
[SOLVED] antivirus 360



ComboFix has finished everything. Disk check works again, and so does defragmentation.

Many thanks in advance for your quick response, and on a Sunday at that. Thank you.

Below you will find the log file from ComboFix and also the one from HijackThis.

ComboFix 09-03-19.02 - tony 2009-03-22 18:33:23.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.503.228 [GMT 1:00]

Gestart vanuit: c:\documents and settings\tony\Bureaublad\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\salesmonitor

c:\documents and settings\tony\Application Data\Antivirus2008y

c:\documents and settings\tony\ResErrors.log

c:\program files\Common Files\System\Uninstall

c:\program files\Common Files\System\Uninstall\Uninstall A360.lnk

c:\program files\dbar

c:\program files\FunWebProducts

c:\program files\MyWebSearch

c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

c:\program files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL

c:\program files\PCPrivacyCleaner

c:\program files\VirusRemover2008

c:\program files\winvi

c:\program files\winvi\dsktp\AC_RunActiveContent.js

c:\program files\winvi\dsktp\desktop.html

c:\program files\winvi\dsktp\internetDetection.swf

c:\program files\winvi\dsktp\settings.sol

c:\program files\winvi\icons\bufferthis.ico

c:\program files\winvi\icons\flashfunpages.ico

c:\program files\winvi\icons\funnies.ico

c:\program files\winvi\icons\funnyfunpages.ico

c:\program files\winvi\icons\goodcleanvideos.ico

c:\program files\winvi\icons\newfunpages.ico

c:\program files\winvi\icons\positivethoughts.ico

c:\program files\winvi\icons\removespyware.ico

c:\program files\winvi\icons\thissiterocks.ico

c:\program files\winvi\temp\version.ini

c:\program files\winvi\version.ini

c:\windows\jestertb.dll

c:\windows\system32\drivers\UACamyqvpxu.sys

c:\windows\system32\UACblmluiyu.log

c:\windows\system32\UACcpboexwn.dll

c:\windows\system32\UACflbonipp.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACirftobig.dll

c:\windows\system32\UACopykrwai.dll

c:\windows\system32\UACqpenittw.log

c:\windows\system32\UACrebqafqx.log

c:\windows\system32\UACsiemuedi.dll

c:\windows\system32\UACsklyfvnk.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_FMTR

(((((((((((((((((((( Bestanden Gemaakt van 2009-02-22 to 2009-03-22 ))))))))))))))))))))))))))))))

.

2009-03-22 18:19 . 2005-10-26 16:12 <DIR> d--h----- c:\documents and settings\Administrator.TONYC\Sjablonen

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> dr-h----- c:\documents and settings\Administrator.TONYC\Onlangs geopend

2009-03-22 18:19 . 2005-10-26 18:05 <DIR> d--h----- c:\documents and settings\Administrator.TONYC\Netwerkprinteromgeving

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> dr------- c:\documents and settings\Administrator.TONYC\Mijn documenten

2009-03-22 18:19 . 2005-10-26 18:05 <DIR> dr------- c:\documents and settings\Administrator.TONYC\Menu Start

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> dr------- c:\documents and settings\Administrator.TONYC\Favorieten

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> d-------- c:\documents and settings\Administrator.TONYC\Bureaublad

2009-03-22 18:19 . 2009-03-22 18:20 <DIR> d-------- c:\documents and settings\Administrator.TONYC\Application Data\AVGTOOLBAR

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> d-------- c:\documents and settings\Administrator.TONYC

2009-03-22 16:52 . 2009-03-22 16:52 <DIR> d-------- c:\program files\CCleaner

2009-03-22 16:52 . 2009-03-22 16:52 <DIR> dr-h----- c:\documents and settings\tony\Onlangs geopend

2009-03-21 10:02 . 2009-03-22 12:23 <DIR> d--h----- C:\$AVG8.VAULT$

2009-03-21 09:51 . 2009-03-22 08:40 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-03-21 09:51 . 2009-03-21 09:51 <DIR> d-------- c:\program files\AVG

2009-03-21 09:51 . 2009-03-21 09:59 <DIR> d-------- c:\documents and settings\tony\Application Data\AVGTOOLBAR

2009-03-21 09:51 . 2009-03-22 08:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-03-21 09:51 . 2009-03-21 09:51 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-03-21 09:51 . 2009-03-21 09:51 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-03-21 09:51 . 2009-03-21 09:51 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-03-13 18:30 . 2009-03-13 18:30 118 --a------ c:\windows\system32\MRT.INI

2009-03-08 14:00 . 2009-03-08 14:00 0 --a------ c:\windows\system32\nfr.assembly

2009-03-06 17:54 . 2009-03-08 13:59 <DIR> d-------- c:\windows\system32\887164

2009-03-06 17:54 . 2009-03-08 14:01 23,040 ---h----- c:\windows\nl10.exe

2009-03-06 17:54 . 2009-03-06 17:54 1 ---h----- c:\windows\t55ft2799f44.dat

2009-03-06 17:54 . 2009-03-06 17:54 1 --a------ c:\windows\9gdfgjf23

2009-03-04 11:14 . 2009-03-04 11:14 1 ---h----- c:\windows\t55ft3223f44.dat

2009-03-04 11:14 . 2009-03-04 11:14 1 ---h----- c:\windows\t55ft2807f44.dat

2009-02-26 16:48 . 2009-02-26 16:48 0 --a------ c:\windows\nfr.assembly

2009-02-26 16:02 . 2009-02-26 16:02 1 ---h----- c:\windows\t55ft3949f44.dat

2009-02-26 16:02 . 2009-02-26 16:02 1 ---h----- c:\windows\t55ft3533f44.dat

2009-02-25 11:10 . 2009-02-25 11:10 1 ---h----- c:\windows\t55ft3928f44.dat

2009-02-25 11:10 . 2009-02-25 11:10 1 ---h----- c:\windows\t55ft3532f44.dat

2009-02-22 13:50 . 2009-02-27 17:19 <DIR> d-------- c:\program files\Netlog Uploader

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-22 11:23 --------- d-----w c:\program files\Common Files\SchijfBewaker

2009-03-21 17:16 374 ----a-w c:\documents and settings\tony\Application Data\internaldb6334.dat

2009-03-21 17:05 18,432 ----a-w c:\documents and settings\tony\Application Data\internaldb41.dat

2009-03-21 16:47 555 ----a-w c:\documents and settings\tony\Application Data\internaldb8467.dat

2009-03-21 16:34 --------- d-----w c:\program files\SchijfBewaker

2009-03-08 13:06 --------- d-----w c:\program files\Windows Live

2009-02-27 16:29 --------- d-----w c:\program files\Windows Live Toolbar

2009-02-19 19:31 --------- d-----w c:\program files\Common Files\Adobe

2009-02-19 19:20 --------- d-----w c:\program files\Bonjour

2009-02-19 19:13 --------- d-----w c:\program files\Common Files\Macrovision Shared

2009-02-19 17:50 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-02-11 14:23 --------- d-----w c:\documents and settings\tony\Application Data\U3

2009-02-11 14:03 --------- d-----w c:\program files\Google

2009-01-18 11:49 44,814,336 ----a-w C:\Photoshop.exe

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-03-30 25263144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-21 1932568]

"SweetIM"="c:\program files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 103712]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-07-01 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-07-01 118784]

"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

enhanced keyboard driver.lnk - c:\program files\EnhanceKeyboard\kb_2k.exe [2005-10-29 221184]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-10-29 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-03-21 09:51 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"80:TCP"= 80:TCP:dll32

"7070:TCP"= 7070:TCP:nfr

"7171:TCP"= 7171:TCP:dll32

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-21 325640]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-21 107912]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-21 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-21 298264]

R3 ipgd;IC Plus IP1000 Family Gigabit Ethernet Adapter Driver;c:\windows\system32\drivers\ipgdnd51.sys [2005-10-26 33792]

S2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [2001-09-07 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nfrsvc REG_MULTI_SZ NFRAgent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a40fa16-d587-11dc-96fb-00508d7e3c1c}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a40fa23-d587-11dc-96fb-00508d7e3c1c}]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2a84950-b0a7-11dd-97c0-00508d7e3c1c}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

Inhoud van de 'Gedeelde Taken' map

2009-02-19 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-03-22 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

.

- - - - ORPHANS VERWIJDERD - - - -

BHO-{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - c:\windows\system32\WinNB58.dll

WebBrowser-{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - c:\windows\system32\WinNB58.dll

HKCU-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe

HKLM-Run-Salestart(1) - c:\program files\Common Files\VeiligheidsAgent\stmon.exe

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.be/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

mWindow Title = Telenet Internet

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local;<local>

uInternet Settings,ProxyServer = http=localhost:7171

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Koppelingdoel converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Koppelingdoel converteren naar bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Selectie converteren naar bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

Trusted Zone: mirarsearch.com\click

Trusted Zone: mirarsearch.com\redirect

DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/CursorManiaFWBInitialSetup1.0.1.0.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-22 18:39:40

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Voltooingstijd: 2009-03-22 18:42:08 - machine werd herstart

ComboFix-quarantined-files.txt 2009-03-22 17:42:04

Pre-Run: 104,399,069,184 bytes beschikbaar

Post-Run: 105,145,389,056 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

234 --- E O F --- 2009-03-13 17:30:48

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:43:56, on 22/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\EnhanceKeyboard\kb_2k.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\tony\Bureaublad\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: enhanced keyboard driver.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/CursorManiaFWBInitialSetup1.0.1.0.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-BE/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--

End of file - 7297 bytes


Start HijackThis. If you are a Vista user, choose "Run as administrator" ("Uitvoeren als administrator"). Select "Do a system scan only". Tick only the items listed below:

O4 - HKLM\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab

Click 'Fix checked' to remove the items.

Open a Notepad file.

Copy and paste the bold text below into it.

File::

c:\windows\nl10.exe

c:\windows\system32\nfr.assembly

c:\windows\t55ft2799f44.dat

c:\windows\t55ft3223f44.dat

c:\windows\t55ft2807f44.dat

c:\windows\nfr.assembly

c:\windows\t55ft3949f44.dat

c:\windows\t55ft3533f44.dat

c:\windows\t55ft3928f44.dat

c:\windows\t55ft3532f44.dat

c:\windows\Tasks\OGADaily.job

c:\windows\system32\OGAVerify.exe

c:\windows\Tasks\OGALogon.job

Folder::

c:\windows\system32\887164

c:\windows\9gdfgjf23

c:\program files\Common Files\SchijfBewaker

c:\program files\SchijfBewaker

c:\program files\Macrogaming\SweetIM

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SweetIM"=-

Save this file to your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe.

This will make ComboFix start again. Reboot if you are asked to.

After the reboot, post the contents of ComboFix.txt in your next message together with a fresh HijackThis log.

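The CFScript above was written by hand from two sources: the HijackThis O4 line for SweetIM (which gives the Run key and value name to delete, plus the program folder) and the suspicious entries in ComboFix's "files created" listing (nl10.exe, nfr.assembly, the t55ft*.dat files, the 887164 folder). The following Python script is an added example, not code from this thread or from the ComboFix or HijackThis tools. It parses both log formats as they appear in the logs above and emits the same File::, Folder:: and Registry:: sections. The regular expressions, the hive table and the SUSPECT_RE name list are assumptions made here; the sample lines are copied from the logs posted in this thread, and the name list mirrors the helper's selection rather than any general malware signature. Deleting a program's folder is only appropriate for the directory the unwanted program owns, which is why the script only acts on O4 lines the caller has explicitly selected, just as the helper tells the user to tick only the listed items.

```python
"""Build a ComboFix CFScript (File::/Folder::/Registry:: sections) from
selected HijackThis O4 lines and ComboFix "files created" lines.

Added example for this thread; not ComboFix's or HijackThis's own code.
Line formats, hive names and the suspect-name pattern are assumptions
taken from the logs quoted in the thread.
"""
import ntpath
import re

# HijackThis abbreviates hives; the Registry:: section uses full names.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

# O4 - HKLM\..\Run: [sweetIM] C:\Program Files\...\SweetIM.exe [args]
# Path may be quoted and may be followed by command-line arguments.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): '
    r'\[(?P<name>[^\]]+)\] "?(?P<path>[A-Za-z]:\\.+?\.exe)"?(?:\s.*)?$',
    re.IGNORECASE,
)

# ComboFix listing: "<created> . <modified> <size|<DIR>> <attrs> <path>"
CF_FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[\w-]{9}) (?P<path>[A-Za-z]:\\.+)$"
)

# Names the helper singled out in this thread (assumption: hypothetical
# selection for the example, not a general detection signature).
SUSPECT_RE = re.compile(r"\\(nl10\.exe|nfr\.assembly|t55ft\d+f44\.dat|887164)$", re.I)


def parse_o4(line):
    """Return {key, name, path} for an O4 Run entry with an absolute path,
    or None for entries without one (e.g. a bare 'SOUNDMAN.EXE')."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive = HIVES[m["hive"].upper()]
    return {"key": f"{hive}\\{RUN_KEY}\\{m['key']}",
            "name": m["name"], "path": m["path"]}


def build_cfscript(selected_o4_lines, combofix_lines, suspect_re=SUSPECT_RE):
    """Emit CFScript text. Selected O4 entries become a Registry:: value
    deletion ("name"=-) plus a Folder:: entry for the program directory;
    ComboFix listing lines matching suspect_re become File:: or Folder::
    entries depending on whether the size column reads <DIR>."""
    files, folders, registry = [], [], []
    for line in selected_o4_lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        registry.append(f"[{entry['key']}]")
        # Registry value names are case-insensitive, so the lower-cased
        # name HijackThis prints ("sweetIM") still matches "SweetIM".
        registry.append(f'"{entry["name"]}"=-')
        folders.append(ntpath.dirname(entry["path"]))
    for line in combofix_lines:
        m = CF_FILE_RE.match(line)
        if not m or not suspect_re.search(m["path"]):
            continue
        (folders if m["size"] == "<DIR>" else files).append(m["path"])
    sections = [("File::", files), ("Folder::", folders), ("Registry::", registry)]
    return "\n\n".join("\n".join([hdr] + body) for hdr, body in sections if body) + "\n"


# Sample input copied from the logs quoted in this thread.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe",
]
SAMPLE_COMBOFIX = [
    r"2009-03-06 17:54 . 2009-03-08 14:01 23,040 ---h----- c:\windows\nl10.exe",
    r"2009-03-06 17:54 . 2009-03-08 13:59 <DIR> d-------- c:\windows\system32\887164",
    r"2009-03-06 17:54 . 2009-03-06 17:54 1 ---h----- c:\windows\t55ft2799f44.dat",
    r"2009-03-21 09:51 . 2009-03-21 09:51 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys",
]

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_HJT, SAMPLE_COMBOFIX))
```

Running it prints the three sections in the same shape as the script the helper posted; the legitimate AVG driver line is left out because it matches none of the selected names.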

Done as described.

Here are the logs.

ComboFix 09-03-19.02 - tony 2009-03-22 19:22:44.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.503.131 [GMT 1:00]

Gestart vanuit: c:\documents and settings\tony\Bureaublad\Combo-Fix.exe

gebruikte Opdracht switches :: c:\documents and settings\tony\Bureaublad\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

* Nieuw herstelpunt werd aangemaakt

FILE ::

c:\windows\nfr.assembly

c:\windows\nl10.exe

c:\windows\system32\nfr.assembly

c:\windows\system32\OGAVerify.exe

c:\windows\t55ft2799f44.dat

c:\windows\t55ft2807f44.dat

c:\windows\t55ft3223f44.dat

c:\windows\t55ft3532f44.dat

c:\windows\t55ft3533f44.dat

c:\windows\t55ft3928f44.dat

c:\windows\t55ft3949f44.dat

c:\windows\Tasks\OGADaily.job

c:\windows\Tasks\OGALogon.job

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common Files\SchijfBewaker

c:\program files\Macrogaming\SweetIM

c:\program files\Macrogaming\SweetIM\conf\adapter.xml

c:\program files\Macrogaming\SweetIM\conf\autoupdate.xml

c:\program files\Macrogaming\SweetIM\conf\logger.xml

c:\program files\Macrogaming\SweetIM\conf\messages.xml

c:\program files\Macrogaming\SweetIM\conf\sweetim.xml

c:\program files\Macrogaming\SweetIM\conf\sweetimapp.xml

c:\program files\Macrogaming\SweetIM\conf\users\main_user_config.xml

c:\program files\Macrogaming\SweetIM\conf\users\solenneke@hotmail.com\emoticons_shortcut.xml

c:\program files\Macrogaming\SweetIM\conf\users\solenneke@hotmail.com\lastuse_Audibles.xml

c:\program files\Macrogaming\SweetIM\conf\users\solenneke@hotmail.com\lastuse_Emoticons.xml

c:\program files\Macrogaming\SweetIM\conf\users\solenneke@hotmail.com\lastuse_Winks.xml

c:\program files\Macrogaming\SweetIM\conf\users\solenneke@hotmail.com\user_config.xml

c:\program files\Macrogaming\SweetIM\data\contentdb\0001081A.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00010859.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00010893.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00010896.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0001089B.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108A9.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108AA.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108AD.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108BE.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108C2.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108DD.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108F1.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108F4.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108FD.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000108FF.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0001091C.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0001092C.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00010937.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00010954.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0002006A.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0002006C.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0002006D.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020071.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020075.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020077.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000200C0.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000200F1.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020114.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020121.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020158.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020185.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000201DA.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000201DC.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000201F6.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020201.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020226.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00020239.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000202ED.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0002031D.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00030063.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00030098.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00030099.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0003009A.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000300A1.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0004002B.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\000400C4.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00050005.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00080020.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00080024.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00080046.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\00080057.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\0008006E.dat

c:\program files\Macrogaming\SweetIM\data\contentdb\cache_indx.dat

c:\program files\Macrogaming\SweetIM\default.xml

c:\program files\Macrogaming\SweetIM\mgAdaptersProxy.dll

c:\program files\Macrogaming\SweetIM\mgAIMAuto.dll

c:\program files\Macrogaming\SweetIM\mgAIMMessengerAdapter.dll

c:\program files\Macrogaming\SweetIM\mgArchive.dll

c:\program files\Macrogaming\SweetIM\mgcommon.dll

c:\program files\Macrogaming\SweetIM\mgcommunication.dll

c:\program files\Macrogaming\SweetIM\mgconfig.dll

c:\program files\Macrogaming\SweetIM\mgFlashPlayer.dll

c:\program files\Macrogaming\SweetIM\mghooking.dll

c:\program files\Macrogaming\SweetIM\mgIEPlayer.dll

c:\program files\Macrogaming\SweetIM\mglogger.dll

c:\program files\Macrogaming\SweetIM\mgMediaPlayer.dll

c:\program files\Macrogaming\SweetIM\mgMsnAuto.dll

c:\program files\Macrogaming\SweetIM\mgMsnMessengerAdapter.dll

c:\program files\Macrogaming\SweetIM\mgSweetIM.dll

c:\program files\Macrogaming\SweetIM\mgUpdateSupport.dll

c:\program files\Macrogaming\SweetIM\mgxml_wrapper.dll

c:\program files\Macrogaming\SweetIM\mgYahooAuto.dll

c:\program files\Macrogaming\SweetIM\mgYahooMessengerAdapter.dll

c:\program files\Macrogaming\SweetIM\msvcp71.dll

c:\program files\Macrogaming\SweetIM\msvcr71.dll

c:\program files\Macrogaming\SweetIM\resources\images\AudibleButton.png

c:\program files\Macrogaming\SweetIM\resources\images\DisplayPicturesButton.png

c:\program files\Macrogaming\SweetIM\resources\images\EmoticonButton.png

c:\program files\Macrogaming\SweetIM\resources\images\NudgeButton.png

c:\program files\Macrogaming\SweetIM\resources\images\SoundFxButton.png

c:\program files\Macrogaming\SweetIM\resources\images\WinksButton.png

c:\program files\Macrogaming\SweetIM\SweetIM.exe

c:\program files\SchijfBewaker

c:\windows\9gdfgjf23\

c:\windows\nfr.assembly

c:\windows\nl10.exe

c:\windows\system32\887164

c:\windows\system32\nfr.assembly

c:\windows\system32\OGAVerify.exe

c:\windows\t55ft2799f44.dat

c:\windows\t55ft2807f44.dat

c:\windows\t55ft3223f44.dat

c:\windows\t55ft3532f44.dat

c:\windows\t55ft3533f44.dat

c:\windows\t55ft3928f44.dat

c:\windows\t55ft3949f44.dat

c:\windows\Tasks\OGADaily.job

c:\windows\Tasks\OGALogon.job

.

(((((((((((((((((((( Bestanden Gemaakt van 2009-02-22 to 2009-03-22 ))))))))))))))))))))))))))))))

.

2009-03-22 18:19 . 2005-10-26 16:12 <DIR> d--h----- c:\documents and settings\Administrator.TONYC\Sjablonen

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> dr-h----- c:\documents and settings\Administrator.TONYC\Onlangs geopend

2009-03-22 18:19 . 2005-10-26 18:05 <DIR> d--h----- c:\documents and settings\Administrator.TONYC\Netwerkprinteromgeving

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> dr------- c:\documents and settings\Administrator.TONYC\Mijn documenten

2009-03-22 18:19 . 2005-10-26 18:05 <DIR> dr------- c:\documents and settings\Administrator.TONYC\Menu Start

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> dr------- c:\documents and settings\Administrator.TONYC\Favorieten

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> d-------- c:\documents and settings\Administrator.TONYC\Bureaublad

2009-03-22 18:19 . 2009-03-22 18:20 <DIR> d-------- c:\documents and settings\Administrator.TONYC\Application Data\AVGTOOLBAR

2009-03-22 18:19 . 2009-03-22 18:19 <DIR> d-------- c:\documents and settings\Administrator.TONYC

2009-03-22 16:52 . 2009-03-22 16:52 <DIR> d-------- c:\program files\CCleaner

2009-03-22 16:52 . 2009-03-22 18:44 <DIR> dr-h----- c:\documents and settings\tony\Onlangs geopend

2009-03-21 10:02 . 2009-03-22 12:23 <DIR> d--h----- C:\$AVG8.VAULT$

2009-03-21 09:51 . 2009-03-22 08:40 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-03-21 09:51 . 2009-03-21 09:51 <DIR> d-------- c:\program files\AVG

2009-03-21 09:51 . 2009-03-21 09:59 <DIR> d-------- c:\documents and settings\tony\Application Data\AVGTOOLBAR

2009-03-21 09:51 . 2009-03-22 08:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-03-21 09:51 . 2009-03-21 09:51 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-03-21 09:51 . 2009-03-21 09:51 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-03-21 09:51 . 2009-03-21 09:51 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-03-13 18:30 . 2009-03-13 18:30 118 --a------ c:\windows\system32\MRT.INI

2009-03-06 17:54 . 2009-03-06 17:54 1 --a------ c:\windows\9gdfgjf23

2009-02-22 13:50 . 2009-02-27 17:19 <DIR> d-------- c:\program files\Netlog Uploader

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-22 18:23 --------- d-----w c:\program files\Macrogaming

2009-03-21 17:16 374 ----a-w c:\documents and settings\tony\Application Data\internaldb6334.dat

2009-03-21 17:05 18,432 ----a-w c:\documents and settings\tony\Application Data\internaldb41.dat

2009-03-21 16:47 555 ----a-w c:\documents and settings\tony\Application Data\internaldb8467.dat

2009-03-08 13:06 --------- d-----w c:\program files\Windows Live

2009-02-27 16:29 --------- d-----w c:\program files\Windows Live Toolbar

2009-02-19 19:31 --------- d-----w c:\program files\Common Files\Adobe

2009-02-19 19:20 --------- d-----w c:\program files\Bonjour

2009-02-19 19:13 --------- d-----w c:\program files\Common Files\Macrovision Shared

2009-02-19 17:50 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2009-02-11 14:23 --------- d-----w c:\documents and settings\tony\Application Data\U3

2009-02-11 14:03 --------- d-----w c:\program files\Google

2009-02-09 14:08 1,846,912 ----a-w c:\windows\system32\win32k.sys

2009-01-18 11:49 44,814,336 ----a-w C:\Photoshop.exe

2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr

2008-12-31 16:04 691,560 ----a-w c:\windows\system32\OGACheckControl.dll

2008-12-31 16:04 502,120 ----a-w c:\windows\system32\OGAAddin.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-03-30 25263144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-21 1932568]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-07-01 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-07-01 118784]

"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

enhanced keyboard driver.lnk - c:\program files\EnhanceKeyboard\kb_2k.exe [2005-10-29 221184]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-10-29 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-03-21 09:51 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"80:TCP"= 80:TCP:dll32

"7070:TCP"= 7070:TCP:nfr

"7171:TCP"= 7171:TCP:dll32

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-21 325640]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-21 107912]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-21 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-21 298264]

R3 ipgd;IC Plus IP1000 Family Gigabit Ethernet Adapter Driver;c:\windows\system32\drivers\ipgdnd51.sys [2005-10-26 33792]

S2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [2001-09-07 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nfrsvc REG_MULTI_SZ NFRAgent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a40fa16-d587-11dc-96fb-00508d7e3c1c}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a40fa23-d587-11dc-96fb-00508d7e3c1c}]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2a84950-b0a7-11dd-97c0-00508d7e3c1c}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.be/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

mWindow Title = Telenet Internet

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local;<local>

uInternet Settings,ProxyServer = http=localhost:7171

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Koppelingdoel converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Koppelingdoel converteren naar bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Selectie converteren naar bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

Trusted Zone: mirarsearch.com\click

Trusted Zone: mirarsearch.com\redirect

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-22 19:24:19

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

Voltooingstijd: 2009-03-22 19:25:29

ComboFix-quarantined-files.txt 2009-03-22 18:25:27

ComboFix2.txt 2009-03-22 17:42:10

Pre-Run: 105.137.651.712 bytes beschikbaar

Post-Run: 105,122,361,344 bytes beschikbaar

280 --- E O F --- 2009-03-13 17:30:48

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:26:18, on 22/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\EnhanceKeyboard\kb_2k.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\tony\Bureaublad\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: enhanced keyboard driver.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-BE/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--

End of file - 6953 bytes

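The ComboFix log above carries the findings a helper reads first: the Security Center notification and override values all set to 1, firewall exceptions that open ports 80, 7070 and 7171 to everyone under the odd names dll32 and nfr, an IE proxy at localhost:7171 (the same port), and a service hosted by svchost under a group (nfrsvc) that Windows does not ship. As an added example, not part of this thread or of ComboFix, the Python script below parses a constructed sample of those log lines and flags each of them, and cross-checks the proxy port against the opened ports. The list of built-in svchost groups is an assumption for the example and is deliberately short.

```python
"""Triage a ComboFix-style log for the weak settings seen in this thread (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: a few lines modelled on the ComboFix log in this thread.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"80:TCP"= 80:TCP:dll32
"7070:TCP"= 7070:TCP:nfr
"7171:TCP"= 7171:TCP:dll32
R2 avg8wd;AVG Free8 WatchDog;c:\\progra~1\\AVG\\AVG8\\avgwdsvc.exe [2009-03-21 298264]
S2 NFRAgent;NFRAgent;c:\\windows\\system32\\svchost.exe -k nfrsvc [2001-09-07 14336]
uInternet Settings,ProxyServer = http=localhost:7171
"""

# Security Center values that, when set to 1, silence or override the
# antivirus / firewall / update warnings Windows XP would otherwise show.
SECURITY_CENTER_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify",
                         "AntiVirusOverride", "FirewallOverride")

# Assumption for this example: svchost groups that ship with Windows XP.
# Not exhaustive; any group outside this set simply deserves a closer look.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                        "dcomlaunch", "imgsvc", "termsvcs", "httpfilter"}

SC_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
SVC_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;.*svchost\.exe\s+-k\s+(\S+)', re.IGNORECASE)
PROXY_RE = re.compile(r'ProxyServer\s*=\s*(?:http=)?(?:localhost|127\.0\.0\.1):(\d+)', re.IGNORECASE)


def _section_lines(text: str, marker: str) -> List[str]:
    """Lines that belong to registry sections whose [header] contains marker."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("["):
            inside = marker.lower() in line.lower()
            continue
        if inside and line.strip():
            out.append(line.strip())
    return out


def find_security_center_overrides(text: str) -> List[str]:
    """Names of Security Center notification/override values that are set to 1."""
    hits = []
    for line in _section_lines(text, "security center"):
        m = SC_RE.match(line)
        if m and m.group(1) in SECURITY_CENTER_FLAGS and int(m.group(2), 16) == 1:
            hits.append(m.group(1))
    return hits


def find_open_ports(text: str) -> List[Tuple[int, str, str]]:
    """(port, protocol, rule name) for every globally opened firewall port."""
    ports = []
    for line in _section_lines(text, "GloballyOpenPorts"):
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return ports


def find_local_proxy(text: str) -> Optional[int]:
    """Port of an Internet Explorer proxy that points at the local machine, or None."""
    m = PROXY_RE.search(text)
    return int(m.group(1)) if m else None


def find_unknown_svchost_groups(text: str) -> List[Tuple[str, str]]:
    """(service name, -k group) for services hosted in a group not in KNOWN_SVCHOST_GROUPS."""
    found = []
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if m and m.group(2).lower() not in KNOWN_SVCHOST_GROUPS:
            found.append((m.group(1).strip(), m.group(2)))
    return found


def triage(text: str) -> List[str]:
    """Readable findings, including the cross-check between the proxy port and open ports."""
    findings = []
    for name in find_security_center_overrides(text):
        findings.append(f"Security Center value {name} is set to 1 (warnings suppressed)")
    ports = find_open_ports(text)
    for port, proto, name in ports:
        findings.append(f"Firewall exception opens {port}/{proto} globally for '{name}'")
    proxy_port = find_local_proxy(text)
    if proxy_port is not None:
        msg = f"IE traffic is routed through a proxy on localhost:{proxy_port}"
        if any(p == proxy_port for p, _, _ in ports):
            msg += " and that port is also opened in the firewall"
        findings.append(msg)
    for svc, group in find_unknown_svchost_groups(text):
        findings.append(f"Service {svc} runs under svchost group '{group}', which is not a built-in group")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it against a saved ComboFix.txt by reading the file into `triage()`; the section-aware parsing means a dword:00000001 elsewhere in the log is not mistaken for a Security Center override, and the proxy/port cross-check is what ties the localhost:7171 proxy to the dll32 firewall rule in this thread.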

That was quite an infection :s But we're nearing the end :-)

Now also delete the following folder (shown in bold):

c:\windows\9gdfgjf23

Then you can start cleaning up what remains of the infection:

Remove Combofix: Start -> Run and type: combofix /u

This will remove Combofix and its related folders and files, restore the clock settings, hide file extensions again, hide hidden files and system files again, and create a new restore point.

Download CCleaner.

Install it and start CCleaner. In the left column click "Cleaner". Click "Analyze" and then "Run Cleaner". Next, click "Registry" in the left column and click "Scan for Issues". If errors are found, click "Fix selected issues" and "OK". You will then be asked to make a backup. Click "Yes". Then choose "Fix All Selected Issues". Close CCleaner afterwards.

It is advisable to delete the existing restore points (there are infected restore points among them that you could accidentally restore) by temporarily turning off System Restore. Do this via Start -> Control Panel -> System -> System Restore -> tick "Turn off System Restore on all drives". Apply and OK. Restart the PC and untick the box again.

That's it!
