS\System32\yaIRBJlm.ini2 deleted

**smeenk** · 13-05-08, 13:33

Ik denk dat we inmiddels bijna alles verwijderd hebben

Download Deckard's System Scanner naar je Bureaublad.

Sluit alle toepassingen en vensters.
Dubbelklik op dss.exe om het te activeren, en volg de aanwijzingen.
Wanneer de scan volledig is, zal een tekstbestand - main.txt - openen.
Kopiëer (Ctrl+A gevolgd door Ctrl+C) en plak (Ctrl+V) de inhoud van main.txt in je volgende antwoord.

Opmerking: Sommige firewalls kunnen waarschuwen dat sigcheck.exe probeert verbinding te maken met het internet
- zorg dat sigcheck.exe toestemming krijgt om dit te doen !
Tevens kan het gebeuren dat je Antivirus DSS als verdacht aangeeft, of zelfs probeert te verwijderen.
Laat je Antivirus dit niet verwijderen ! (In dit geval is het misschien beter om tijdens de scan van DSS je Antivirus even uit te schakelen)

**Keye** · 13-05-08, 13:46

Wat krijg ik een schone PC !

Deckard's System Scanner v20071014.68
Run by Karen & Joop on 2008-05-13 13:41:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
87: 2008-05-13 11:41:44 UTC - RP233 - Deckard's System Scanner Restore Point
86: 2008-05-12 06:49:34 UTC - RP232 - Controlepunt van systeem
85: 2008-05-11 06:04:29 UTC - RP231 - Printerstuurprogramma Adobe PDF Converter is geïnstalleerd
84: 2008-05-10 19:28:47 UTC - RP230 - Last known good configuration
83: 2008-05-10 19:28:41 UTC - RP229 - Installed Palm Desktop by ACCESS

-- First Restore Point --
1: 2008-05-10 19:28:32 UTC - RP147 - Software Distribution Service 3.0

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Karen & Joop.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:10, on 13-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Palm\Hotsync.exe
C:\Documents and Settings\Karen & Joop\Bureaublad\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Karen & Joop.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl&source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7691 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080513-123227-101 O2 - BHO: {b59b6647-91e9-1e88-9da4-123bc0a59e99} - {99e95a0c-b321-4ad9-88e1-9e197466b95b} - C:\WINDOWS\system32\eycetjuo.dll
backup-20080513-123227-184 O2 - BHO: (no name) - {0EBBD3C2-FCFD-46FF-BAE6-72FA961DF321} - C:\WINDOWS\system32\qoMghigg.dll (file missing)
backup-20080513-123227-943 O2 - BHO: (no name) - {ED77D2B9-2C51-4428-AC9C-1F391101994E} - C:\WINDOWS\system32\yaywxvUm.dll (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R0 PQV2i - c:\windows\system32\drivers\pqv2i.sys <Not Verified; StorageCraft; V2i Protector>
R1 PQIMount - c:\windows\system32\drivers\pqimount.sys <Not Verified; PowerQuest Corporation; V2i Protector>
R2 AMON - c:\windows\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
R2 hardlock - c:\windows\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 P1C1394 (Phase One 1394 Camera Driver) - c:\windows\system32\drivers\p1c1394.sys <Not Verified; Phase One A/S; Phase One digital imaging>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
R3 BlueletSCOAudio (Bluetooth SCO Audio Service) - c:\windows\system32\drivers\blueletscoaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 GMSIPCI - g:\install\gmsipci.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-13 12:44:35 16384 --a------ C:\WINDOWS\system32\Restart.exe <Not Verified; WareSoft Software; restart>
2008-05-13 12:44:35 7048 --a------ C:\WINDOWS\system32\fixp.bat
2008-05-13 12:44:34 818420 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-05-13 12:44:34 69632 --a------ C:\WINDOWS\system32\remove.exe
2008-05-13 12:16:22 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 12:15:57 0 d-------- C:\Program Files\SpywareBlaster
2008-05-13 11:30:23 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Malwarebytes
2008-05-13 11:29:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 11:29:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 11:29:09 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-12 21:23:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 18:57:19 0 d-------- C:\Program Files\Trend Micro
2008-05-12 12:00:44 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Lavasoft
2008-05-10 20:59:58 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-05-10 20:59:56 314368 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-05-10 20:59:54 0 d-------- C:\Program Files\Magic Video Converter
2008-05-10 18:26:35 0 d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-05-10 18:25:56 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\HotSync
2008-05-10 16:19:16 53248 --a------ C:\WINDOWS\PalmDevC.dll <Not Verified; PalmSource, Inc; HotSync® Manager>
2008-05-10 16:18:51 0 d-------- C:\Program Files\palmOne
2008-05-10 09:05:45 0 d-------- C:\Program Files\Common Files\Real
2008-05-10 09:05:44 0 d-------- C:\Program Files\Real
2008-05-10 09:03:09 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Real
2008-05-09 21:20:43 0 d-------- C:\Program Files\Common Files\DataViz
2008-05-09 21:20:43 0 d-------- C:\Documents and Settings\All Users\Application Data\DataViz
2008-05-09 21:20:37 0 d-------- C:\Program Files\Documents To Go
2008-05-09 21:20:06 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Leadertech
2008-05-07 17:34:05 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Canon
2008-05-07 17:26:04 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\ZoomBrowser EX
2008-05-07 17:08:44 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-07 17:04:40 0 d-------- C:\Program Files\Common Files\Canon
2008-05-05 17:53:13 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\GARMIN
2008-05-03 10:47:27 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Arcsoft
2008-05-03 10:46:37 0 d-------- C:\Program Files\Palm
2008-05-01 10:59:02 26 --a------ C:\WINDOWS\winstart.bat
2008-05-01 10:58:55 557056 --a------ C:\WINDOWS\system32\WONshell.dll <Not Verified; World Opponent Network\r\nA division of Havas Interactive; World Opponent Network WONshell>
2008-05-01 10:58:55 196608 --a------ C:\WINDOWS\system32\WONauth.dll <Not Verified; WON.net; a division of Havas Interactive; WON.net WONauth>
2008-05-01 10:58:55 233472 --a------ C:\WINDOWS\system32\SNWValid.dll <Not Verified; Havas Interactive; World Opponent Network WONplay>
2008-05-01 10:58:55 24928 --a------ C:\WINDOWS\system32\Sigres.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
2008-05-01 10:58:55 1204224 --a------ C:\WINDOWS\system32\SierraNW.dll <Not Verified; Havas Interactive; World Opponent Network WONplay>
2008-05-01 10:58:55 44544 --a------ C:\WINDOWS\system32\GIF89.DLL <Not Verified; ; Gif89 Module>
2008-05-01 10:58:55 0 d-------- C:\Program Files\Sierra On-Line
2008-05-01 10:58:52 56832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-05-01 10:58:52 144384 --a------ C:\WINDOWS\system32\Iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2008-05-01 10:57:51 0 d-------- C:\Sierra
2008-05-01 09:59:34 0 d-------- C:\WINDOWS\system32\nl-nl
2008-05-01 09:54:41 0 d-------- C:\WINDOWS\network diagnostic
2008-04-19 12:05:35 0 d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-04-19 12:05:33 0 d-------- C:\Program Files\CA
2008-04-17 10:27:17 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\IsolatedStorage
2008-04-17 10:21:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-17 10:21:20 0 d-------- C:\Program Files\Symantec
2008-04-17 10:21:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-16 19:05:40 457216 --a------ C:\WINDOWS\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
2008-04-16 19:05:39 6656 --a------ C:\WINDOWS\system32\haspvdd.dll <Not Verified; Aladdin Knowledge Systems.; Windows NT HASP Virtual Device Driver>
2008-04-16 19:05:39 383 --a------ C:\WINDOWS\system32\haspdos.sys
2008-04-16 19:05:39 47616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
2008-04-16 19:05:37 23168 --a------ C:\WINDOWS\system32\drivers\p1c1394.sys <Not Verified; Phase One A/S; Phase One digital imaging>
2008-04-16 19:05:20 0 d-------- C:\Program Files\Phase One
2008-04-16 13:00:50 0 d-------- C:\Program Files\BreezeSys
2008-04-14 20:36:38 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Opera

-- Find3M Report ---------------------------------------------------------------

2008-05-13 11:29:09 0 d-------- C:\Program Files\Common Files
2008-05-11 22:50:50 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Vso
2008-05-11 08:11:16 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\AdobeUM
2008-05-07 17:09:24 0 d-------- C:\Program Files\Canon
2008-05-03 21:57:44 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-22 12:27:12 0 d-------- C:\Program Files\Rummi
2008-04-18 09:43:57 0 d-------- C:\Program Files\Luxor Mahjong
2008-04-13 20:33:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-07 21:13:43 0 d-------- C:\Program Files\IrfanView
2008-04-07 18:50:40 0 d-------- C:\Program Files\VSO
2008-03-30 19:36:49 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Azureus
2008-03-30 17:44:03 0 d-------- C:\Program Files\BFG
2008-03-30 17:38:08 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Thinstall
2008-03-30 13:14:53 0 d-------- C:\Program Files\Azureus
2008-03-30 10:04:39 512410 --a------ C:\WINDOWS\system32\perfh013.dat
2008-03-30 10:04:39 92052 --a------ C:\WINDOWS\system32\perfc013.dat
2008-03-25 19:34:41 0 d-------- C:\Program Files\PhotoRescue Advanced PC
2008-03-24 12:11:20 0 d-------- C:\Documents and Settings\Karen & Joop\Application Data\Adobe
2008-03-20 19:45:25 0 d-------- C:\Program Files\Belastingdienst
2008-03-20 19:42:20 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-20 19:42:20 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-03-20 19:42:20 0 d-------- C:\Program Files\OpenAL
2008-02-28 14:53:11 34 --a------ C:\Documents and Settings\Karen & Joop\Application Data\pcouffin.log
2008-02-28 14:53:00 47360 --a------ C:\Documents and Settings\Karen & Joop\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-02-28 14:53:00 1144 --a------ C:\Documents and Settings\Karen & Joop\Application Data\pcouffin.inf
2008-02-28 14:53:00 7887 --a------ C:\Documents and Settings\Karen & Joop\Application Data\pcouffin.cat
2008-02-15 07:18:32 1158 --a------ C:\WINDOWS\mozver.dat
2008-02-14 16:03:15 3414150 --a------ C:\WINDOWS\system32\exec1.exe
2008-02-13 21:30:13 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-13 21:13:37 270336 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2008-02-13 20:20:53 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-02-13 20:08:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-13 15:26:08 62 --ahs---- C:\Documents and Settings\Karen & Joop\Application Data\desktop.ini
2008-02-13 14:40:43 0 -rahs---- C:\MSDOS.SYS
2008-02-13 14:40:43 0 -rahs---- C:\IO.SYS
2008-02-13 14:40:43 0 --a------ C:\CONFIG.SYS
2008-02-13 14:40:43 0 --a------ C:\AUTOEXEC.BAT
2008-02-13 14:38:30 21748 --a------ C:\WINDOWS\system32\emptyregdb.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [29-05-2003 17:28]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [30-05-2003 10:42]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [13-02-2008 21:13]
"@"=""

"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [19-04-2008 16:10]
"HotSync"="C:\Program Files\PalmSource\Desktop\HotSync.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 02:03]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Acrobat Snelle start.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Acrobat Snelle start.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Snelle start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\DataViz Inc Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Inc Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray]
"C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phase One Media Reader]
C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

-- End of Deckard's System Scanner: finished at 2008-05-13 13:43:51 ------------

**smeenk** · 13-05-08, 13:51

Doe dit nog:

Je Java software is verouderd.
Oudere versies hebben lekken die malware de kans geeft om zich te installeren op je systeem.
Doe eerst deze stappen om Java te de-installeren en de nieuwere versie te installeren:

Download Java Runtime Environment (JRE) 6u6 en bewaar het naar je Bureaublad.
Sluit alle programma's die eventueel open zijn - Zeker je web browser!
Ga dan naar Start > Configuratiescherm > Software en verwijder alle oudere versies van Java uit de Softwarelijst.
Vink alles aan met Java Runtime Environment (JRE of J2SE) in de naam.
Klik dan op Verwijderen of op de Wijzig/Verwijder knop.
Herhaal dit tot alle oudere versies verdwenen zijn.
Na het verwijderen van alle oudere versies, herstart je pc.
Dubbelklik vervolgens op jre-6u6-windows-i586-p.exe op je Bureaublad om de nieuwste versie van Java te installeren.

Download ATF cleaner (mirror)(gemaakt door Atribune)

Belangrijk: Sluit al je browservensters(IE en/of Firefox en/of Opera) om de tool goed te kunnen laten werken.

Dubbelklik op ATF cleaner om het programma te starten.
Op het tabblad "Main", plaats je een vinkje bij Select All.
Klik op de knop Empty Selected.

Het volgende doen als je ook FireFox als browser hebt:
Klik op tabblad "Firefox", plaats een vinkje bij Select All.
Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
(dit haalt het vinkje weer weg bij "Firefox saved passwords")
Klik op de knop Empty Selected.

Het volgende doen als je ook Opera als browser hebt:
Klik op tabblad "Opera", plaats een vinkje bij Select All.
Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
Klik op de knop Empty Selected.
Ga naar het tabblad "Main" en klik op de knop Exit om het programma af te sluiten.

Schakel Systeemherstel uit. Herstart de computer. Schakel Systeemherstel weer in.
Kijk hier hoe je je systeemherstel moet uitschakelen.
Hiermee verwijder je eventuele restanten van de infecties uit je systeemherstel.

Dan denk ik dat alles weer OK is.

Groeten smeenk

**Keye** · 13-05-08, 14:21

Hoi Smeenk,

Ik heb alles uitgevoerd, ben erg gelukkig
dat alles weer prima werkt en in orde is

.

Heel erg bedankt voor je tijd en moeite !!

Groetjes,
Karen

**smeenk** · 13-05-08, 15:02

Graag gedaan hoor Karen

Mededeling

Google wil niet meer zoeken

Google wil niet meer zoeken

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment