Posted:

Every time I start up I get an error message about sw24.exe.

Here is my log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:53:06, on 27-3-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\WINDOWS\system32\winsys2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sW20] C:\WINDOWS\system32\sw20.exe

O4 - HKLM\..\Run: [sW24] C:\WINDOWS\system32\sw24.exe

O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [bM33a488e7] Rundll32.exe "C:\WINDOWS\system32\xntjnbii.dll",s

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206556990062

O20 - Winlogon Notify: vtutqrq - vtutqrq.dll (file missing)

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 5266 bytes
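The triage a helper does by eye on a HijackThis log can be written down as a few checks. The script below is an added example (not HijackThis, ComboFix or the forum's own tooling) that classifies O4 and O20 lines like the ones in the log above: an O20 Winlogon Notify entry whose DLL is missing, a rundll32 entry that loads a DLL under a hex-like value name, and an executable started straight from system32 that is not a known Windows component. The sample lines are constructed from this log, and the KNOWN_SYSTEM32 allowlist is a deliberately tiny assumption for the demo.

```python
"""Triage of HijackThis O4/O20 startup entries (added example, not the forum's own tooling)."""
import ntpath
import re

# Constructed sample lines, modelled on the HijackThis log posted above (not the full log).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [sW24] C:\WINDOWS\system32\sw24.exe',
    r'O4 - HKLM\..\Run: [bM33a488e7] Rundll32.exe "C:\WINDOWS\system32\xntjnbii.dll",s',
    r'O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe',
    r'O20 - Winlogon Notify: vtutqrq - vtutqrq.dll (file missing)',
]

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?')
# Value names such as "bM33a488e7": up to three letters followed by a run of hex digits.
HEXISH_NAME = re.compile(r'(?=.*\d)[A-Za-z]{0,3}[0-9A-Fa-f]{6,}')
# Assumption: a deliberately tiny allowlist of Windows components that legitimately start from system32.
KNOWN_SYSTEM32 = {'ctfmon.exe'}


def first_exe(cmd):
    """Split a Run value into (executable, remaining arguments), honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(' ')
    return head, tail


def triage(line):
    """Return (severity, reason) for one O4 or O20 line; ('SKIP', ...) for anything else."""
    m = O20_RE.match(line)
    if m:
        if m.group('missing'):
            return 'HIGH', 'orphaned Winlogon Notify entry: the DLL no longer exists'
        return 'REVIEW', 'Winlogon Notify DLL is loaded into winlogon at every logon'
    m = O4_RE.match(line)
    if not m:
        return 'SKIP', 'not an O4/O20 entry'
    name, cmd = m.group('name'), m.group('cmd')
    exe, args = first_exe(cmd)
    base = ntpath.basename(exe).lower()
    if base == 'rundll32.exe':
        # rundll32 hides the real payload in its argument: "<dll>,<entry point>".
        dll = ntpath.basename(args.split(',', 1)[0].strip().strip('"'))
        if HEXISH_NAME.fullmatch(name):
            return 'HIGH', f'rundll32 loads {dll} under a hex-like value name'
        return 'REVIEW', f'rundll32 loads {dll}; confirm the DLL publisher'
    folder = ntpath.dirname(exe).lower()
    if folder.endswith('\\system32'):
        if base in KNOWN_SYSTEM32:
            return 'LOW', f'{base} is a known Windows component'
        return 'REVIEW', f'{base} runs straight from system32 and is not a known component'
    return 'LOW', f'{base} runs from its own program folder'


def triage_log(lines):
    """Map every O4/O20 line to its (severity, reason); other lines are left out."""
    return {line: triage(line) for line in lines if triage(line)[0] != 'SKIP'}


if __name__ == '__main__':
    for line, (sev, why) in triage_log(SAMPLE_LINES).items():
        print(f'{sev:6} {why}\n       {line}')
```

A REVIEW result is a question, not a verdict: sw24.exe lands there precisely because, as the thread goes on to show, a bare system32 executable with no vendor folder cannot be judged from the path alone and needs its publisher or hash checked.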

Posted:

sw24.exe normally belongs to an MGI graphics card, but it can also be an infection if you don't have that kind of card.

Download Combofix and save it to your Desktop.

Double-click Combofix.exe and follow the instructions; accept the disclaimer by typing y. While the fix is running, do NOT click in the window, as that will make your PC hang.

When the fix has finished and after the restart, the log combofix.txt will open.

NOTE: If your virus scanner reacts with a message about a script being executed, you must allow it.

Attach your Combofix log to your next post.

Posted:

Here is my log.

ComboFix 08-03-26.3 - Geoffrey 2008-03-27 20:00:50.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1614 [GMT 1:00]

Gestart vanuit: C:\Documents and Settings\Geoffrey\Bureaublad\ComboFix.exe

* Nieuw herstelpunt werd aangemaakt

* Resident AV is active

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\BM33a488e7.xml

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\qtvwa.ini2

C:\WINDOWS\system32\xntjnbii.dll

.

(((((((((((((((((((( Bestanden Gemaakt van 2008-02-27 to 2008-03-27 ))))))))))))))))))))))))))))))

.

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> dr-h----- C:\Documents and Settings\LocalService\Onlangs geopend

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> dr------- C:\Documents and Settings\LocalService\Mijn documenten

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> d-------- C:\Documents and Settings\LocalService\Bureaublad

2008-03-27 14:31 . 2008-03-27 14:31 1,583,561 ---hs---- C:\WINDOWS\system32\opppoqhj.ini

2008-03-27 13:50 . 2002-07-08 00:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm

2008-03-27 13:50 . 2006-06-20 10:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll

2008-03-27 13:48 . 2008-03-27 13:48 <DIR> d-------- C:\Program Files\Steinberg

2008-03-27 13:48 . 2008-03-27 13:50 <DIR> d-------- C:\Program Files\Image-Line

2008-03-27 13:48 . 2003-06-20 13:28 1,777,664 --a------ C:\WINDOWS\system32\gdiplus.dll

2008-03-27 13:44 . 2008-03-27 18:38 116 --a------ C:\WINDOWS\NeroDigital.ini

2008-03-27 13:24 . 2008-03-27 17:59 <DIR> d-------- C:\Documents and Settings\Geoffrey\Application Data\Ahead

2008-03-27 13:07 . 2008-03-27 13:07 <DIR> d-------- C:\Program Files\Nero

2008-03-27 13:07 . 2008-03-27 13:12 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-03-27 12:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-03-27 12:58 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-03-27 09:47 . 2008-03-27 13:13 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-03-27 09:47 . 2008-03-27 09:47 <DIR> d-------- C:\Documents and Settings\Geoffrey\Application Data\PC Tools

2008-03-27 09:47 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-03-27 09:47 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-03-27 09:47 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-03-27 09:47 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-03-27 09:29 . 2008-03-27 09:46 <DIR> d-------- C:\Documents and Settings\Geoffrey\Contacts

2008-03-26 21:43 . 2008-03-26 21:43 268 --ah----- C:\sqmdata02.sqm

2008-03-26 21:43 . 2008-03-26 21:43 244 --ah----- C:\sqmnoopt02.sqm

2008-03-26 20:47 . 2008-03-26 20:47 268 --ah----- C:\sqmdata01.sqm

2008-03-26 20:47 . 2008-03-26 20:47 244 --ah----- C:\sqmnoopt01.sqm

2008-03-26 19:30 . 2008-03-26 19:30 268 --ah----- C:\sqmdata00.sqm

2008-03-26 19:30 . 2008-03-26 19:30 244 --ah----- C:\sqmnoopt00.sqm

2008-03-26 19:16 . 2008-03-26 19:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller

2008-03-26 19:15 . 2008-03-26 19:20 <DIR> d-------- C:\Program Files\Windows Live

2008-03-26 19:15 . 2008-03-26 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-03-26 19:12 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll

2008-03-26 19:02 . 2008-03-26 19:02 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire

2008-03-26 18:59 . 2008-03-26 18:59 <DIR> d--hs---- C:\WINDOWS\ftpcache

2008-03-26 18:51 . 2008-03-26 18:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2008-03-26 18:51 . 2008-03-27 17:42 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2008-03-26 18:51 . 2008-03-26 20:51 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2008-03-26 18:51 . 2008-03-27 17:42 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-03-26 18:51 . 2008-03-26 18:51 22,328 --a------ C:\Documents and Settings\Geoffrey\Application Data\PnkBstrK.sys

2008-03-26 18:51 . 2008-03-26 18:51 319 --a------ C:\WINDOWS\game.ini

2008-03-26 18:47 . 2008-03-26 18:47 <DIR> d-------- C:\Program Files\Activision

2008-03-26 18:32 . 2008-03-26 18:32 <DIR> d-------- C:\Program Files\Trend Micro

2008-03-26 18:25 . 2008-03-26 18:25 32,764 --a------ C:\WINDOWS\17PHolmes572.exe

2008-03-26 18:20 . 2008-03-26 18:20 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

2008-03-26 18:20 . 2008-03-27 20:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-03-26 18:15 . 2008-03-26 18:17 <DIR> d-------- C:\Program Files\Xfire

2008-03-26 18:15 . 2008-03-26 18:17 <DIR> d-------- C:\Documents and Settings\Geoffrey\Application Data\Xfire

2008-03-26 18:01 . 2004-08-04 01:54 57,856 --a------ C:\WINDOWS\system32\drivers\redbook.sys

2008-03-26 18:01 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys

2008-03-14 00:05 . 2008-03-14 00:05 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

2008-03-13 20:20 . 2008-03-13 20:20 204,800 --a------ C:\WINDOWS\TinyBHO.dll

2008-03-01 04:56 . 2008-03-01 04:56 71,176 --a------ C:\WINDOWS\system32\drivers\epfw.sys

2008-03-01 04:56 . 2008-03-01 04:56 54,280 --a------ C:\WINDOWS\system32\drivers\epfwtdi.sys

2008-03-01 04:56 . 2008-03-01 04:56 30,728 --a------ C:\WINDOWS\system32\drivers\epfwndis.sys

2008-03-01 04:53 . 2008-03-01 04:53 29,704 --a------ C:\WINDOWS\system32\drivers\easdrv.sys

2008-03-01 04:52 . 2008-03-01 04:52 39,944 --a------ C:\WINDOWS\system32\drivers\eamon.sys

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-26 17:51 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-26 16:37 --------- d-----w C:\Documents and Settings\Geoffrey\Application Data\ESET

2008-03-26 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET

2008-03-26 16:36 --------- d-----w C:\Program Files\ESET

2008-03-26 16:31 315,392 ----a-w C:\WINDOWS\HideWin.exe

2008-03-26 16:31 --------- d-----w C:\Program Files\Realtek

2008-03-26 16:30 --------- d-----w C:\Documents and Settings\Geoffrey\Application Data\InstallShield

2008-03-26 16:29 --------- d-----w C:\Program Files\DIFX

2008-03-26 16:27 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-03-26 16:13 --------- d-----w C:\Program Files\microsoft frontpage

2008-03-05 15:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll

2008-03-05 15:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll

2008-03-05 15:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll

2008-03-05 14:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll

2008-03-05 14:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll

2008-02-05 22:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 11:54 16116224 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-03-01 04:54 1443072]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]

"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]

"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-12-15 03:58 208896]

"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-12-15 03:58 69632]

"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2006-12-15 03:59 217088]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]

"NWEReboot"="" []

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutqrq]

vtutqrq.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"C:\\Program Files\\Xfire\\xfire.exe"=

S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-27 20:03:54

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\wdfmgr.exe

.

**************************************************************************

.

Voltooingstijd: 2008-03-27 20:04:45 - machine was rebooted

ComboFix-quarantined-files.txt 2008-03-27 19:04:42

Pre-Run: 130,414,055,424 bytes beschikbaar

Post-Run: 130,367,037,440 bytes beschikbaar

.

2008-03-27 12:42:34 --- E O F ---
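The created-files section of a ComboFix log is what a helper scans to decide which files go into a CFScript File:: section. The script below is an added example, not ComboFix's or the forum's own code, that parses listing lines of the form shown above and flags three things a defender looks for: files carrying hidden+system attributes, hidden files sitting in the drive root, and executables dropped directly into C:\WINDOWS rather than a subfolder. It then renders the flagged paths in the File:: format used in this thread. The sample listing is a constructed subset of the log above; the heuristics and the EXEC_EXT set are assumptions for the demo.

```python
"""Triage of a ComboFix created-files listing (added example, not ComboFix's own code)."""
import ntpath
import re

# Constructed sample modelled on the "Bestanden Gemaakt" section of the ComboFix log above (a subset).
SAMPLE_CREATED = r"""
2008-03-27 17:45 . 2008-03-27 17:45 <DIR> d-------- C:\Documents and Settings\LocalService\Bureaublad
2008-03-27 14:31 . 2008-03-27 14:31 1,583,561 ---hs---- C:\WINDOWS\system32\opppoqhj.ini
2008-03-27 13:50 . 2002-07-08 00:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-03-26 21:43 . 2008-03-26 21:43 268 --ah----- C:\sqmdata02.sqm
2008-03-26 18:25 . 2008-03-26 18:25 32,764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-03-13 20:20 . 2008-03-13 20:20 204,800 --a------ C:\WINDOWS\TinyBHO.dll
2008-03-01 04:56 . 2008-03-01 04:56 71,176 --a------ C:\WINDOWS\system32\drivers\epfw.sys
"""

# created . modified size attributes path
ENTRY_RE = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) '
    r'(?P<size><DIR>|[\d,]+) (?P<attrs>[\w-]{9}) (?P<path>.+)$')
# Assumption: extensions treated as executable content for the "dropped in C:\WINDOWS" check.
EXEC_EXT = {'.exe', '.dll', '.sys', '.scr', '.cpl'}


def parse_entries(text):
    """Yield one dict per listing line; blank or unrelated lines are ignored."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e['is_dir'] = e['size'] == '<DIR>'
            e['size'] = 0 if e['is_dir'] else int(e['size'].replace(',', ''))
            yield e


def reasons(e):
    """Defender-side heuristics for one entry; an empty list means nothing stood out."""
    out = []
    if e['is_dir']:
        return out
    folder = ntpath.dirname(e['path']).lower()
    ext = ntpath.splitext(e['path'])[1].lower()
    if 'h' in e['attrs'] and 's' in e['attrs']:
        out.append('file carries hidden+system attributes')
    elif 'h' in e['attrs'] and folder.rstrip('\\').endswith(':'):
        out.append('hidden file in the drive root')
    if folder == r'c:\windows' and ext in EXEC_EXT:
        out.append('executable dropped directly in the Windows folder')
    return out


def triage_created(text):
    """Return [(path, [reasons])] for entries worth a closer look, in listing order."""
    flagged = []
    for e in parse_entries(text):
        why = reasons(e)
        if why:
            flagged.append((e['path'], why))
    return flagged


def cfscript_file_section(paths):
    """Render paths as the File:: section of a ComboFix CFScript, as used in this thread."""
    return 'File::\n' + '\n'.join(paths) + '\n'


if __name__ == '__main__':
    hits = triage_created(SAMPLE_CREATED)
    for path, why in hits:
        print(path, '->', '; '.join(why))
    print(cfscript_file_section([p for p, _ in hits]))
```

The listing alone cannot prove a file is malicious (the .sqm files it flags are hidden telemetry files, for instance), so the generated File:: section is a starting point for the helper's judgement, not a replacement for it.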

Posted:

Open a Notepad file.

Copy and paste the bold text below into it.

File::

C:\WINDOWS\system32\opppoqhj.ini

C:\sqmdata02.sqm

C:\sqmnoopt02.sqm

C:\sqmdata01.sqm

C:\sqmnoopt01.sqm

C:\sqmdata00.sqm

C:\sqmnoopt00.sqm

C:\WINDOWS\17PHolmes572.exe

C:\WINDOWS\TinyBHO.dll

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutqrq]

Save this file to your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe.

This will make ComboFix restart. Reboot if you are asked to.

After the restart, post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Posted:

ComboFix 08-03-26.3 - Geoffrey 2008-03-28 8:34:51.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1624 [GMT 1:00]

Gestart vanuit: C:\Documents and Settings\Geoffrey\Bureaublad\ComboFix.exe

Command switches used :: C:\Documents and Settings\Geoffrey\Bureaublad\CFScript.txt

* Nieuw herstelpunt werd aangemaakt

* Resident AV is active

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::

C:\sqmdata00.sqm

C:\sqmdata01.sqm

C:\sqmdata02.sqm

C:\sqmnoopt00.sqm

C:\sqmnoopt01.sqm

C:\sqmnoopt02.sqm

C:\WINDOWS\17PHolmes572.exe

C:\WINDOWS\system32\opppoqhj.ini

C:\WINDOWS\TinyBHO.dll

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\sqmdata00.sqm

C:\sqmdata01.sqm

C:\sqmdata02.sqm

C:\sqmnoopt00.sqm

C:\sqmnoopt01.sqm

C:\sqmnoopt02.sqm

C:\WINDOWS\17PHolmes572.exe

C:\WINDOWS\system32\opppoqhj.ini

C:\WINDOWS\TinyBHO.dll

.

(((((((((((((((((((( Bestanden Gemaakt van 2008-02-28 to 2008-03-28 ))))))))))))))))))))))))))))))

.

2008-03-27 21:04 . 2008-03-27 21:03 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2008-03-27 21:04 . 2008-03-27 21:03 298,104 --a------ C:\WINDOWS\system32\imon.dll

2008-03-27 21:04 . 2008-03-27 21:03 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2008-03-27 20:57 . 2008-03-27 21:31 <DIR> d-------- C:\Program Files\ESET

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> dr-h----- C:\Documents and Settings\LocalService\Onlangs geopend

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> dr------- C:\Documents and Settings\LocalService\Mijn documenten

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> d-------- C:\Documents and Settings\LocalService\Bureaublad

2008-03-27 13:50 . 2002-07-08 00:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm

2008-03-27 13:50 . 2006-06-20 10:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll

2008-03-27 13:48 . 2008-03-27 13:48 <DIR> d-------- C:\Program Files\Steinberg

2008-03-27 13:48 . 2008-03-27 13:50 <DIR> d-------- C:\Program Files\Image-Line

2008-03-27 13:48 . 2003-06-20 13:28 1,777,664 --a------ C:\WINDOWS\system32\gdiplus.dll

2008-03-27 13:44 . 2008-03-27 18:38 116 --a------ C:\WINDOWS\NeroDigital.ini

2008-03-27 13:24 . 2008-03-27 17:59 <DIR> d-------- C:\Documents and Settings\Geoffrey\Application Data\Ahead

2008-03-27 13:07 . 2008-03-27 13:07 <DIR> d-------- C:\Program Files\Nero

2008-03-27 13:07 . 2008-03-27 13:12 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-03-27 12:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-03-27 12:58 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-03-27 09:47 . 2008-03-27 13:13 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-03-27 09:47 . 2008-03-27 09:47 <DIR> d-------- C:\Documents and Settings\Geoffrey\Application Data\PC Tools

2008-03-27 09:47 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-03-27 09:47 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-03-27 09:47 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-03-27 09:47 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-03-27 09:29 . 2008-03-27 09:46 <DIR> d-------- C:\Documents and Settings\Geoffrey\Contacts

2008-03-26 19:16 . 2008-03-26 19:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller

2008-03-26 19:15 . 2008-03-26 19:20 <DIR> d-------- C:\Program Files\Windows Live

2008-03-26 19:15 . 2008-03-26 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-03-26 19:12 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll

2008-03-26 19:02 . 2008-03-26 19:02 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire

2008-03-26 18:59 . 2008-03-26 18:59 <DIR> d--hs---- C:\WINDOWS\ftpcache

2008-03-26 18:51 . 2008-03-26 18:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2008-03-26 18:51 . 2008-03-27 21:37 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2008-03-26 18:51 . 2008-03-26 20:51 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2008-03-26 18:51 . 2008-03-27 21:38 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-03-26 18:51 . 2008-03-26 18:51 22,328 --a------ C:\Documents and Settings\Geoffrey\Application Data\PnkBstrK.sys

2008-03-26 18:51 . 2008-03-26 18:51 319 --a------ C:\WINDOWS\game.ini

2008-03-26 18:47 . 2008-03-26 18:47 <DIR> d-------- C:\Program Files\Activision

2008-03-26 18:32 . 2008-03-26 18:32 <DIR> d-------- C:\Program Files\Trend Micro

2008-03-26 18:20 . 2008-03-26 18:20 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

2008-03-26 18:20 . 2008-03-28 08:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-03-26 18:15 . 2008-03-26 18:17 <DIR> d-------- C:\Program Files\Xfire

2008-03-26 18:15 . 2008-03-26 18:17 <DIR> d-------- C:\Documents and Settings\Geoffrey\Application Data\Xfire

2008-03-26 18:01 . 2004-08-04 01:54 57,856 --a------ C:\WINDOWS\system32\drivers\redbook.sys

2008-03-26 18:01 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys

2008-03-14 00:05 . 2008-03-14 00:05 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-26 17:51 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-26 16:37 --------- d-----w C:\Documents and Settings\Geoffrey\Application Data\ESET

2008-03-26 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET

2008-03-26 16:31 315,392 ----a-w C:\WINDOWS\HideWin.exe

2008-03-26 16:31 --------- d-----w C:\Program Files\Realtek

2008-03-26 16:30 --------- d-----w C:\Documents and Settings\Geoffrey\Application Data\InstallShield

2008-03-26 16:29 --------- d-----w C:\Program Files\DIFX

2008-03-26 16:27 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-03-26 16:13 --------- d-----w C:\Program Files\microsoft frontpage

2008-03-05 15:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll

2008-03-05 15:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll

2008-03-05 15:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll

2008-03-05 14:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll

2008-03-05 14:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll

2008-02-05 22:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 11:54 16116224 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]

"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]

"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-12-15 03:58 208896]

"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-12-15 03:58 69632]

"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2006-12-15 03:59 217088]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]

"NWEReboot"="" []

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-27 21:03 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutqrq]

vtutqrq.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"C:\\Program Files\\Xfire\\xfire.exe"=

S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-28 08:35:44

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe

-> C:\Program Files\Eset\pr_imon.dll

.

Voltooingstijd: 2008-03-28 8:36:03

ComboFix-quarantined-files.txt 2008-03-28 07:35:55

ComboFix2.txt 2008-03-27 19:04:45

Pre-Run: 130,347,724,800 bytes beschikbaar

Post-Run: 130,335,363,072 bytes beschikbaar

.

2008-03-27 12:42:34 --- E O F ---

My Spyware Doctor did report a trojan while ComboFix was running, and also a virus.

Posted:

Because it is not entirely clear whether these files

sw20.exe

sw24.exe

are legitimate or not, we're going to use a little trick.

Make a folder on your desktop (call it SW, for example).

Rename the files

C:\WINDOWS\system32\sw20.exe -> to C:\WINDOWS\system32\sw20.old

C:\WINDOWS\system32\sw24.exe -> to C:\WINDOWS\system32\sw24.old

and move both of them to the SW folder on your desktop.

Open a Notepad file.

Copy and paste the bold text below into it.

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SW20"="C:\WINDOWS\system32\sw20.exe"

"SW24"="C:\WINDOWS\system32\sw24.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutqrq]

Save this file to your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe.

This will make ComboFix restart. Reboot if you are asked to.

Download SDFix to your desktop.

Double-click SDFix.exe and choose Install to extract the tool into its own folder on your desktop.

Then restart your PC in Safe Mode.

In Safe Mode, open the SDFix folder on your desktop and double-click RunThis.bat to start the tool.

Type Y to start the clean process.

It removes all Trojan services or registry entries related to this infection; when the tool is done it will tell you to press any key to restart your PC, so do that too.

When the PC restarts the tool will run again, finish the clean-up process and show you the message Finished; then press any key to end the script and your desktop will appear.

When your desktop icons appear, the SDFix report will open and will also be saved in the folder under the name Report.txt.

Boot back into normal mode and attach your SDFix and Combofix logs in a next post. And also let us know whether you still get that error message at startup.

P.S.: Spyware Doctor and Combofix together sometimes give strange results. Nothing to worry about for now.

Posted:

The error seems to be gone.

ComboFix log

ComboFix 08-03-26.3 - Geoffrey 2008-03-28 10:27:03.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1635 [GMT 1:00]

Gestart vanuit: C:\Documents and Settings\Geoffrey\Bureaublad\ComboFix.exe

Command switches used :: C:\Documents and Settings\Geoffrey\Bureaublad\CFScript.txt

* Nieuw herstelpunt werd aangemaakt

* Resident AV is active

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

.

(((((((((((((((((((( Bestanden Gemaakt van 2008-02-28 to 2008-03-28 ))))))))))))))))))))))))))))))

.

2008-03-28 10:17 . 2008-03-28 10:17 <DIR> d-------- C:\WINDOWS\ERUNT

2008-03-27 21:04 . 2008-03-27 21:03 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2008-03-27 21:04 . 2008-03-27 21:03 298,104 --a------ C:\WINDOWS\system32\imon.dll

2008-03-27 21:04 . 2008-03-27 21:03 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2008-03-27 20:57 . 2008-03-28 08:43 <DIR> d-------- C:\Program Files\ESET

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> dr-h----- C:\Documents and Settings\LocalService\Onlangs geopend

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> dr------- C:\Documents and Settings\LocalService\Mijn documenten

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten

2008-03-27 17:45 . 2008-03-27 17:45 <DIR> d-------- C:\Documents and Settings\LocalService\Bureaublad

2008-03-27 13:50 . 2002-07-08 00:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm

2008-03-27 13:50 . 2006-06-20 10:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll

2008-03-27 13:48 . 2008-03-27 13:48 <DIR> d-------- C:\Program Files\Steinberg

2008-03-27 13:48 . 2008-03-27 13:50 <DIR> d-------- C:\Program Files\Image-Line

2008-03-27 13:48 . 2003-06-20 13:28 1,777,664 --a------ C:\WINDOWS\system32\gdiplus.dll

2008-03-27 13:44 . 2008-03-27 18:38 116 --a------ C:\WINDOWS\NeroDigital.ini

2008-03-27 13:24 . 2008-03-27 17:59 <DIR> d-------- C:\Documents and Settings\Geoffrey\Application Data\Ahead

2008-03-27 13:07 . 2008-03-27 13:07 <DIR> d-------- C:\Program Files\Nero

2008-03-27 13:07 . 2008-03-27 13:12 <DIR> d-------- C:\Program Files\Common Files\Ahead

2008-03-27 12:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-03-27 12:58 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

2008-03-27 09:47 . 2008-03-27 13:13 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-03-27 09:47 . 2008-03-27 09:47 <DIR> d-------- C:\Documents and Settings\Geoffrey\Application Data\PC Tools

2008-03-27 09:47 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-03-27 09:47 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-03-27 09:47 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-03-27 09:47 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-03-27 09:29 . 2008-03-27 09:46 <DIR> d-------- C:\Documents and Settings\Geoffrey\Contacts

2008-03-26 19:16 . 2008-03-26 19:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller

2008-03-26 19:15 . 2008-03-26 19:20 <DIR> d-------- C:\Program Files\Windows Live

2008-03-26 19:15 . 2008-03-26 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-03-26 19:12 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll

2008-03-26 19:02 . 2008-03-26 19:02 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire

2008-03-26 18:59 . 2008-03-26 18:59 <DIR> d--hs---- C:\WINDOWS\ftpcache

2008-03-26 18:51 . 2008-03-26 18:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2008-03-26 18:51 . 2008-03-28 09:03 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2008-03-26 18:51 . 2008-03-26 20:51 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2008-03-26 18:51 . 2008-03-28 09:03 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-03-26 18:51 . 2008-03-26 18:51 22,328 --a------ C:\Documents and Settings\Geoffrey\Application Data\PnkBstrK.sys

2008-03-26 18:51 . 2008-03-26 18:51 319 --a------ C:\WINDOWS\game.ini

2008-03-26 18:47 . 2008-03-26 18:47 <DIR> d-------- C:\Program Files\Activision

2008-03-26 18:32 . 2008-03-26 18:32 <DIR> d-------- C:\Program Files\Trend Micro

2008-03-26 18:20 . 2008-03-26 18:20 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire

2008-03-26 18:20 . 2008-03-28 08:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-03-26 18:15 . 2008-03-26 18:17 <DIR> d-------- C:\Program Files\Xfire

2008-03-26 18:15 . 2008-03-26 18:17 <DIR> d-------- C:\Documents and Settings\Geoffrey\Application Data\Xfire

2008-03-26 18:01 . 2004-08-04 01:54 57,856 --a------ C:\WINDOWS\system32\drivers\redbook.sys

2008-03-26 18:01 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys

2008-03-14 00:05 . 2008-03-14 00:05 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.

((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-26 17:51 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-26 16:37 --------- d-----w C:\Documents and Settings\Geoffrey\Application Data\ESET

2008-03-26 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET

2008-03-26 16:31 315,392 ----a-w C:\WINDOWS\HideWin.exe

2008-03-26 16:31 --------- d-----w C:\Program Files\Realtek

2008-03-26 16:30 --------- d-----w C:\Documents and Settings\Geoffrey\Application Data\InstallShield

2008-03-26 16:29 --------- d-----w C:\Program Files\DIFX

2008-03-26 16:27 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-03-26 16:13 --------- d-----w C:\Program Files\microsoft frontpage

2008-03-05 15:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll

2008-03-05 15:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll

2008-03-05 15:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll

2008-03-05 14:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll

2008-03-05 14:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll

2008-02-05 22:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll

.

((((((((((((((((((((((((((((( snapshot@2008-03-28_ 8.35.52,09 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-03-28 02:48:45 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

+ 2008-03-28 09:18:10 1,495,040 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

+ 2008-03-28 09:18:10 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2008-03-28 02:48:45 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

+ 2008-03-28 09:17:58 1,495,040 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT

+ 2008-03-28 09:17:58 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

- 2004-08-11 00:45:04 229,376 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll

+ 2007-10-20 05:01:32 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll

+ 2006-12-15 02:58:28 208,896 ----a-r C:\WINDOWS\system32\sw20.old.exe

+ 2006-12-15 02:58:48 69,632 ----a-r C:\WINDOWS\system32\sw24.old.exe

- 2004-08-11 00:45:04 229,376 ----a-w C:\WINDOWS\system32\wmasf.dll

+ 2007-10-20 05:01:32 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* empty entries & legitimate default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 11:54 16116224 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]

"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]

"SW20"="C:\WINDOWS\system32\sw20.exe" [ ]

"SW24"="C:\WINDOWS\system32\sw24.exe" [ ]

"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2006-12-15 03:59 217088]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]

"NWEReboot"="" []

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-27 21:03 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutqrq]

vtutqrq.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"C:\\Program Files\\Xfire\\xfire.exe"=

"C:\\Documents and Settings\\Geoffrey\\Bureaublad\\cod 4\\Cod4bot.exe"=

S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-28 10:27:38

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe

-> C:\Program Files\Eset\pr_imon.dll

.

Completion time: 2008-03-28 10:27:59

ComboFix-quarantined-files.txt 2008-03-28 09:27:50

ComboFix2.txt 2008-03-28 07:36:04

ComboFix3.txt 2008-03-27 19:04:45

Pre-Run: 130,277,122,048 bytes free

Post-Run: 130,266,501,120 bytes free

.

2008-03-28 09:07:11 --- E O F ---

SDFix log

SDFix: Version 1.163

Run by Geoffrey on Fri 28-03-2008 at 10:20

Microsoft Windows XP [version 5.1.2600]

Running From: C:\DOCUME~1\Geoffrey\BUREAU~1\SW\SDFix

Checking Services :

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-28 10:23:26

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D\n\21]

"DisplayName"="\xb973\x778e"

"DeviceDesc"="\xb973\x778e"

"ProviderName"="\x27fc\21\xee18\x7c90\x286c\21\b"

"MFG"="\xc1bf\b\xe12b\x1803\x524"

"ReinstallString"=".10.1000.7"

"DeviceInstanceIds"=str(7):"d:\chipset\rs690\sbdrv\smbus\smbusati.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 1

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"

"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare "

"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"

"C:\\Documents and Settings\\Geoffrey\\Bureaublad\\cod 4\\Cod4bot.exe"="C:\\Documents and Settings\\Geoffrey\\Bureaublad\\cod 4\\Cod4bot.exe:*:Enabled:Microsot Windows Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\DOCUME~1\Geoffrey\BUREAU~1\SW\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 26 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b8d5769ed022fab7a177db7759e6a27b\BITF.tmp"

Finished!
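What a helper actually reads out of the ComboFix and SDFix dumps above comes down to three observations: the two HKLM Run entries (SW20, SW24) whose bracket is empty (`[ ]`) because ComboFix recorded no timestamp, size or path for the target, a Winlogon Notify package with a random-looking name (vtutqrq.dll) that survived ComboFix's filtering of legitimate defaults, and a firewall allow rule for a binary on the user's desktop that describes itself as "Microsot Windows Explorer". The Python script below is an added example, not code from the thread, from ComboFix or from SDFix: it applies those three checks to a constructed excerpt shaped like the log sections above. The sample text, the list of system roots, the profile paths and the vendor words are assumptions made for the illustration.

```python
"""Triage helpers for a ComboFix "Reg Loading Points" dump and an SDFix
firewall allow-list export.

Added example for this thread; it is not code from ComboFix, SDFix or the
forum. The sample text is a constructed excerpt shaped like the logs above,
and the heuristics (system roots, profile paths, vendor words) are assumptions.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (category, item, reason)

# Registry key header, e.g. [HKEY_LOCAL_MACHINE\...\Run]
_KEY = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# Run value line: "Name"="target" [timestamp size path]; the bracket is "[ ]" when
# ComboFix recorded no file metadata for the target.
_RUN = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)" \[(?P<meta>[^\]]*)\]$')
# XP firewall allow-list export: "path"="path:*:Enabled:Description"
_FW = re.compile(r'^"(?P<path>[^"]+)"="(?P=path):\*:(?P<state>[A-Za-z]+):(?P<desc>[^"]*)"$')

# Assumed locations where a Microsoft/Windows component is expected to live.
SYSTEM_ROOTS = ("c:\\windows", "c:\\program files", "%windir%")
# Assumed user-writable profile paths where a firewall-exempted binary deserves scrutiny.
USER_ROOTS = ("c:\\documents and settings", "c:\\docume~1")
# Words a rule uses to pass itself off as an OS component (a common typo included).
MS_WORDS = ("microsoft", "microsot", "windows explorer", "explorer.exe")


def triage_run_keys(text: str) -> List[Finding]:
    """Flag autostart entries without file metadata and any visible Winlogon Notify package."""
    findings: List[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY.match(line)
        if m:
            key = m.group("key")
            continue
        if "\\winlogon\\notify\\" in key.lower():
            # ComboFix hides the legitimate default Notify packages, so a
            # package that is still listed is worth investigating.
            findings.append(("winlogon-notify", line, "Notify package under " + key))
            continue
        m = _RUN.match(line)
        if not m:
            continue
        value, meta = m.group("value"), m.group("meta").strip()
        if value and not meta:
            findings.append(("run-dangling", m.group("name"),
                             "autostart points at %s but no file metadata was recorded" % value))
    return findings


def triage_firewall(text: str) -> List[Finding]:
    """Flag allow rules whose description and location disagree, or that live in a profile."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = _FW.match(raw.strip())
        if not m:
            continue
        path = m.group("path").replace("\\\\", "\\")  # undo the REG export escaping
        desc = m.group("desc").strip()
        lower = path.lower()
        claims_os_component = any(w in desc.lower() for w in MS_WORDS)
        if claims_os_component and not lower.startswith(SYSTEM_ROOTS):
            findings.append(("fw-mismatch", path,
                             'described as "%s" but not under a system root' % desc))
        elif lower.startswith(USER_ROOTS):
            findings.append(("fw-userpath", path, "allow rule for a binary in a user-writable path"))
    return findings


# Constructed sample, shaped like the Reg Loading Points section of the log.
SAMPLE_RUN_KEYS = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [ ]
"SW24"="C:\WINDOWS\system32\sw24.exe" [ ]
"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2006-12-15 03:59 217088]
"NWEReboot"="" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutqrq]
vtutqrq.dll
'''

# Constructed sample, shaped like the SDFix "Authorized Application Key Export".
SAMPLE_FIREWALL = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Documents and Settings\\Geoffrey\\Bureaublad\\cod 4\\Cod4bot.exe"="C:\\Documents and Settings\\Geoffrey\\Bureaublad\\cod 4\\Cod4bot.exe:*:Enabled:Microsot Windows Explorer"
'''


def triage(run_text: str = SAMPLE_RUN_KEYS, fw_text: str = SAMPLE_FIREWALL) -> List[Finding]:
    """Run both checks and return the combined findings in log order."""
    return triage_run_keys(run_text) + triage_firewall(fw_text)


if __name__ == "__main__":
    for category, item, reason in triage():
        print("%-16s %-60s %s" % (category, item, reason))
```

The firewall check deliberately does not trust the description string at all: an allow rule is keyed by the executable path, so a binary under a user profile that labels itself as an OS component is judged by where it lives, not by what it calls itself. A missing-metadata Run entry is only a lead, not proof of infection; the helper's advice to keep the renamed sw20.old/sw24.old files around for a few days is exactly the manual follow-up this heuristic cannot replace.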

Posted:

OK, problem solved, so we'll leave it at that :)

Leave those two little files, sw20.old and sw24.old, in that folder on your desktop for now. If no program asks for these files while you use your PC over the next few days, you can delete that folder from your PC after a few days. That would mean they were indeed not legitimate, necessary files (and so quite possibly a consequence of an infection).

Now just remove the tools we used, clean up, and delete the infected restore points.

Remove ComboFix: Start -> Run and type: combofix /u

ComboFix is removed and a new System Restore point is created.

Remove SDFix via Windows Explorer.

Download CCleaner.

Install it and start it. In the left column click "Options". Select the "Advanced" tab, uncheck "Only delete files in Windows Temp folders older than 48 hours", and then close the program.

Start CCleaner and click "Cleaner" in the left column. Click "Analyze" and then "Run Cleaner". Next click "Registry" in the left column and click "Scan for Issues". If issues are found, click "Fix all issues" and "OK". Then close CCleaner.

It is advisable to delete the existing restore points (there are infected restore points among them that you could accidentally restore) by temporarily disabling System Restore.

- Go to Start/All Programs/Accessories/System Tools/System Restore.

- In the left half of the window click "System Restore Settings".

- Check "Turn off System Restore".

- Click "Apply".

- Windows asks whether you are sure.

- Click "Yes".

- Click "OK".

- Restart the PC.

- Go back to Start/All Programs/Accessories/System Tools/System Restore.

- You get the message: "System Restore has been turned off. Do you want to turn on System Restore now?"

- Click "Yes".

- Uncheck "Turn off System Restore".

- Click "Apply".

- Click "OK".

- Restart the PC.

- A new restore point has now been created.

That's it!
