Malware defense besmetting

Will F · 13 januari 2010

Ook mijn pc is geinfecteerd met Malware Defense, ik heb MD via programma's verwijderen uit de map software verwijderd en tevens de map Malware uit de map program files verwijderd. Mijn Mc afee scanner heeft ie ook uitgeschakeld. Gaarne uw hulp; Hier mijn HJT log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 14:21:54, on 13-1-2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\Common Files\Common Toolkit Suite\FighterSuiteService.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Fighters\SPYWAREfighter\SWPROTray.exe

C:\Program Files\Fighters\VIRUSfighter\VFPROTray.exe

C:\DOCUME~1\WFV\LOCALS~1\Temp\settdebugx.exe

C:\Program Files\AVerTV USB 2.0 Plus\QuickTV.exe

C:\Program Files\Wireless\Client Manager\CMAGS.EXE

C:\DOCUME~1\WFV\LOCALS~1\Temp\wscsvc32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Alwil Software\Avast4\ashSimpl.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Laptops, Desktop Computers, Monitors, Printers & PC Accessories | Dell United Kingdom

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = nu.nl | Het laatste nieuws het eerst op nu.nl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Laptops, Desktop Computers, Monitors, Printers & PC Accessories | Dell United Kingdom

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.246.191.42:3124

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [sWPROguard] C:\Program Files\Fighters\SPYWAREfighter\SWPROTray.exe

O4 - HKLM\..\Run: [VFPROguard] C:\Program Files\Fighters\VIRUSfighter\VFPROTray.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

O4 - HKCU\..\Run: [settdebugx.exe] C:\DOCUME~1\WFV\LOCALS~1\Temp\settdebugx.exe

O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AVerTV USB 2.0 plus.lnk = C:\Program Files\AVerTV USB 2.0 Plus\QuickTV.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Wireless Client Manager.lnk = ?

O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.financetelevision.nl

O15 - Trusted Zone: www.mobile.de

O15 - Trusted Zone: Van der Hoek makelaars | Taxeurs onroerend goed

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/240ca0ec9f3be660b105/netzip/RdxIE601.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp08.photoprintit.de/microsite/2663/defaults/activex/IPSUploader.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AV Engine Scanning Service - Unknown owner - C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVScanningService.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Common Toolkit Service - SPAMfighter - C:\Program Files\Common Files\Common Toolkit Suite\FighterSuiteService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 11537 bytes

kape · 13 januari 2010

Start Hijackthis op. Ben je gebruiker van Vista kies dan voor “Run as administrator" of "Uitvoeren als administrator". Selecteer “Do a system scan only”. Selecteer alleen de items die hieronder zijn genoemd:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.246.191.42:3124

O4 - HKCU\..\Run: [settdebugx.exe] C:\DOCUME~1\WFV\LOCALS~1\Temp\settdebugx.exe

O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" –noscan

O4 - Global Startup: Wireless Client Manager.lnk = ?

O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

Klik op 'Fix checked' om de items te verwijderen.

Download MBAM (Malwarebytes' Anti-Malware).

Dubbelklik op mbam-setup.exe om het programma te installeren.

Zorg ervoor dat er een vinkje geplaatst is voor Update Malwarebytes' Anti-Malware en Start Malwarebytes' Anti-Malware, Klik daarna op "Voltooien".

Indien een update gevonden werd, zal die gedownload en geïnstalleerd worden.

Wanneer het programma volledig up to date is, selecteer dan in het tabblad Scanner : "Snelle Scan", daarna klik op Scan.

Het scannen kan een tijdje duren, dus wees geduldig.

Wanneer de scan voltooid is, klik op OK, daarna "Bekijk Resultaten" om de resultaten te zien.

Zorg ervoor dat daar alles aangevinkt is, daarna klik op: Verwijder geselecteerde.

Na het verwijderen zal een log openen en zal er gevraagd worden om de computer opnieuw op te starten. (Zie verder).

Indien er de rootkit (TDSS) aanwezig is, zal MBAM vragen te herstarten. Doe dit dan ook.

MBAM zal na de herstart opnieuw scannen en de rootkit verwijderen.

Het log wordt automatisch bewaard door MBAM en kan je terugvinden door op de "Logs" tab te klikken in het programma.

Indien MBAM moeilijkheden heeft met het verwijderen van bepaalde bestanden zal het enkele meldingen geven waar je OK moet klikken. Daarna zal het vragen om de computer opnieuw op te starten... dus sta toe dat MBAM de computer opnieuw opstart.

Plak de inhoud van het logje in je volgende bericht, samen met een nieuw HijackThis log.

Will F · 13 januari 2010

Dank je Kape voor je reactie. MBAM kreeg ik niet geïnstalleerd, dus heb ik Combofix geprobeerd zoals je hier http://www.pc-helpforum.be/f163/malware-defense-20761/ adviseerde. Het enige dat niet lukte was het volledig uitschakelen van Mc Afee alvorens combofix te starten. Ik vond geen bestanden van McAfee in windowstaakbeheer en ook stond er niets meer in onderin de taskbar. Via HJT nogwel wat mcafee bestanden verwijderd. Maargoed hieronder de 2 logjes; mijn pc loopt al stukken beter! Hoe nu verder?

ComboFix 10-01-13.06 - WFV 13-01-2010 21:36:50.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2046.1459 [GMT 1:00]

Gestart vanuit: c:\documents and settings\WFV\Bureaublad\scan.exe

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: VIRUSfighter *On-access scanning disabled* (Outdated) {F16C9013-991A-461a-A680-841CCEE65E7D}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Aanwezig AV is actief

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Downloaded Program Files\RdxIE.dll

c:\windows\system32\~.exe

c:\windows\system32\drivers\H8SRTfaqjkwnsqt.sys

c:\windows\system32\H8SRThbbgnvpxmy.dll

c:\windows\system32\h8srtkrl32mainweq.dll

c:\windows\system32\H8SRTnkdwkmppad.dat

c:\windows\system32\H8SRTqqxedrqhsf.dll

c:\windows\system32\H8SRTrsiomyrsrq.dll

c:\windows\system32\h8srtshsyst.dll

c:\windows\system32\H8SRTyxjkoltyvi.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_H8SRTd.sys

-------\Legacy_H8SRTd.sys

(((((((((((((((((((( Bestanden Gemaakt van 2009-12-13 to 2010-01-13 ))))))))))))))))))))))))))))))

.

2010-01-13 11:48 . 2009-11-21 16:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-01-10 15:02 . 2010-01-10 15:02 -------- d-----w- c:\program files\TrendMicro

2010-01-10 14:10 . 2010-01-10 14:13 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{5163CD15-ECCB-48A1-8C5C-22A36002B9DB}

2010-01-10 14:08 . 2010-01-10 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\clp

2010-01-10 14:07 . 2010-01-10 14:07 -------- d-----w- c:\documents and settings\WFV\Application Data\Common Toolkit Suite

2010-01-10 14:07 . 2010-01-10 14:12 -------- d-----w- c:\program files\Fighters

2010-01-10 14:07 . 2010-01-13 20:36 -------- d-----w- c:\program files\Common Files\Common Toolkit Suite

2010-01-10 14:07 . 2010-01-10 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Toolkit Suite

2010-01-10 14:04 . 2010-01-10 14:07 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7516B6E8-5C01-4895-B079-DFC32A4ADEE1}

2010-01-10 14:03 . 2010-01-10 14:03 -------- d-----w- c:\documents and settings\WFV\Application Data\Fighters

2010-01-10 14:03 . 2010-01-10 14:03 -------- d-----w- c:\documents and settings\WFV\Local Settings\Application Data\PackageAware

2010-01-09 22:37 . 2010-01-09 22:37 -------- d-----w- c:\documents and settings\WFV\Local Settings\Application Data\Threat Expert

2010-01-09 22:37 . 2009-11-10 09:28 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-01-09 22:37 . 2009-11-10 09:26 767952 ----a-w- c:\windows\BDTSupport.dll

2010-01-09 22:37 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip

2010-01-09 22:37 . 2009-10-28 00:36 1152444 ----a-w- c:\windows\UDB.zip

2010-01-09 22:37 . 2009-11-10 09:28 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-01-09 22:37 . 2009-11-10 09:28 1640400 ----a-w- c:\windows\PCTBDCore.dll

2010-01-09 22:36 . 2009-10-30 10:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-01-09 22:35 . 2009-11-09 10:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-01-09 22:35 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-01-09 22:35 . 2009-09-03 08:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-01-09 22:35 . 2010-01-09 22:35 -------- d-----w- c:\program files\Common Files\PC Tools

2010-01-09 22:35 . 2010-01-09 22:35 -------- d-----w- c:\documents and settings\WFV\Application Data\PC Tools

2010-01-09 22:35 . 2010-01-09 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-01-09 22:35 . 2010-01-13 21:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-09 21:40 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-01-09 21:40 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-01-09 21:40 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-01-09 21:40 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr

2010-01-09 21:40 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-01-09 21:40 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-01-09 21:40 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-01-09 21:40 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-01-09 21:39 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-13 19:57 . 2005-11-08 11:17 -------- d-----w- c:\program files\Spyware Doctor

2010-01-09 21:43 . 2004-10-23 14:08 -------- d-----w- c:\program files\Common Files\Adobe

2010-01-09 21:22 . 2009-12-04 20:07 -------- d-----w- c:\program files\Common Files\McAfee

2010-01-09 20:56 . 2009-12-04 20:06 -------- d-----w- c:\program files\McAfee

2010-01-09 20:56 . 2009-11-22 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-01-04 19:32 . 2007-12-10 21:00 -------- d-----w- c:\documents and settings\WFV\Application Data\ZoomBrowser EX

2010-01-04 19:32 . 2007-12-10 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2009-12-11 12:34 . 2009-12-11 12:34 10264 ----a-w- c:\windows\system32\drivers\avfsfilter.sys

2009-12-09 11:11 . 2004-03-26 13:18 54350 ----a-w- c:\windows\system32\PERFC013.DAT

2009-12-09 11:11 . 2004-03-26 13:18 365848 ----a-w- c:\windows\system32\PERFH013.DAT

2009-12-08 13:07 . 2005-01-27 20:59 46280 ----a-w- c:\documents and settings\WFV\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-04 20:13 . 2009-12-04 20:13 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-12-04 20:09 . 2009-12-04 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-12-04 20:07 . 2009-12-04 20:07 -------- d-----w- c:\program files\McAfee.com

2009-11-22 18:50 . 2005-11-08 11:16 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-22 18:50 . 2005-11-08 11:15 -------- d-----w- c:\program files\Eset

2009-11-22 14:30 . 2005-11-08 11:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-11-21 16:03 . 2004-03-26 20:31 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-04 15:54 . 2009-12-04 20:07 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-11-04 15:54 . 2009-12-04 20:07 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-11-04 15:54 . 2009-12-04 20:07 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-11-04 15:54 . 2009-11-04 15:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-11-04 15:53 . 2009-12-04 20:04 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-10-29 07:44 . 2004-11-11 18:53 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:40 . 2004-08-04 08:03 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:40 . 2004-08-04 08:03 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 335872]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-27 61440]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"SWPROguard"="c:\program files\Fighters\SPYWAREfighter\SWPROTray.exe" [2009-12-11 574088]

"VFPROguard"="c:\program files\Fighters\VIRUSfighter\VFPROTray.exe" [2009-12-11 672392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

AVerTV USB 2.0 plus.lnk - c:\program files\AVerTV USB 2.0 Plus\QuickTV.exe [2004-7-23 253952]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [9-1-2010 23:35 207792]

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [9-1-2010 22:40 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [9-1-2010 22:40 20560]

R2 AV Engine Scanning Service;AV Engine Scanning Service;c:\program files\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe [11-12-2009 13:34 661888]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [9-1-2010 23:37 112592]

R2 Common Toolkit Service;Common Toolkit Service;c:\program files\Common Files\Common Toolkit Suite\FighterSuiteService.exe [11-12-2009 13:44 676488]

S3 AVFSFilter;AVFSFilter;c:\windows\SYSTEM32\DRIVERS\avfsfilter.sys [11-12-2009 13:34 10264]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9-1-2010 23:35 359624]

S3 StkMini;AVerTV USB 2.0 Plus Video Capture;c:\windows\SYSTEM32\DRIVERS\StkMini.sys [6-8-2004 14:47 170240]

S3 wlags51b;Wireless LAN USB Driver;c:\windows\SYSTEM32\DRIVERS\wlags51b.sys [17-10-2004 20:25 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Inhoud van de 'Gedeelde Taken' map

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 10:34]

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.nu.nl/

uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/

uInternet Settings,ProxyOverride = *.local

Trusted Zone: alex.nl\www.login

Trusted Zone: financetelevision.nl \www

Trusted Zone: mobile.de\www

Trusted Zone: vanderhoekmakelaars.nl\www

DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp08.photoprintit.de/microsite/2663/defaults/activex/IPSUploader.cab

FF - ProfilePath - c:\documents and settings\WFV\Application Data\Mozilla\Firefox\Profiles\l3pbc6ws.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.telegraaf.nl/dft/

FF - plugin: c:\documents and settings\WFV\Application Data\Mozilla\Firefox\Profiles\l3pbc6ws.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - plugin: c:\documents and settings\WFV\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

.

- - - - ORPHANS VERWIJDERD - - - -

HKCU-Run-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe

SafeBoot-MCODS

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-01-13 22:03

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AV Engine Scanning Service]

"ImagePath"="C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVScanningService.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AV Engine Scanning Service]

"ImagePath"="C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVScanningService.exe"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(1788)

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\Intel Application Accelerator\iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\progra~1\McAfee\MSM\McSmtFwk.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Voltooingstijd: 2010-01-13 22:15:57 - machine werd herstart

ComboFix-quarantined-files.txt 2010-01-13 21:15

Pre-Run: 37.171.941.376 bytes beschikbaar

Post-Run: 39.883.718.656 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - B1CD6AEBA732F46FD1870BEC2CD84EC7

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 22:28:41, on 13-1-2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\Common Files\Common Toolkit Suite\FighterSuiteService.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Fighters\SPYWAREfighter\SWPROTray.exe

C:\Program Files\Fighters\VIRUSfighter\VFPROTray.exe

C:\Program Files\AVerTV USB 2.0 Plus\QuickTV.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe