Posted:

Hello,

Like Jesse (22/3), who was helped by Kape, I have also had problems since yesterday with anti-spyware / viruses, in any case WML.exe, winlogonhook, and trojans.

The usual anti-spyware programs do not work well enough (A2, Spysweep, AVG), and it is also a mystery to me how it got past my Panda.

Can anyone help me?

Jan

Posted:

Logfile of HijackThis v1.99.1

Scan saved at 21:19:24, on 30-Mar-08

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

D:\Panda\pavsrv51.exe

D:\Panda\AVENGINE.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

D:\Panda\TPSrv.exe

C:\WINDOWS\system32\spoolsv.exe

d:\anti-spyware\a2 free\a2service.exe

D:\Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\nvsvc32.exe

D:\Panda\PsCtrls.exe

D:\Panda\PavFnSvr.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

d:\panda\firewall\PSHOST.EXE

D:\Panda\PsImSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\fxssvc.exe

D:\Panda\ApvxdWin.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE

C:\WINDOWS\system32\iizsylbg.exe

C:\WINDOWS\system32\regsvr32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

C:\Microsoft Office 2000\Office\1033\msoffice.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\taskmgr.exe

D:\Panda\WebProxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Microsoft Office 2000\Office\WINWORD.EXE

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

D:\Anti-Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sign In

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Anti-Spyware\Spybot\SDHelper.dll

O2 - BHO: (no name) - {6A085CB6-F3F1-21CC-8F02-0A1B5B292914} - C:\WINDOWS\system32\ingawqpp.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [hcenter] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

O4 - HKLM\..\Run: [APVXDWIN] "D:\Panda\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [iizsylbg] C:\WINDOWS\system32\iizsylbg.exe

O4 - HKLM\..\Run: [gbmzwfqj] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\gbmzwfqj.dll"

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201816543913

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll

O20 - Winlogon Notify: winpto32 - C:\WINDOWS\SYSTEM32\winpto32.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - d:\anti-spyware\a2 free\a2service.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Software Controller - Panda Software International - D:\Panda\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - D:\Panda\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Panda\pavsrv51.exe

O23 - Service: Panda Host Service (PSHost) - Panda Software International - d:\panda\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Panda\PsImSvc.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - D:\Panda\TPSrv.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Posted:

Download VundoFix to your desktop.

Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

O2 - BHO: (no name) - {6A085CB6-F3F1-21CC-8F02-0A1B5B292914} - C:\WINDOWS\system32\ingawqpp.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [iizsylbg] C:\WINDOWS\system32\iizsylbg.exe

O4 - HKLM\..\Run: [gbmzwfqj] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\gbmzwfqj.dll"

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k

O20 - Winlogon Notify: winpto32 - C:\WINDOWS\SYSTEM32\winpto32.dll

Click 'Fix checked' to remove the items.

Double-click VundoFix.exe to start it.

- Click the Scan for Vundo button.

- Once the scan has finished, click the Remove Vundo button.

- You will be asked whether you want the files removed; click YES.

- After you click Yes, the icons on your desktop will disappear while Vundo is being removed.

- When it is finished you will get a message that your PC will be shut down; click OK.

- Restart your PC.

Note: VundoFix may find a file that cannot be removed.

In that case VundoFix will run again after your PC restarts. You must then repeat the instructions above starting from: "Click Scan for Vundo."

Post the contents of C:\vundofix.txt and a new HJT log in your next reply.
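As an added illustration (not part of this thread), a small Python triage script that encodes the kinds of HijackThis entries the helper selected above: orphaned "(no file)" BHOs, unnamed BHOs loading from system32, Run entries that call regsvr32 /u, any Winlogon Notify handler, and random-looking eight-letter filenames in generic directories. The log lines are constructed to mirror the shapes in the thread's log, and the name heuristic is a crude assumption tuned to those samples, not a general detector.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the HijackThis 1.99.1 log posted in this thread:
# the same line shapes, mixing legitimate entries with the ones the helper selected.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Anti-Spyware\Spybot\SDHelper.dll
O2 - BHO: (no name) - {6A085CB6-F3F1-21CC-8F02-0A1B5B292914} - C:\WINDOWS\system32\ingawqpp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [APVXDWIN] "D:\Panda\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [iizsylbg] C:\WINDOWS\system32\iizsylbg.exe
O4 - HKLM\..\Run: [gbmzwfqj] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\gbmzwfqj.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: winpto32 - C:\WINDOWS\SYSTEM32\winpto32.dll
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - D:\Panda\TPSrv.exe
"""

# Windows paths to executable modules inside a log line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
# Generic drop locations used by the infection in this thread.
GENERIC_DIRS = ("\\windows\\system32\\", "\\application data\\")
VOWELS = set("aeiou")


def max_consonant_run(name: str) -> int:
    """Length of the longest run of non-vowel characters ('y' counts as a consonant)."""
    run = best = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(basename: str) -> bool:
    """Crude heuristic (assumption) tuned to the Vundo-style names in this thread:
    exactly eight lowercase letters with a consonant run of four or more
    (e.g. 'iizsylbg', 'gbmzwfqj'); it does not match 'ctfmon' or 'sdhelper'."""
    return bool(re.fullmatch(r"[a-z]{8}", basename)) and max_consonant_run(basename) >= 4


def in_generic_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in GENERIC_DIRS)


def triage_line(line: str) -> List[str]:
    """Return the review reasons for one HijackThis line (empty list = nothing noteworthy)."""
    reasons: List[str] = []
    section = line.split(" - ", 1)[0]
    if section == "O2" and line.endswith("(no file)"):
        reasons.append("orphaned BHO registration (CLSID points to a missing file)")
    if section == "O2" and "(no name)" in line and "\\system32\\" in line.lower():
        reasons.append("unnamed BHO loading from system32")
    if section == "O4" and re.search(r"regsvr32\s+/u", line, re.IGNORECASE):
        reasons.append("Run entry executes regsvr32 /u on a DLL at every logon")
    if section == "O20":
        reasons.append("Winlogon Notify DLL runs inside winlogon.exe at logon; verify publisher")
    for path in PATH_RE.findall(line):
        base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if in_generic_dir(path) and looks_random(base):
            reasons.append(f"random-looking filename '{base}' in a generic directory")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every non-empty line; keep only the lines with reasons."""
    out: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            out.append((line, reasons))
    return out


if __name__ == "__main__":
    for flagged_line, why in triage_log(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```

On the sample the Spybot, Panda and ctfmon lines come back clean, and the five entries the helper chose (minus the benign KernelFaultCheck line) are flagged with a reason each.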

Posted:

The results are:

VundoFix reported no "infections", so the log report is empty.

So I ran ComboFix instead (which you had also recommended to Jesse on 22/3), and its log is:

ComboFix 08-03-30.2 - Administrator 2008-03-30 23:01:07.2 - NTFSx86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.376 [GMT 2:00]

Running from: G:\Software Downloads\Virus\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Jan-Edzard\Application Data\install.dat

C:\Documents and Settings\Jan-Edzard\Application Data\printer.exe

C:\Program Files\Common Files\{30F35~1

C:\Program Files\Common Files\{70F35~1

C:\WINDOWS\system32\winpto32.dll

.

---- Previous Run -------

.

C:\WINDOWS\appatc~1

C:\WINDOWS\system32\unsvchosts.lzma

.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))

.

2008-03-30 23:04 . 92,544 C:\WINDOWS\system32\drivers\av5flt.sys

2008-03-30 22:15 . 2008-03-30 22:15 <DIR> d-------- C:\VundoFix Backups

2008-03-30 20:47 . 2008-03-30 20:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-03-30 20:47 . 2008-03-30 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-03-30 01:13 . 2008-03-30 01:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-03-29 14:37 . 2008-03-29 14:42 <DIR> d-------- C:\Program Files\Windows Live

2008-03-29 14:37 . 2008-03-29 14:42 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller

2008-03-29 14:37 . 2008-03-29 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-03-29 14:36 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-03-29 14:36 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-03-29 14:36 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-03-29 14:36 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-03-29 14:08 . 2008-03-29 14:08 <DIR> d-------- C:\Program Files\Symantec

2008-03-29 14:08 . 2008-03-29 14:08 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared

2008-03-29 14:08 . 2008-03-29 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec

2008-03-29 10:21 . 2008-03-29 10:21 94,208 --a------ C:\Documents and Settings\All Users\Application Data\gbmzwfqj.dll

2008-03-29 10:21 . 2008-03-29 10:21 90,112 --a------ C:\WINDOWS\system32\iizsylbg.exe

2008-03-28 20:54 . 2008-03-28 20:54 24,576 --a------ C:\WINDOWS\system32\winzzr32.dll

2008-03-15 17:20 . 2008-03-15 17:20 77,312 --a------ C:\ROZ Woonruimte - Handleiding - okt 2005.doc

2008-03-01 11:46 . 2008-03-01 11:46 <DIR> d-------- C:\Program Files\Mindscape

2008-03-01 11:45 . 2008-03-01 11:45 272 --a------ C:\WINDOWS\_delis32.ini

2008-02-16 13:12 . 2008-02-16 13:12 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

28980-02-04 05:32 --------- d-----w C:\Program Files\microsoft frontpage

28980-02-04 05:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SBSI

2008-03-30 21:06 214,928 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck

2008-03-30 21:06 214,928 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT

2008-03-30 21:06 1,224 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck

2008-03-30 21:06 1,224 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG

2008-03-01 09:46 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2008-01-04 19:56 1,526,640 ----a-w C:\WINDOWS\WRSetup.dll

2007-12-31 10:06 162 ----a-w C:\install.dat

2007-12-26 20:21 737,280 ----a-w C:\WINDOWS\iun6002.exe

2005-01-21 00:53 45,056 ------r C:\Program Files\SetAttrib.exe

2004-11-30 07:23 40,960 ------r C:\Program Files\delete.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 33280 C:\WINDOWS\system32\rundll32.exe]

"SoundMan"="SOUNDMAN.EXE" [2002-09-27 14:44 47104 C:\WINDOWS\SOUNDMAN.EXE]

"PRISMSVR.EXE"="C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.exe" [2004-07-02 16:27 295001]

"hcenter"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]

"APVXDWIN"="D:\Panda\APVXDWIN.exe" [2007-03-30 15:52 329264]

"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Microsoft Office 2000\Office\OSA9.EXE [2000-01-21 10:15:54 65588]

SpeedTouch 121g Wireless USB Monitor.lnk - C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe [2004-09-23 18:36:30 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoFavoritesMenu"= 0 (0x0)

"NoSMMyPictures"= 0 (0x0)

"NoStartMenuMyMusic"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoInstrumentation"= 0 (0x0)

"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"DhGiivUbGS"= C:\WINDOWS\TEMP\win17.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoFavoritesMenu"= 0 (0x0)

"NoSMMyPictures"= 0 (0x0)

"NoStartMenuMyMusic"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoUserNameInStartMenu"= 0 (0x0)

"NoInstrumentation"= 0 (0x0)

"NoStartMenuPinnedList"= 0 (0x0)

"ForceStartMenuLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

--a------ 2003-05-01 23:56 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2002-09-27 16:38 446464 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2004-12-27 11:57 98304 D:\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SENS"=2 (0x2)

"RSVP"=3 (0x3)

"SysmonLog"=3 (0x3)

"mnmsrvc"=3 (0x3)

"CiSvc"=3 (0x3)

"FastUserSwitchingCompatibility"=3 (0x3)

"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\fxsclnt.exe"=

"C:\\WINDOWS\\explorer.exe"=

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-04-02 19:43]

R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-04-02 19:43]

R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-03-12 17:45]

R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-04-02 19:43]

R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-03-22 18:12]

R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-03-12 17:27]

R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-04-02 19:43]

R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-04-02 19:43]

R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2006-10-27 13:27]

R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-02-19 14:21]

R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []

R3 BT4501G;SpeedTouch 121g Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\BT4501G.sys [2004-07-29 13:55]

R3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []

R3 EL910;3Com 3CSOHO100B-TX PCI;C:\WINDOWS\system32\DRIVERS\EL910N51.sys [2002-05-29 08:54]

R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-02 19:43]

R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []

R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []

R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-03 00:05]

S3 A4S2600;A4S2600;C:\WINDOWS\system32\drivers\A4S2600.sys [1998-07-01 13:58]

*Newly Created Service* - PAVDRV

*Newly Created Service* - PAVSRV

.

Contents of the 'Scheduled Tasks' folder

"2008-03-29 23:00:00 C:\WINDOWS\Tasks\At1.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-24 08:00:00 C:\WINDOWS\Tasks\At10.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 08:00:00 C:\WINDOWS\Tasks\At11.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 09:00:03 C:\WINDOWS\Tasks\At12.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 10:00:00 C:\WINDOWS\Tasks\At13.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 11:00:00 C:\WINDOWS\Tasks\At14.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 12:00:00 C:\WINDOWS\Tasks\At15.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 13:00:00 C:\WINDOWS\Tasks\At16.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 14:00:00 C:\WINDOWS\Tasks\At17.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 15:00:02 C:\WINDOWS\Tasks\At18.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 16:00:00 C:\WINDOWS\Tasks\At19.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 00:00:00 C:\WINDOWS\Tasks\At2.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-29 18:00:00 C:\WINDOWS\Tasks\At20.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-29 19:00:00 C:\WINDOWS\Tasks\At21.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 19:00:00 C:\WINDOWS\Tasks\At22.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-29 21:00:00 C:\WINDOWS\Tasks\At23.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-29 22:00:00 C:\WINDOWS\Tasks\At24.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 01:00:00 C:\WINDOWS\Tasks\At3.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 02:00:00 C:\WINDOWS\Tasks\At4.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 03:00:00 C:\WINDOWS\Tasks\At5.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 04:00:00 C:\WINDOWS\Tasks\At6.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 05:00:00 C:\WINDOWS\Tasks\At7.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 06:00:00 C:\WINDOWS\Tasks\At8.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 07:00:00 C:\WINDOWS\Tasks\At9.job"

- C:\WINDOWS\system32\d0u418YA.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-30 23:05:16

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

D:\Panda\pavsrv51.exe

D:\Panda\AVENGINE.EXE

D:\Panda\TPSrv.exe

d:\anti-spyware\a2 free\a2service.exe

D:\Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\nvsvc32.exe

D:\Panda\PsCtrls.exe

D:\Panda\PavFnSvr.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

d:\panda\firewall\PSHOST.EXE

D:\Panda\PsImSvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Microsoft Office 2000\Office\1033\msoffice.exe

D:\Panda\WebProxy.exe

C:\WINDOWS\system32\taskmgr.exe

.

**************************************************************************

.

Completion time: 2008-03-30 23:15:28 - machine was rebooted [Jan-Edzard]

ComboFix-quarantined-files.txt 2008-03-30 21:15:20

Pre-Run: 8,278,962,176 bytes free

Post-Run: 8,012,132,352 bytes free

And the new HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 23:20:20, on 30-Mar-08

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

D:\Panda\pavsrv51.exe

D:\Panda\AVENGINE.EXE

C:\WINDOWS\system32\svchost.exe

D:\Panda\TPSrv.exe

C:\WINDOWS\system32\spoolsv.exe

d:\anti-spyware\a2 free\a2service.exe

D:\Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\nvsvc32.exe

D:\Panda\PsCtrls.exe

D:\Panda\PavFnSvr.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

d:\panda\firewall\PSHOST.EXE

D:\Panda\PsImSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\fxssvc.exe

D:\Panda\ApvxdWin.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

C:\Microsoft Office 2000\Office\1033\msoffice.exe

C:\WINDOWS\explorer.exe

D:\Panda\WebProxy.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sign In

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Anti-Spyware\Spybot\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [hcenter] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

O4 - HKLM\..\Run: [APVXDWIN] "D:\Panda\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201816543913

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - d:\anti-spyware\a2 free\a2service.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Software Controller - Panda Software International - D:\Panda\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - D:\Panda\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Panda\pavsrv51.exe

O23 - Service: Panda Host Service (PSHost) - Panda Software International - d:\panda\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Panda\PsImSvc.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - D:\Panda\TPSrv.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Do you think it is solved now? Or do you still see strange things?

Thanks in advance!

Posted:

Very handy, you got ahead of me by running ComboFix. That would have been my next instruction anyway, after your blank VundoFix. So we save ourselves yet another post.

Your problem is not completely cleaned up yet, though. You still need to do the following:

Open a Notepad file.

Copy and paste the bold text below into it.

File::

C:\Documents and Settings\All Users\Application Data\gbmzwfqj.dll

C:\WINDOWS\system32\iizsylbg.exe

C:\WINDOWS\_delis32.ini

Folder::

C:\VundoFix Backups

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

Save this file to your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix restart. Reboot if you are asked to.

After the reboot, post the contents of Combofix.txt in your next reply. And let me know right away whether you are still getting pop-up infection warnings.
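As an added illustration (not part of this thread), a Python parser over a constructed excerpt modelled on the ComboFix log above. It pulls out three things the helper's CFScript targeted or that a defender reading such a log would want flagged: autoruns under policies\explorer\run (the win17.exe entry that the HijackThis log in this thread did not show), Security Center values that suppress the "no antivirus" balloons, and clusters of At*.job scheduled tasks all launching one binary. The two Firewall* value names are assumed counterparts and do not come from the log.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix log in this thread: the same section
# markers and line shapes, trimmed to the entries the checks below look at.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"DhGiivUbGS"= C:\WINDOWS\TEMP\win17.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

Contents of the 'Scheduled Tasks' folder
"2008-03-29 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\d0u418YA.exe
"2008-03-24 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\d0u418YA.exe
"2008-03-30 08:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\d0u418YA.exe
"2008-03-30 09:00:03 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\d0u418YA.exe
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")            # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')     # "name"=data
TASK_RE = re.compile(r'^"[\d: -]+ (.+\.job)"$')      # "timestamp C:\...\AtN.job"
TASK_TARGET_RE = re.compile(r"^- (.+)$")             # - C:\...\target.exe

# Security Center values that silence the XP "no antivirus / updates / firewall"
# balloons when non-zero. The AntiVirus*/Updates* names appear in this thread's log;
# the Firewall* names are their firewall counterparts (assumed, not from the log).
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify", "UpdatesDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride",
}


def dword_is_set(data: str) -> bool:
    """True for REGEDIT4 'dword:XXXXXXXX' data whose value is non-zero."""
    if not data.lower().startswith("dword:"):
        return False
    return int(data[6:], 16) != 0


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REGEDIT4-style 'Reg Loading Points' block into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def parse_tasks(text: str) -> Dict[str, List[str]]:
    """Map each scheduled-task target binary to the .job files that launch it."""
    targets: Dict[str, List[str]] = defaultdict(list)
    job = None
    for line in text.splitlines():
        line = line.strip()
        m = TASK_RE.match(line)
        if m:
            job = m.group(1).rsplit("\\", 1)[-1]
            continue
        m = TASK_TARGET_RE.match(line)
        if m and job:                       # only the line directly after a .job line
            targets[m.group(1).lower()].append(job)
            job = None
    return dict(targets)


def findings(text: str) -> List[str]:
    """Human-readable review items for the three checks described in the lead-in."""
    out: List[str] = []
    for key, values in parse_reg_points(text).items():
        if key.endswith(r"\policies\explorer\run"):
            for name, data in values.items():
                out.append(f"policies\\explorer\\run autorun '{name}' -> {data}")
        if key.endswith(r"\security center"):
            for name, data in values.items():
                if name in SECURITY_CENTER_FLAGS and dword_is_set(data):
                    out.append(f"Security Center warning suppressed: {name}")
    for target, jobs in parse_tasks(text).items():
        if len(jobs) >= 3:
            out.append(f"{len(jobs)} At*.job tasks run the same binary {target}")
    return out


if __name__ == "__main__":
    for item in findings(SAMPLE_COMBOFIX):
        print(item)
```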

Posted:

It took a while because ComboFix apparently froze twice. Now it worked.

ComboFix log:

ComboFix 08-03-30.2 - Jan-Edzard 2008-04-01 9:15:16.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.179 [GMT 2:00]

Running from: G:\Software Downloads\Virus\ComboFix.exe

Command switches used :: G:\Software Downloads\Virus\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

C:\Documents and Settings\All Users\Application Data\gbmzwfqj.dll

C:\WINDOWS\_delis32.ini

C:\WINDOWS\system32\iizsylbg.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Application Data\gbmzwfqj.dll

C:\VundoFix Backups

C:\WINDOWS\_delis32.ini

C:\WINDOWS\system32\iizsylbg.exe

.

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))

.

2008-03-30 20:47 . 2008-03-30 20:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-03-30 20:47 . 2008-03-30 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-03-30 01:13 . 2008-03-30 01:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-03-29 14:37 . 2008-03-29 14:42 <DIR> d-------- C:\Program Files\Windows Live

2008-03-29 14:37 . 2008-03-29 14:42 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller

2008-03-29 14:37 . 2008-03-29 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-03-29 14:36 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui

2008-03-29 14:36 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui

2008-03-29 14:36 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-03-29 14:36 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

2008-03-29 14:08 . 2008-03-29 14:08 <DIR> d-------- C:\Program Files\Symantec

2008-03-29 14:08 . 2008-03-29 14:08 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared

2008-03-29 14:08 . 2008-03-29 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec

2008-03-28 20:54 . 2008-03-28 20:54 24,576 --a------ C:\WINDOWS\system32\winzzr32.dll

2008-03-15 17:20 . 2008-03-15 17:20 77,312 --a------ C:\ROZ Woonruimte - Handleiding - okt 2005.doc

2008-03-01 11:46 . 2008-03-01 11:46 <DIR> d-------- C:\Program Files\Mindscape

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

28980-02-04 05:32 --------- d-----w C:\Program Files\microsoft frontpage

28980-02-04 05:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SBSI

2008-03-31 19:26 214,928 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck

2008-03-31 19:26 214,928 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT

2008-03-31 19:26 1,224 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck

2008-03-31 19:26 1,224 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG

2008-03-01 09:46 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2008-02-16 11:12 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Webroot

2008-01-04 19:56 1,526,640 ----a-w C:\WINDOWS\WRSetup.dll

2005-01-21 00:53 45,056 ------r C:\Program Files\SetAttrib.exe

2004-11-30 07:23 40,960 ------r C:\Program Files\delete.exe

.

((((((((((((((((((((((((((((( snapshot@2008-03-30_23.13.57.75 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-03-30 20:33:59 59,268 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-03-31 19:30:07 59,268 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-03-30 20:33:59 393,638 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-03-31 19:30:07 393,638 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 33280 C:\WINDOWS\system32\rundll32.exe]

"SoundMan"="SOUNDMAN.EXE" [2002-09-27 14:44 47104 C:\WINDOWS\SOUNDMAN.EXE]

"PRISMSVR.EXE"="C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.exe" [2004-07-02 16:27 295001]

"hcenter"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]

"APVXDWIN"="D:\Panda\APVXDWIN.exe" [2007-03-30 15:52 329264]

"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Microsoft Office 2000\Office\OSA9.EXE [2000-01-21 10:15:54 65588]

SpeedTouch 121g Wireless USB Monitor.lnk - C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe [2004-09-23 18:36:30 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoFavoritesMenu"= 0 (0x0)

"NoSMMyPictures"= 0 (0x0)

"NoStartMenuMyMusic"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoInstrumentation"= 0 (0x0)

"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"DhGiivUbGS"= C:\WINDOWS\TEMP\win17.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoFavoritesMenu"= 0 (0x0)

"NoSMMyPictures"= 0 (0x0)

"NoStartMenuMyMusic"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoUserNameInStartMenu"= 0 (0x0)

"NoInstrumentation"= 0 (0x0)

"NoStartMenuPinnedList"= 0 (0x0)

"ForceStartMenuLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

--a------ 2003-05-01 23:56 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2002-09-27 16:38 446464 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2004-12-27 11:57 98304 D:\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SENS"=2 (0x2)

"RSVP"=3 (0x3)

"SysmonLog"=3 (0x3)

"mnmsrvc"=3 (0x3)

"CiSvc"=3 (0x3)

"FastUserSwitchingCompatibility"=3 (0x3)

"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32\\fxsclnt.exe"=

"C:\\WINDOWS\\explorer.exe"=

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-04-02 19:43]

R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-04-02 19:43]

R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-03-12 17:45]

R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-04-02 19:43]

R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-03-22 18:12]

R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-03-12 17:27]

R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-04-02 19:43]

R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-04-02 19:43]

R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2006-10-27 13:27]

R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-02-19 14:21]

R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []

R3 BT4501G;SpeedTouch 121g Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\BT4501G.sys [2004-07-29 13:55]

R3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []

R3 EL910;3Com 3CSOHO100B-TX PCI;C:\WINDOWS\system32\DRIVERS\EL910N51.sys [2002-05-29 08:54]

R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-02 19:43]

R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []

R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []

R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-03 00:05]

S3 A4S2600;A4S2600;C:\WINDOWS\system32\drivers\A4S2600.sys [1998-07-01 13:58]

*Newly Created Service* - CATCHME

*Newly Created Service* - PAVDRV

*Newly Created Service* - PAVSRV

.

Contents of the 'Scheduled Tasks' folder

"2008-03-29 23:00:00 C:\WINDOWS\Tasks\At1.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-24 08:00:00 C:\WINDOWS\Tasks\At10.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 08:00:00 C:\WINDOWS\Tasks\At11.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 09:00:03 C:\WINDOWS\Tasks\At12.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 10:00:00 C:\WINDOWS\Tasks\At13.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 11:00:00 C:\WINDOWS\Tasks\At14.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 12:00:00 C:\WINDOWS\Tasks\At15.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 13:00:00 C:\WINDOWS\Tasks\At16.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 14:00:00 C:\WINDOWS\Tasks\At17.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 15:00:02 C:\WINDOWS\Tasks\At18.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 16:00:00 C:\WINDOWS\Tasks\At19.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 00:00:00 C:\WINDOWS\Tasks\At2.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-29 18:00:00 C:\WINDOWS\Tasks\At20.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-29 19:00:00 C:\WINDOWS\Tasks\At21.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-30 19:00:00 C:\WINDOWS\Tasks\At22.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-29 21:00:00 C:\WINDOWS\Tasks\At23.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-29 22:00:00 C:\WINDOWS\Tasks\At24.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 01:00:00 C:\WINDOWS\Tasks\At3.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 02:00:00 C:\WINDOWS\Tasks\At4.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 03:00:00 C:\WINDOWS\Tasks\At5.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 04:00:00 C:\WINDOWS\Tasks\At6.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 05:00:00 C:\WINDOWS\Tasks\At7.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 06:00:00 C:\WINDOWS\Tasks\At8.job"

- C:\WINDOWS\system32\d0u418YA.exe

"2008-03-19 07:00:00 C:\WINDOWS\Tasks\At9.job"

- C:\WINDOWS\system32\d0u418YA.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-01 09:24:41

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-01 9:26:50

ComboFix-quarantined-files.txt 2008-04-01 07:26:42

ComboFix2.txt 2008-03-30 21:15:31

Pre-Run: 7,418,908,672 bytes free

Post-Run: 7,404,019,712 bytes free

And a new HJT:

Logfile of HijackThis v1.99.1

Scan saved at 9:36:59, on 01-Apr-08

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

D:\Panda\pavsrv51.exe

D:\Panda\AVENGINE.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

D:\Panda\TPSrv.exe

C:\WINDOWS\system32\spoolsv.exe

d:\anti-spyware\a2 free\a2service.exe

D:\Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\nvsvc32.exe

D:\Panda\PsCtrls.exe

D:\Panda\PavFnSvr.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

d:\panda\firewall\PSHOST.EXE

D:\Panda\PsImSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\fxssvc.exe

D:\Panda\ApvxdWin.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

C:\Microsoft Office 2000\Office\1033\msoffice.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

D:\Panda\WebProxy.exe

C:\Program Files\MrSnappy95\snappy95.exe

D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sign In

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Anti-Spyware\Spybot\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [hcenter] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

O4 - HKLM\..\Run: [APVXDWIN] "D:\Panda\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201816543913

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - d:\anti-spyware\a2 free\a2service.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Software Controller - Panda Software International - D:\Panda\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - D:\Panda\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Panda\pavsrv51.exe

O23 - Service: Panda Host Service (PSHost) - Panda Software International - d:\panda\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Panda\PsImSvc.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - D:\Panda\TPSrv.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

The system now seems clean in the sense that I no longer get the red pop-ups and the blue SecurityAlert pop-ups etc. (exactly the same ones Jesse had on 22/3), but after the first clean-up I still often got Panda messages that blocks were being carried out because something wanted to change my registry .../searchURL, .../provider, .../mainpage, etc.

I still get these messages now, after the last time I ran ComboFix, just now at the reboot. So it looks like everything is fairly clean, but apparently my PC is still being attacked?

Thanks in advance for the help!

Posted:

Your PC really is clean now.

It is not unusual for your PC to be under constant attack ... and on top of that Panda quite often clashes with Combofix. That could (possibly) also be one of the reasons for some of the error messages. So we are going to remove Combofix.

Now that your problems are solved, it is time for the "big clean-up": removing the tools we used, a cleaning, and removing the infected restore points.

Remove Combofix: Start -> Run and type: combofix /u

Combofix is removed and a new system restore point is created.

Remove VundoFix (if still present) via Windows Explorer.

Download CCleaner.

Install it and start it. In the left-hand column click "Options". Select the 'Advanced' tab and untick "Only delete temporary files in the Windows system folder that are older than 48 hours", then close the program.

Start CCleaner and click "Cleaner" in the left-hand column. Click 'Analyze' and then 'Clean'. Next click "Registry" in the left-hand column and click 'Scan for errors'. If errors are found, click "fix all errors" and "OK". Then close CCleaner again.

It is advisable to remove the existing restore points (among them are infected restore points that you could otherwise restore) by temporarily disabling System Restore.

- Go to Start/All Programs/Accessories/System Tools/System Restore.

- In the left half of the window click "System Restore Settings".

- Tick "Turn off System Restore".

- Click "Apply".

- Windows asks whether you are sure.

- Click "Yes".

- Click "OK".

- Restart the PC.

- Go back to Start/All Programs/Accessories/System Tools/System Restore.

- You get the message: "System Restore has been turned off. Do you want to turn on System Restore now?"

- Click "Yes".

- Remove the tick in front of "Turn off System Restore".

- Click "Apply".

- Click "OK".

- Restart the PC.

- A new restore point has now been created.

That's it!
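The System Restore steps above can also be scripted. The snippet below is an added example and is not part of the original post or of any tool mentioned in it. It uses the WMI SystemRestore class in the root\default namespace (the same interface the System Restore control panel drives) to list the current restore points, disable System Restore on the system drive (which discards every restore point on it, infected ones included), re-enable it, and create a fresh restore point. It assumes an elevated PowerShell session and that C:\ is the system drive; the description text of the new restore point is a made-up value.

```powershell
# Added example: purge all restore points and create a clean baseline via WMI.
# Assumes an elevated session and C:\ as the system drive.
$drive = "C:\"
$sr = [wmiclass]"root\default:SystemRestore"

function Show-RestorePoints($label) {
    # Each instance of the class is one restore point; record them so the
    # state before and after the purge is visible in the console/log.
    Write-Host $label
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object { "  {0,4}  {1}  {2}" -f $_.SequenceNumber, $_.CreationTime, $_.Description }
}

Show-RestorePoints "Restore points before cleanup:"

# Disabling System Restore on a drive deletes every restore point for that drive.
$rc = $sr.Disable($drive).ReturnValue
if ($rc -ne 0) { throw "Disable failed with code $rc" }

# Re-enable; the second argument waits until the service is back up before returning.
$rc = $sr.Enable($drive, $true).ReturnValue
if ($rc -ne 0) { throw "Enable failed with code $rc" }

# Create a known-clean restore point.
# RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint("Clean baseline after malware removal", 0, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with code $rc" }

Show-RestorePoints "Restore points after cleanup:"
```

The Disable/Enable/CreateRestorePoint methods are static methods of the WMI class, which is why they are called on the `[wmiclass]` object rather than on an instance. On Vista and later, PowerShell 2.0 also offers the Disable-ComputerRestore, Enable-ComputerRestore and Checkpoint-Computer cmdlets for the same three steps; the WMI calls shown here are the ones that also work on the XP system in this thread.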

Posted:

Just quickly an example of the Panda message (I can't attach JPGs) that I still get (and never got before my problems):

Attempt to modify HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHURL\PROVIDER. I then choose the option "don't allow settings to be modified".

I'll do the clean-up and let you know.

Posted:

You can attach JPGs to your post by clicking the "manage attachments" option at the bottom of your post. In the next screen you can then browse for the JPG on your hard disk and it will be added as an attachment. I'm very curious what those screenshots have to tell.
