[OPGELOST] msn virus, weeral, maar help aub

nele · 28 maart 2008

Zenuwen ja heb me al dikwijls vervloekt deze dagen, ook zoals de andere personen hier in huis, maar zo leert men wel vlug, spijtig

ComboFix 08-03-26.1 - Beheerder 2008-03-28 16:58:25.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.165 [GMT 1:00]

Gestart vanuit: C:\Documents and Settings\Beheerder\Bureaublad\ComboFix.exe

Command switches used :: C:\Documents and Settings\Beheerder\Bureaublad\CFScript.txt

* Nieuw herstelpunt werd aangemaakt

* Resident AV is active

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::

C:\sqmdata01.sqm

C:\sqmdata02.sqm

C:\sqmdata03.sqm

C:\sqmdata04.sqm

C:\sqmnoopt02.sqm

C:\sqmnoopt03.sqm

C:\sqmnoopt04.sqm

C:\sqmnoopt05.sqm

C:\WINDOWS\system32\kshsxl.exe

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\CPV

C:\sqmdata01.sqm

C:\sqmdata02.sqm

C:\sqmdata03.sqm

C:\sqmdata04.sqm

C:\sqmnoopt02.sqm

C:\sqmnoopt03.sqm

C:\sqmnoopt04.sqm

C:\sqmnoopt05.sqm

C:\WINDOWS\ERUNT\SDFIX

C:\WINDOWS\ERUNT\SDFIX\DEFAULT

C:\WINDOWS\ERUNT\SDFIX\ERDNT.CON

C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

C:\WINDOWS\ERUNT\SDFIX\ERDNT.INF

C:\WINDOWS\ERUNT\SDFIX\ERDNTDOS.LOC

C:\WINDOWS\ERUNT\SDFIX\ERDNTWIN.LOC

C:\WINDOWS\ERUNT\SDFIX\Find2.txt

C:\WINDOWS\ERUNT\SDFIX\report2.txt

C:\WINDOWS\ERUNT\SDFIX\SAM

C:\WINDOWS\ERUNT\SDFIX\SECURITY

C:\WINDOWS\ERUNT\SDFIX\SOFTWARE

C:\WINDOWS\ERUNT\SDFIX\SYSTEM

C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat

C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

C:\WINDOWS\system32\kshsxl.exe

.

(((((((((((((((((((( Bestanden Gemaakt van 2008-02-28 to 2008-03-28 ))))))))))))))))))))))))))))))

.

2008-03-28 15:19 . 2008-03-28 16:58 <DIR> d-------- C:\WINDOWS\ERUNT

2008-03-28 15:02 . 2008-03-28 15:36 <DIR> d-------- C:\SDFix

2008-03-27 18:28 . 2008-03-27 18:28 <DIR> d-------- C:\Program Files\Trend Micro

2008-03-26 21:05 . 2008-03-27 16:50 12,783,882 -r-hs---- C:\AVG7DB_F.DAT

2008-03-26 20:44 . 2008-03-26 20:44 12,394,737 --------- C:\AVG7QT.DAT

2008-03-26 20:43 . 2008-03-26 20:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7

2008-03-26 20:43 . 2008-03-26 20:43 <DIR> d-------- C:\Documents and Settings\Beheerder\Application Data\AVG7

2008-03-26 20:42 . 2008-03-26 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-03-26 20:42 . 2008-03-27 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7

2008-03-26 19:47 . 2008-03-26 19:47 <DIR> d-------- C:\Program Files\Alwil Software

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-28 13:55 --------- d-----w C:\Program Files\Windows Live

2008-03-27 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-03-25 19:37 --------- d-----w C:\Program Files\Windows Live Toolbar

2008-03-22 14:59 --------- d-----w C:\Documents and Settings\Beheerder\Application Data\LimeWirePlus

2008-03-10 20:41 --------- d-----w C:\Documents and Settings\Beheerder\Application Data\DivX

2008-02-27 11:26 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2008-02-26 14:23 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller

2008-02-23 15:03 --------- d-----w C:\Documents and Settings\Beheerder\Application Data\PC Suite

2008-02-21 11:37 --------- d-----w C:\Documents and Settings\Beheerder\Application Data\Nokia

2008-02-20 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite

2008-02-20 11:37 --------- d-----w C:\Program Files\Nokia

2008-02-20 11:37 --------- d-----w C:\Program Files\DIFX

2008-02-20 11:37 --------- d-----w C:\Program Files\Common Files\PCSuite

2008-02-20 11:37 --------- d-----w C:\Program Files\Common Files\Nokia

2008-02-20 11:36 --------- d-----w C:\Program Files\PC Connectivity Solution

2008-02-20 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations

2008-02-13 19:46 --------- d-----w C:\Documents and Settings\Beheerder\Application Data\LG Electronics

2008-02-13 17:46 --------- d-----w C:\Program Files\DivX

2008-02-13 17:44 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-13 17:44 --------- d-----w C:\Program Files\LG Electronics

2008-02-13 17:43 --------- d-----w C:\Program Files\LG PC Suite 2

2008-02-13 17:41 --------- d-----w C:\Documents and Settings\Beheerder\Application Data\InstallShield

2008-02-13 17:39 --------- d-----w C:\Program Files\Packard Bell GPS

2008-01-29 18:41 --------- d-----w C:\Documents and Settings\Beheerder\Application Data\Qtrax1

2008-01-29 18:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\SongbirdVLC

2008-01-11 05:52 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll

.

((((((((((((((((((((((((((((( snapshot@2008-03-27_19.07.19.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-07-11 08:41:36 345,656 ----a-w C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll

+ 2008-03-28 02:48:45 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

+ 2008-03-28 14:20:15 4,268,032 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat

+ 2008-03-28 14:20:15 110,592 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

- 2008-03-27 16:30:22 29,926 ----a-r C:\WINDOWS\Installer\{A0C978B8-B82B-4FAD-8C31-EBEE8E57468A}\MsblIco.Exe

+ 2008-03-27 21:42:03 29,926 ----a-r C:\WINDOWS\Installer\{A0C978B8-B82B-4FAD-8C31-EBEE8E57468A}\MsblIco.Exe

- 2008-03-25 20:19:24 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2008-03-28 11:57:11 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2008-03-25 20:19:24 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat

+ 2008-03-28 11:57:11 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat

- 2008-03-25 20:19:24 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-03-28 11:57:11 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]

2007-11-08 12:11 1502232 --a------ C:\Program Files\LimewirePlus\tbLime.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{47E161A0-F4BA-41DD-A17B-D2EB26AD6A02}"= "C:\Program Files\LimewirePlus\tbLime.dll" [2007-11-08 12:11 1502232]

[HKEY_CLASSES_ROOT\clsid\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{47E161A0-F4BA-41DD-A17B-D2EB26AD6A02}"= C:\Program Files\LimewirePlus\tbLime.dll [2007-11-08 12:11 1502232]

[HKEY_CLASSES_ROOT\clsid\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 02:10 442368]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00 15360]

"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-27 19:25 1211176]

"IBM RecordNow!"="" []

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 11:17 110592]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 11:17 512000]

"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 18:39 897024]

"TpShocks"="TpShocks.exe" [2005-04-05 15:14 106496 C:\WINDOWS\system32\TpShocks.exe]

"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 12:43 94208]

"ControlCenter"="C:\Program Files\IBM fingerprint software\ctlcntr.exe" [2005-04-12 16:34 286821]

"TP4EX"="tp4ex.exe" [2004-11-12 01:07 40960 C:\WINDOWS\system32\TP4EX.exe]

"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 02:11 217088]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]

"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 07:27 860160]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-10 21:05 344064]

"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 01:05 127035]

"ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 02:10 442368]

"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-27 09:53 90112]

"QCTRAY"="C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 03:07 745472]

"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 03:07 86016]

"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 01:01 139264]

"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-14 01:01 208896]

"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]

"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]

"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]

"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-03-26 20:42 352768]

"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2008-03-26 20:42 272896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 16:00 15360]

"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [ ]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2008-03-26 20:42 151552]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\

Adobe Reader Snelle start.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2005-05-24 22:41:58 565309]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-10 03:14:03 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

C:\Program Files\IBM fingerprint software\psfus.dll 2005-04-12 16:39 110179 C:\Program Files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]

QConGina.dll 2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

tphklock.dll 2004-08-12 20:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=

"C:\\StubInstaller.exe"=

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"C:\\Program Files\\LimeWire Plus\\LimeWire.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\DOCUME~1\\BEHEER~1\\LOCALS~1\\Temp\\ebquéé£'£'%''msn'è%'fix''.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-01-14 12:20]

R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 16:14]

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 03:07]

R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 03:07]

R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 12:59]

R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-04-14 01:01]

R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2005-04-27 10:27]

R2 SmiHlp;SMI helper driver;C:\Program Files\IBM fingerprint software\smihlp.sys [2005-04-12 16:31]

R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-04-12 16:41]

R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 15:54]

R3 TPM11;NSC Integrated Trusted Platform Module 1.1;C:\WINDOWS\system32\DRIVERS\nsctpm11.sys [2005-04-21 16:44]

S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 03:07]

S3 USRSp50;USRSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\USRSp50.sys [2004-09-07 14:42]

.

Inhoud van de 'Gedeelde Taken' map

"2008-03-28 15:02:38 C:\WINDOWS\Tasks\PMTask.job"

- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-28 17:01:39

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

? [288]

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\tphklock.dll

.

Voltooingstijd: 2008-03-28 17:02:43

ComboFix-quarantined-files.txt 2008-03-28 16:02:27

ComboFix2.txt 2008-03-28 14:54:55

ComboFix3.txt 2008-03-27 21:06:51

ComboFix4.txt 2008-03-27 19:07:56

ComboFix5.txt 2008-03-27 18:07:49

Pre-Run: 36,018,671,616 bytes beschikbaar

Post-Run: 36,009,762,816 bytes beschikbaar

.

2008-03-20 12:04:18 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:08:08, on 28/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Common Files\Virtual Token\vtserver.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\IBMTOOLS\UTILS\ibmprc.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MI3AA1~1\wcescomm.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\interMute\AdSubtract\AdSub.exe

C:\WINDOWS\System32\QCONSVC.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1034

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

R3 - URLSearchHook: LimewirePlus Toolbar - {47e161a0-f4ba-41dd-a17b-d2eb26ad6a02} - C:\Program Files\LimewirePlus\tbLime.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\BEHEER~1\LOCALS~1\Temp\ebquéé£'£'%''msn'è%'fix''.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: LimewirePlus Toolbar - {47e161a0-f4ba-41dd-a17b-d2eb26ad6a02} - C:\Program Files\LimewirePlus\tbLime.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: LimewirePlus Toolbar - {47e161a0-f4ba-41dd-a17b-d2eb26ad6a02} - C:\Program Files\LimewirePlus\tbLime.dll

O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\system32\adsubtb.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

O4 - HKLM\..\Run: [iBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe

O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\BEHEER~1\LOCALS~1\Temp\ebquéé£'£'%''msn'è%'fix''.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe

O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360

O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361

O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Mobiele favorieten maken - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ThinkPad-software bijwerken - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe

O11 - Options group: [JAVA_IBM] Java (IBM)

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game03.zylom.com/activex/zylomgamesplayer.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--

End of file - 12751 bytes

kape · 28 maart 2008

We komen steeds korter bij de eindmeet, maar er is 1 (erg vreemd) bestand dat moeilijk blijft doen en dat verwijderd zou moeten kunnen worden.

Kijk eens of je manueel dit kan terugvinden en verwijderen via Windows Verkenner : C:\\DOCUME~1\\BEHEER~1\\LOCALS~1\\Temp\\ebqué é£'£ '%''msn'è%'fix''.exe

Lukt dit niet dan moet je volgende zaken eens proberen :

Download en unzip Killbox naar je bureaublad.

In het veld "Full Path of File to Delete" kopieer en plak je bovenstaand bestand.

Klik op de knop: Delete on Reboot

Klik op de knop: single file

Klik daarna op de rode cirkel met het wit kruisje erin.

Killbox zal zeggen dat deze file zal verwijderd worden on reboot.. vraagt om nu te rebooten. Klik YES.

Je pc zal nu herstarten.

Is het bestand verwijderd, dan is het OK en maak je opnieuw een log van HJT. Is het nog niet weg, dan porbeer je met het volgende :

Download KillAFile

Dubbelklik op KillAFile.exe en installeer dit op je bureaublad.

Er wordt een map gemaakt KillAFile.

Open deze map en dubbelklik op kill.bat

Kies in het menu voor “Delete a file on reboot”.

Geef het volledige pad en de bestandsnaam in van het bestand dat moet worden verwijderd.

Indien het bestand bestaat krijg je een melding om alle open vensters te sluiten en zodat de computer kan rebooten. Druk op een toets om verder te gaan en dan zal de computer herstarten.

En ook daarna een nieuw log van HJT als het mocht gelukt zijn.

nele · 28 maart 2008

Lukt niet met ze alle 3 kan dat? via verkenner krijg ik foutmelding dat het niet verwijderd kan worden omdat het door iemand of een ander programma in gebruik is, maar staat niets anders open , en met de andere twee vonden ze niet, staat al verborgen map in verkenner .

nele · 28 maart 2008

bij killbox krijg ik op het laatste foutmelding : PendingFileRenameOperationsRegistryDatahasbeenremovedbyexternalProcess

en bij het derde ganse tijd try again, maar volgens mij is de bestandsnaam helemaal juist

kape · 28 maart 2008

Kan je mij de volledige naam eens geven zoals jij hem op je PC terugvindt ? En een nieuw logje van HJT ?

nele · 28 maart 2008

C:/Documents and Settings/beheerder/Local Settings/Temp/ebquéé£'£'%''msn'è%'fix''.exe

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:31:09, on 28/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Common Files\Virtual Token\vtserver.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\TpShocks.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\IBMTOOLS\UTILS\ibmprc.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MI3AA1~1\wcescomm.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\interMute\AdSubtract\AdSub.exe

C:\WINDOWS\System32\QCONSVC.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Internet Explorer\iexplore.exe