
[SOLVED] trojans



Kaspersky reports that there are several trojans. I have scanned, but I don't know whether it was successful?

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:10:55, on 1-7-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Startup Faster\sfAgent.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [startupFaster] "C:\Program Files\Startup Faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: StartupFaster

O4 - Global Startup: StartupFaster

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Toevoegen aan de Banner Ad Blokker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: Statistieken bescherming internetverkeer - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - Windows Live OneCare ... se5483.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4729934546

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 8243 bytes


Although there is no clear indication here of what kind of virus this would be (and all the files shown are fairly normal things), we will still take a closer look. Moreover, the top of the page says ANTI-SPAM: wouldn't this be about SPAM notifications rather than VIRUSES? I can't really conclude that from this image.

Download Combofix to your Desktop.

Read more about the correct use of Combofix here.

NOTE: if, during or after downloading Combofix or while using Combofix, you get an alert from your antivirus or another real-time scanner, disable that scanner and download Combofix again.

Some scanners see certain components that Combofix uses as suspicious and will block or delete them!

  • Double-click Combofix.exe to start it.
    If you have used Combofix before, you may get a warning that an update is available. Allow ComboFix to be updated.
    Follow the instructions and accept the disclaimer by clicking Yes.
    If the Recovery Console is not installed, you will be asked to install it by clicking YES in the "Query - Recovery Console" window (only for XP, not for VISTA).
    Click OK and Yes to have the Recovery Console installed automatically.
    Afterwards, click Yes again to start the malware scan.
    While the fix is running, do NOT click in the window, as this will cause your PC to hang.

When the fix is complete and after the restart, the log Combofix.txt will open.


ComboFix 09-07-01.01 - Administrator 02-07-2009 8:54.9 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.503.187 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Administrator\Bureaublad\ComboFix.exe

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\mlfcache.dat

.

(((((((((((((((((((( Bestanden Gemaakt van 2009-06-02 to 2009-07-02 ))))))))))))))))))))))))))))))

.

2009-07-02 06:34 . 2009-07-02 06:41 -------- d--h--r- c:\documents and settings\Administrator\Onlangs geopend

2009-06-27 09:53 . 2009-06-27 09:53 -------- d-----w- c:\documents and settings\Administrator\.jagex_cache_32

2009-06-27 08:03 . 2009-06-27 08:03 -------- d-----w- C:\.jagex_cache_32

2009-06-26 12:40 . 2009-06-26 12:40 34 ----a-w- c:\documents and settings\Naam\jagex_runescape_preferences.dat

2009-06-26 12:14 . 2009-02-13 08:13 -------- d--h--w- c:\documents and settings\Naam\Netwerkprinteromgeving

2009-06-26 12:14 . 2009-02-13 08:13 -------- d-----r- c:\documents and settings\Naam\Menu Start

2009-06-26 12:14 . 2009-02-13 07:17 -------- d--h--w- c:\documents and settings\Naam\Sjablonen

2009-06-25 05:40 . 2009-06-25 05:40 -------- d-sh--w- C:\found.002

2009-06-24 11:08 . 2009-06-24 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SwiftKit

2009-06-24 11:08 . 2009-06-27 08:43 -------- d-----w- c:\program files\SwiftKit

2009-06-22 12:21 . 2009-06-22 12:21 -------- d-sh--w- C:\found.001

2009-06-13 17:53 . 2009-06-13 17:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss

2009-06-11 15:32 . 2009-04-30 21:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-06-11 15:32 . 2009-04-30 21:17 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-02 07:04 . 2009-02-14 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-07-02 07:04 . 2009-02-28 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-02 07:01 . 2009-03-15 11:36 679968 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-07-02 07:01 . 2009-03-15 11:36 4452 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-07-02 07:01 . 2009-03-15 11:36 2999840 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-07-02 07:01 . 2009-03-15 11:36 25564 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-07-02 06:30 . 2009-03-26 12:32 -------- d-----w- c:\program files\Common Files\Real

2009-07-02 06:27 . 2009-03-03 15:25 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-02 06:23 . 2009-02-21 11:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-01 20:30 . 2009-02-13 13:56 34 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat

2009-07-01 17:55 . 2009-03-08 09:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-06-26 12:15 . 2009-06-26 12:15 -------- d-----w- c:\documents and settings\Naam\Application Data\URSoft

2009-06-24 09:56 . 2009-02-24 09:21 -------- d-----w- c:\program files\Utorrent

2009-06-23 16:46 . 2009-05-15 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\MessengerDiscovery 2

2009-06-13 11:07 . 2009-04-28 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-12 13:03 . 2009-02-13 13:19 78296 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-11 16:54 . 2009-02-17 16:52 -------- d-----w- c:\program files\Windows Desktop Search

2009-06-06 12:25 . 2009-03-08 09:30 -------- d-----w- c:\program files\CCleaner

2009-05-24 22:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll

2009-05-20 13:06 . 2009-03-15 11:37 94643 ----a-w- c:\windows\system32\drivers\klick.dat

2009-05-20 13:06 . 2009-03-15 11:37 105395 ----a-w- c:\windows\system32\drivers\klin.dat

2009-05-18 15:33 . 2008-01-29 16:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys

2009-05-18 15:33 . 2009-03-15 11:46 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys

2009-05-18 15:33 . 2009-03-15 11:46 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys

2009-05-15 16:28 . 2009-05-15 16:28 -------- d-----w- c:\program files\Maxis

2009-05-15 16:04 . 2009-05-15 16:04 -------- d-----w- c:\program files\MessengerDiscovery 2

2009-05-13 05:06 . 2002-12-31 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-12 14:39 . 2009-03-14 13:23 -------- d-----w- c:\program files\MessengerDiscovery

2009-05-12 13:12 . 2009-02-13 14:32 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2009-05-12 13:09 . 2009-05-09 10:28 -------- d-----w- c:\program files\Privacy Guardian

2009-05-10 12:09 . 2009-04-26 13:02 -------- d-----w- c:\program files\SopCast

2009-05-10 10:37 . 2009-05-10 09:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Download Manager

2009-05-07 15:34 . 2002-12-31 12:00 347136 ----a-w- c:\windows\system32\localspl.dll

2009-05-04 13:15 . 2009-05-04 13:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\MiniDm

2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr

2009-05-01 11:56 . 2009-05-01 11:56 39424 ----a-w- c:\windows\zipinst.exe

2009-05-01 11:06 . 2002-12-31 12:00 537198 ----a-w- c:\windows\system32\perfh013.dat

2009-05-01 11:06 . 2002-12-31 12:00 101340 ----a-w- c:\windows\system32\perfc013.dat

2009-04-19 19:51 . 2002-12-31 12:00 1847296 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:55 . 2002-12-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2009-04-05 16:41 . 2002-12-31 12:00 219136 ----a-w- c:\windows\system32\uxtheme(2).dll

2009-04-05 14:05 . 2009-04-05 14:04 47864 ----a-w- c:\documents and settings\School.GOT2BE-3B3BB2DE.001\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-04 13:44 . 2009-02-27 07:58 1878888 ----a-w- c:\program files\install_flash_player.exe

2009-04-04 13:00 . 2009-04-04 13:00 318904 ----a-w- c:\program files\wmpfirefoxplugin.exe

2009-04-04 12:59 . 2009-04-04 12:59 2028 ----a-w- c:\program files\Adobe Downloads wordt hervat.lnk

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartupFaster"="c:\program files\Startup Faster\startuploader.exe" [2008-09-07 1402080]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-03-15 206088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Utorrent\\utorrent.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=

"c:\\Program Files\\Utorrent\\VLC\\vlc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Rockstar Games\\Grand Theft Auto Vice City\\lcmp-svr.exe"=

"c:\\Program Files\\Rockstar Games\\Midnight Club II Demo\\mc2_demo.exe"=

"c:\\Program Files\\IEPro\\MiniDM.exe"=

"c:\\Program Files\\Counter-Strike 1.6\\hlds.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29-1-2008 18:29 33808]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [15-3-2009 14:07 210216]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13-3-2008 19:02 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30-4-2008 18:06 24592]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [4-4-2009 14:59 33176]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Inhoud van de 'Gedeelde Taken' map

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1425521274-839522115-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-13 10:15]

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1425521274-839522115-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-13 10:15]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://google.nl/

uInternet Settings,ProxyOverride = *.local

IE: &Block This Image (ABP)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Toevoegen aan de Banner Ad Blokker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1xxqwj5g.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (nl)

FF - prefs.js: browser.startup.homepage - Google

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-07-02 09:04

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1425521274-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,df,50,98,31,4f,5b,4a,91,17,45,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,df,50,98,31,4f,5b,4a,91,17,45,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(1764)

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\searchindexer.exe

c:\program files\Java\jre6\bin\jusched.exe

c:\program files\Startup Faster\SFAgent.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Voltooingstijd: 2009-07-02 9:09 - machine werd herstart

ComboFix-quarantined-files.txt 2009-07-02 07:09

ComboFix2.txt 2009-05-14 05:23

Pre-Run: 13.723.881.472 bytes beschikbaar

Post-Run: 13.616.316.416 bytes beschikbaar

196 --- E O F --- 2009-06-24 12:27


Open a Notepad file.

Copy and paste the bold text below into it.

File::

c:\windows\system32\drivers\klick.dat

c:\windows\system32\drivers\klin.dat

Folder::

C:\found.002

C:\found.001

Driver::

klick

klin

Save this file on your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix restart. Reboot if you are asked to.

After the restart, post the contents of Combofix.txt in your next message together with a new HijackThis log.

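A CFScript like the one above deletes files and unloads drivers by name, so it is worth checking what a log already says about each Driver:: target before dragging the script onto ComboFix.exe. The following is an added example, not part of the thread or of ComboFix: it parses the CFScript sections (File::, Folder::, Driver::) and cross-checks every driver name against the "R0/R2/R3 name;description;path" service lines from the ComboFix log posted earlier (excerpt copied inline). Any driver the log does not list comes back as None, which is a cue to look it up before removing it.

```python
"""Parse a ComboFix CFScript and cross-check its Driver:: targets against the
service/driver lines of a ComboFix log.  Added example for this thread; it is
not ComboFix code and not from the original posts."""
import re

# The CFScript exactly as posted in the thread.
CFSCRIPT = """File::
c:\\windows\\system32\\drivers\\klick.dat
c:\\windows\\system32\\drivers\\klin.dat
Folder::
C:\\found.002
C:\\found.001
Driver::
klick
klin
"""

# Excerpt of the driver/service listing copied from the ComboFix log in the
# thread.  Line format: "<start type> <name>;<description>;<path> [date size]".
COMBOFIX_SERVICES = """R0 klbg;Kaspersky Lab Boot Guard Driver;c:\\windows\\system32\\drivers\\klbg.sys [29-1-2008 18:29 33808]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\\program files\\McAfee\\SiteAdvisor\\McSACore.exe [15-3-2009 14:07 210216]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\\windows\\system32\\drivers\\klfltdev.sys [13-3-2008 19:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\\windows\\system32\\drivers\\klim5.sys [30-4-2008 18:06 24592]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Start type (R0..S3), name, description, path; the trailing "[date size]" is dropped.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[.*\])?$")


def parse_cfscript(text):
    """Return {section: [entries]}; a section is a line ending in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def parse_services(log_text):
    """Map lower-cased service/driver name -> (start type, description, path)."""
    services = {}
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            start, name, desc, path = m.groups()
            services[name.strip().lower()] = (start, desc.strip(), path.strip())
    return services


def review_drivers(cfscript_text, log_text):
    """For each Driver:: target, return what the log knows about it (None if unlisted)."""
    script = parse_cfscript(cfscript_text)
    services = parse_services(log_text)
    return {name: services.get(name.lower()) for name in script.get("Driver", [])}


if __name__ == "__main__":
    for name, info in review_drivers(CFSCRIPT, COMBOFIX_SERVICES).items():
        print(name, "->", info if info else "not in the ComboFix service list; look it up first")
```

With the thread's own CFScript both klick and klin come back as None, while a name such as klbg would resolve to "Kaspersky Lab Boot Guard Driver" and its .sys path.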

ComboFix 09-07-01.01 - Administrator 02-07-2009 9:50.10 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.503.179 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Administrator\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Administrator\Bureaublad\CFScript.txt

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::

"c:\windows\system32\drivers\klick.dat"

"c:\windows\system32\drivers\klin.dat"

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\found.001

c:\found.001\file0000.chk

C:\found.002

c:\found.002\dir0000.chk\Desktop.ini

c:\found.002\dir0000.chk\naamloos.lnk

c:\windows\system32\drivers\klick.dat . . . . konden niet verwijderd worden

c:\windows\system32\drivers\klin.dat . . . . konden niet verwijderd worden

.

(((((((((((((((((((( Bestanden Gemaakt van 2009-06-02 to 2009-07-02 ))))))))))))))))))))))))))))))

.

2009-07-02 07:56 . 2009-07-02 07:56 94643 ------w- c:\windows\system32\drivers\klick.dat

2009-07-02 07:56 . 2009-07-02 07:56 105395 ------w- c:\windows\system32\drivers\klin.dat

2009-07-02 06:34 . 2009-07-02 07:35 -------- d--h--r- c:\documents and settings\Administrator\Onlangs geopend

2009-06-27 09:53 . 2009-06-27 09:53 -------- d-----w- c:\documents and settings\Administrator\.jagex_cache_32

2009-06-27 08:03 . 2009-06-27 08:03 -------- d-----w- C:\.jagex_cache_32

2009-06-26 12:40 . 2009-06-26 12:40 34 ----a-w- c:\documents and settings\Naam\jagex_runescape_preferences.dat

2009-06-26 12:14 . 2009-02-13 08:13 -------- d--h--w- c:\documents and settings\Naam\Netwerkprinteromgeving

2009-06-26 12:14 . 2009-02-13 08:13 -------- d-----r- c:\documents and settings\Naam\Menu Start

2009-06-26 12:14 . 2009-02-13 07:17 -------- d--h--w- c:\documents and settings\Naam\Sjablonen

2009-06-24 11:08 . 2009-06-24 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SwiftKit

2009-06-24 11:08 . 2009-06-27 08:43 -------- d-----w- c:\program files\SwiftKit

2009-06-13 17:53 . 2009-06-13 17:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss

2009-06-11 15:32 . 2009-04-30 21:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-06-11 15:32 . 2009-04-30 21:17 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-02 07:59 . 2009-02-28 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-02 07:58 . 2009-02-14 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-07-02 07:55 . 2009-03-15 11:36 679968 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-07-02 07:55 . 2009-03-15 11:36 4452 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-07-02 07:55 . 2009-03-15 11:36 2999840 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-07-02 07:55 . 2009-03-15 11:36 25564 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-07-02 06:30 . 2009-03-26 12:32 -------- d-----w- c:\program files\Common Files\Real

2009-07-02 06:27 . 2009-03-03 15:25 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-02 06:23 . 2009-02-21 11:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-07-01 20:30 . 2009-02-13 13:56 34 ----a-w- c:\documents and settings\Administrator\jagex_runescape_preferences.dat

2009-07-01 17:55 . 2009-03-08 09:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-06-26 12:15 . 2009-06-26 12:15 -------- d-----w- c:\documents and settings\Naam\Application Data\URSoft

2009-06-24 09:56 . 2009-02-24 09:21 -------- d-----w- c:\program files\Utorrent

2009-06-23 16:46 . 2009-05-15 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\MessengerDiscovery 2

2009-06-13 11:07 . 2009-04-28 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-12 13:03 . 2009-02-13 13:19 78296 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-11 16:54 . 2009-02-17 16:52 -------- d-----w- c:\program files\Windows Desktop Search

2009-06-06 12:25 . 2009-03-08 09:30 -------- d-----w- c:\program files\CCleaner

2009-05-24 22:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll

2009-05-18 15:33 . 2008-01-29 16:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys

2009-05-18 15:33 . 2009-03-15 11:46 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys

2009-05-18 15:33 . 2009-03-15 11:46 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys

2009-05-15 16:28 . 2009-05-15 16:28 -------- d-----w- c:\program files\Maxis

2009-05-15 16:04 . 2009-05-15 16:04 -------- d-----w- c:\program files\MessengerDiscovery 2

2009-05-13 05:06 . 2002-12-31 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-12 14:39 . 2009-03-14 13:23 -------- d-----w- c:\program files\MessengerDiscovery

2009-05-12 13:12 . 2009-02-13 14:32 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2009-05-12 13:09 . 2009-05-09 10:28 -------- d-----w- c:\program files\Privacy Guardian

2009-05-10 12:09 . 2009-04-26 13:02 -------- d-----w- c:\program files\SopCast

2009-05-10 10:37 . 2009-05-10 09:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Download Manager

2009-05-07 15:34 . 2002-12-31 12:00 347136 ----a-w- c:\windows\system32\localspl.dll

2009-05-04 13:15 . 2009-05-04 13:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\MiniDm

2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr

2009-05-01 11:56 . 2009-05-01 11:56 39424 ----a-w- c:\windows\zipinst.exe

2009-05-01 11:06 . 2002-12-31 12:00 537198 ----a-w- c:\windows\system32\perfh013.dat

2009-05-01 11:06 . 2002-12-31 12:00 101340 ----a-w- c:\windows\system32\perfc013.dat

2009-04-19 19:51 . 2002-12-31 12:00 1847296 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:55 . 2002-12-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2009-04-05 16:41 . 2002-12-31 12:00 219136 ----a-w- c:\windows\system32\uxtheme(2).dll

2009-04-05 14:05 . 2009-04-05 14:04 47864 ----a-w- c:\documents and settings\School.GOT2BE-3B3BB2DE.001\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-04 13:44 . 2009-02-27 07:58 1878888 ----a-w- c:\program files\install_flash_player.exe

2009-04-04 13:00 . 2009-04-04 13:00 318904 ----a-w- c:\program files\wmpfirefoxplugin.exe

2009-04-04 12:59 . 2009-04-04 12:59 2028 ----a-w- c:\program files\Adobe Downloads wordt hervat.lnk

.

((((((((((((((((((((((((((((( SnapShot@2009-07-02_07.04.01 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-02 07:56 . 2009-07-02 07:56 16384 c:\windows\Temp\Perflib_Perfdata_198.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartupFaster"="c:\program files\Startup Faster\startuploader.exe" [2008-09-07 1402080]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-03-15 206088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Utorrent\\utorrent.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=

"c:\\Program Files\\Utorrent\\VLC\\vlc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Rockstar Games\\Grand Theft Auto Vice City\\lcmp-svr.exe"=

"c:\\Program Files\\Rockstar Games\\Midnight Club II Demo\\mc2_demo.exe"=

"c:\\Program Files\\IEPro\\MiniDM.exe"=

"c:\\Program Files\\Counter-Strike 1.6\\hlds.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29-1-2008 18:29 33808]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [15-3-2009 14:07 210216]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13-3-2008 19:02 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30-4-2008 18:06 24592]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [4-4-2009 14:59 33176]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Inhoud van de 'Gedeelde Taken' map

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://google.nl/

uInternet Settings,ProxyOverride = *.local

IE: &Block This Image (ABP)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Toevoegen aan de Banner Ad Blokker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1xxqwj5g.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (nl)

FF - prefs.js: browser.startup.homepage - Google

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-07-02 09:57

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1425521274-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,df,50,98,31,4f,5b,4a,91,17,45,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,df,50,98,31,4f,5b,4a,91,17,45,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(2932)

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\searchindexer.exe

c:\program files\Java\jre6\bin\jusched.exe

c:\program files\Startup Faster\SFAgent.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Voltooingstijd: 2009-07-02 10:06 - machine werd herstart

ComboFix-quarantined-files.txt 2009-07-02 08:06

ComboFix2.txt 2009-07-02 07:09

ComboFix3.txt 2009-05-14 05:23

Pre-Run: 13.607.333.888 bytes beschikbaar

Post-Run: 13.595.279.360 bytes beschikbaar

204 --- E O F --- 2009-06-24 12:27

---------- Post added at 08:11 ---------- Previous post was at 08:09 ----------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:07:30, on 2-7-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Startup Faster\sfAgent.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [startupFaster] "C:\Program Files\Startup Faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: StartupFaster

O4 - Global Startup: StartupFaster

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Toevoegen aan de Banner Ad Blokker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: Statistieken bescherming internetverkeer - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234729934546

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5560/mcfscan.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 7800 bytes


One more thing:

Open a Notepad file.

Copy and paste the bold text below into it.

Rootkit::

c:\windows\system32\drivers\klick.dat

c:\windows\system32\drivers\klin.dat

Save this file on your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe.

This will make ComboFix restart. Reboot if you are asked to. Then post the new ComboFix log.
