
[SOLVED] SystemSecurity virus, safe mode unreachable



Hello,

Since about an hour ago I also have this virus on my laptop. I've already searched around on the internet, including this forum, and have read several approaches.

The problem, however, is: all of these methods go through safe mode.. and I can't get into it..

I have an MSI Wind laptop, and when I turn it on, I can only press F3 to reset the whole laptop or something.. I don't want to touch that yet, so I tried F8, but the only result is that it hangs on the black screen, before the Windows screen, where F3 is shown.. When I release F8, Windows boots..

Once in Windows, SystemSecurity closes everything; I can't start anything, so 'Run' and editing boot.ini don't work either.

Even when I've found boot.ini on my drive, I can't open it, because Notepad doesn't work.

I hope someone here can help me.. :s


Try whether you can download the little tools offered in the other topics (HiJackThis, Malwarebytes, Combofix) onto a USB stick via another PC ... and then start the programs on the infected PC from that stick?


Ah cool, I get into a little menu via F11. I'm now in safe mode and have those 3 little programs on a stick. I'll get going with it :)

---------- Post added at 20:01 ---------- Previous post was at 19:56 ----------

This is my HijackThis log:

Scan saved at 21:57:48, on 20-7-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com.tw

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msi.com.tw

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe

O4 - HKLM\..\Run: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [12457184] C:\Documents and Settings\All Users\Application Data\12457184\12457184.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Bluetooth Manager.lnk = ?

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.msi.com.tw

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{443BF7F4-DBCB-486F-A486-91E162D5D912}: NameServer = 62.177.144.11,82.204.127.40

O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--

End of file - 5075 bytes

Can you see whether there are bad things in it, Kape??

Thanks in advance!


Can you see whether there are bad things in it, Kape??

Thanks in advance!

Definitely bad stuff in the log :s

Start HijackThis. If you are a Vista user, choose "Run as administrator". Select "Do a system scan only". Select only the items listed below:

O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [12457184] C:\Documents and Settings\All Users\Application Data\12457184\12457184.exe

Click 'Fix checked' to remove the items.

Then, as the next step, try Malwarebytes first!

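Reviewing a HijackThis log by hand, as Kape does above, comes down to a handful of checks: a BHO (O2) with "(no file)" behind it is an orphaned registration, a BHO whose CLSID you cannot account for needs looking up, an O4 autostart whose target lives in a digits-only folder under the shared Application Data directory is the classic rogue-AV drop location, and an O17 name-server override is always worth a manual look (it is listed for review here, not flagged as malicious, since the helper did not flag it either). The script below is an added example, not part of the thread and not a HijackThis feature; the allowlist of BHO CLSIDs, the category names and the two sample logs (subsets of the lines posted above) are constructed for the example. It also diffs a before/after log so you can see exactly what a cleanup removed.

```python
"""Triage helper for HijackThis logs (added example, constructed for this thread)."""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O2", "O4", "O17"
    text: str     # the full log line


# Every HijackThis entry starts with a section code followed by " - ".
HJT_LINE = re.compile(r"^(R\d|F\d|O\d+) - ")

# Analyst-maintained allowlist of BHO CLSIDs, seeded here (constructed for the
# example) with the four entries the helper left alone: Adobe, Windows Live
# and the two Java helpers.
KNOWN_GOOD_BHO = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}",
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}",
    "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}",
}

CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Run entry whose target sits in a digits-only folder under Application Data,
# like the [12457184] entry in the thread, is a classic rogue-AV drop location.
NUMERIC_APPDATA = re.compile(r"\\Application Data\\\d+\\[^\\]+\.exe", re.IGNORECASE)


def parse_hjt(log):
    """Return the entry lines of a log; the header and running-process list are skipped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append(Entry(m.group(1), line))
    return entries


def triage(entries):
    """Return (category, line) pairs for entries that deserve attention."""
    findings = []
    for e in entries:
        if e.section == "O2":
            if e.text.endswith("(no file)"):
                findings.append(("orphaned-bho", e.text))
            else:
                m = CLSID.search(e.text)
                if m is None or m.group(0).upper() not in KNOWN_GOOD_BHO:
                    findings.append(("unknown-bho", e.text))
        elif e.section == "O4" and NUMERIC_APPDATA.search(e.text):
            findings.append(("numeric-appdata-autorun", e.text))
        elif e.section == "O17":
            findings.append(("dns-override-review", e.text))
    return findings


def removed_entries(before, after):
    """Entries present in the first log but gone from the second."""
    after_lines = {e.text for e in after}
    return [e.text for e in before if e.text not in after_lines]


# Constructed samples: a subset of lines copied from the two logs in the thread.
BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [12457184] C:\Documents and Settings\All Users\Application Data\12457184\12457184.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{443BF7F4-DBCB-486F-A486-91E162D5D912}: NameServer = 62.177.144.11,82.204.127.40
"""
AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{443BF7F4-DBCB-486F-A486-91E162D5D912}: NameServer = 62.177.144.11,82.204.127.40
"""

if __name__ == "__main__":
    for category, line in triage(parse_hjt(BEFORE_LOG)):
        print(f"{category:24} {line}")
    print("--- removed by cleanup ---")
    for line in removed_entries(parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)):
        print(line)
```

Run against the sample, the four findings are exactly the three entries Kape told the poster to fix plus the O17 line for review; ALCMTR.EXE is not caught by any of these heuristics, which is why a bare-filename autostart still needs a human to decide (as happens later in the thread). The CLSID allowlist is the part that needs maintaining: the heuristics catch drop-location patterns, but an unfamiliar BHO is only as suspicious as your inability to account for it.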

Removed the HijackThis items with it, then fortunately I could boot normally again, after that I ran Malwarebytes over it and removed about 10 'fake trojans' or something.

Then installed Combofix, turned off Nod32, and then I got a notification of 'rootkit activity'. I had to write some things down (.dll and .dat in system32), it had to reboot, and this is the result from Combofix:

ComboFix 09-07-20.01 - Marien 20-07-2009 23:05.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.1013.731 [GMT 2:00]

Gestart vanuit: I:\ComboFix.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Aanwezig AV is actief

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\ALLUSE~1\APPLIC~1\12457184

c:\docume~1\ALLUSE~1\APPLIC~1\12457184\12457184

c:\docume~1\ALLUSE~1\APPLIC~1\12457184\12457184.exe

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\Installer\2440e.msp

c:\windows\Installer\3017d1.msi

c:\windows\system32\drivers\geyekrrgrxdorg.sys

c:\windows\system32\geyekriltbbrox.dll

c:\windows\system32\geyekrjxcevrwo.dat

c:\windows\system32\geyekrrsqtqwuh.dll

c:\windows\system32\geyekrsvpxuwqi.dat

----- BITS: Mogelijk geïnfecteerde sites -----

hxxp://binuser.fileave.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_geyekrtfubqakl

(((((((((((((((((((( Bestanden Gemaakt van 2009-06-20 to 2009-07-20 ))))))))))))))))))))))))))))))

.

2009-07-20 20:49 . 2009-07-20 20:49 -------- d-sh--w- c:\documents and settings\Marien\Onlangs geopend

2009-07-20 20:26 . 2009-07-20 20:26 -------- d-----w- c:\documents and settings\Marien\Application Data\Malwarebytes

2009-07-20 20:12 . 2009-07-20 20:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-20 20:11 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-20 20:11 . 2009-07-20 20:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-20 20:11 . 2009-07-20 20:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes

2009-07-20 20:11 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-20 19:57 . 2009-07-20 19:57 -------- d-----w- c:\program files\Trend Micro

2009-07-20 18:12 . 2009-07-20 18:13 8192 ----a-w- C:\qlhbde.exe

2009-07-20 18:10 . 2009-07-20 18:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2009-07-20 17:35 . 2009-07-20 17:35 -------- d-----w- c:\program files\Elaborate Bytes

2009-07-20 17:30 . 2009-07-20 17:30 -------- d-----w- c:\documents and settings\Marien\Application Data\ArcSoft

2009-07-20 17:12 . 2009-07-20 17:46 -------- d-----w- c:\windows\ehome

2009-07-20 17:09 . 2009-07-20 17:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ArcSoft

2009-07-20 17:09 . 2009-07-20 17:45 -------- d-----w- c:\program files\ArcSoft

2009-07-20 17:08 . 2009-07-20 17:08 -------- d-----w- c:\windows\Downloaded Installations

2009-07-20 16:47 . 2009-07-20 16:47 -------- d-----w- c:\documents and settings\Marien\Local Settings\Application Data\Cyberlink

2009-07-20 16:45 . 2009-07-20 16:45 -------- d-----w- c:\program files\Common Files\CyberLink

2009-07-20 16:42 . 2009-07-20 16:41 29480 ----a-w- c:\windows\system32\msxml3a.dll

2009-07-20 16:42 . 2009-07-20 16:41 353576 ----a-w- c:\windows\system32\msvcr71.dll

2009-07-20 16:41 . 2009-07-20 16:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Temp

2009-07-20 16:26 . 2009-07-20 16:26 -------- d-----w- c:\documents and settings\Marien\Application Data\dvdcss

2009-07-06 12:54 . 2008-03-21 11:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll

2009-07-06 10:37 . 2009-07-06 10:36 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys

2009-07-06 10:37 . 2009-07-06 10:36 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys

2009-07-06 10:37 . 2009-07-06 10:36 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll

2009-07-06 10:33 . 2009-07-06 10:33 -------- d-----w- c:\program files\Sony Ericsson

2009-06-22 20:44 . 2009-06-23 15:49 -------- d-----w- c:\documents and settings\Marien\Local Settings\Application Data\ApplicationHistory

2009-06-22 20:44 . 2009-06-22 20:44 129 ----a-w- c:\documents and settings\Marien\Local Settings\Application Data\fusioncache.dat

2009-06-22 20:38 . 2009-06-22 20:38 -------- d-----w- c:\program files\Common Files\SpellEx

2009-06-22 20:38 . 2004-02-04 08:27 49536 ----a-w- c:\windows\system32\drivers\tiehdusb.sys

2009-06-22 20:38 . 2004-01-28 13:03 21456 ----a-w- c:\windows\system32\drivers\SilvrLnk.sys

2009-06-22 20:37 . 2009-06-22 20:37 -------- d-----w- c:\program files\Common Files\TI Shared

2009-06-22 20:37 . 2009-06-22 20:38 -------- d-----w- c:\program files\TI Education

2009-06-22 20:34 . 2009-06-22 20:34 -------- d-----w- c:\windows\system32\URTTEMP

2009-06-22 20:30 . 2009-06-22 20:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-20 18:11 . 2008-08-26 11:01 -------- d-----w- c:\program files\Common Files\InstallShield

2009-07-20 17:45 . 2008-08-26 11:01 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-20 16:47 . 2008-10-24 20:21 -------- d-----w- c:\documents and settings\Marien\Application Data\CyberLink

2009-07-20 16:47 . 2008-10-24 19:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\CyberLink

2009-07-20 16:41 . 2007-12-12 14:41 505128 ----a-w- c:\windows\system32\msvcp71.dll

2009-07-20 15:01 . 2008-10-20 18:45 -------- d-----w- c:\documents and settings\Marien\Application Data\GrabIt

2009-07-06 12:54 . 2009-07-06 12:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf

2009-07-06 12:54 . 2009-07-06 12:54 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

2009-06-23 09:11 . 2008-08-26 15:25 82680 ----a-w- c:\windows\system32\perfc013.dat

2009-06-23 09:11 . 2008-08-26 15:25 468780 ----a-w- c:\windows\system32\perfh013.dat

2009-06-22 20:41 . 2008-10-20 15:39 71912 ----a-w- c:\documents and settings\Marien\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-17 17:20 . 2009-06-16 21:43 -------- d-----w- c:\program files\Pinnacle

2009-06-16 21:40 . 2009-06-16 21:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Pinnacle

2009-06-16 14:40 . 2008-08-26 15:25 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:40 . 2008-08-26 15:25 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 21:02 . 2009-02-20 16:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\pdf995

2009-06-03 21:02 . 2009-02-20 16:10 59 ----a-w- c:\windows\wpd99.drv

2009-06-03 19:11 . 2008-08-26 15:25 1295360 ----a-w- c:\windows\system32\quartz.dll

2009-06-03 17:08 . 2009-06-03 17:07 -------- d-----w- c:\program files\iTunes

2009-06-03 17:08 . 2009-06-03 17:07 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-03 17:07 . 2009-06-03 17:07 -------- d-----w- c:\program files\iPod

2009-06-03 17:07 . 2008-10-20 18:52 -------- d-----w- c:\program files\Common Files\Apple

2009-06-03 17:03 . 2009-06-03 17:02 -------- d-----w- c:\program files\QuickTime

2009-06-01 11:42 . 2009-06-01 11:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Advanced Chemistry Development

2009-06-01 11:42 . 2009-06-01 11:40 -------- d-----w- c:\documents and settings\Marien\Application Data\Advanced Chemistry Development

2009-06-01 11:42 . 2009-06-01 11:41 -------- d-----w- c:\program files\ACDFREE12

2009-05-25 12:16 . 2009-05-25 12:16 134312 ----a-w- c:\windows\system32\ElbyVCD.dll

2009-05-25 12:01 . 2009-05-25 12:01 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll

2009-05-22 23:08 . 2009-05-22 23:08 29696 ----a-w- c:\windows\system32\drivers\VClone.sys

2009-05-22 18:32 . 2009-03-20 18:12 73728 ----a-w- c:\windows\system32\MMCEDT3.exe

2009-05-22 13:49 . 2009-02-19 12:22 91392 ----a-w- c:\windows\system32\drivers\ArcHlp.sys

2009-05-15 18:19 . 2008-10-21 14:47 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-05-07 15:34 . 2008-08-26 15:25 347136 ----a-w- c:\windows\system32\localspl.dll

2009-04-29 04:46 . 2008-08-26 15:25 669696 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:46 . 2008-08-26 15:25 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-06-14 21:22 . 2008-10-20 16:36 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

------- Sigcheck -------

[-] 2008-04-15 12:00 979456 0667A612D847BD87667F3CB1FC4C0D6C c:\windows\explorer.exe

[-] 2008-04-15 12:00 979456 0667A612D847BD87667F3CB1FC4C0D6C c:\windows\system32\dllcache\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]

"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-07-29 684032]

"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-08 16862208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\Marien\Menu Start\Programma's\Opstarten\

RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-19 630784]

c:\docume~1\ALLUSE~1\MENUST~1\PROGRA~1\OPSTAR~1\

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [19-2-2009 14:22 91392]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [13-3-2008 17:52 33800]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [13-3-2008 17:49 472320]

R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [26-8-2008 13:13 159744]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [26-8-2008 13:07 156160]

R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [20-10-2008 23:29 625792]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [6-7-2009 12:37 13224]

S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [22-10-2008 15:49 13225]

S3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [26-8-2008 13:09 306176]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.msi.com.tw

uInternet Settings,ProxyOverride = *.local

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {443BF7F4-DBCB-486F-A486-91E162D5D912} = 62.177.144.11,82.204.127.40

FF - ProfilePath - c:\docume~1\Marien\APPLIC~1\Mozilla\Firefox\Profiles\qibidabu.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.symbaloo.com/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-07-20 23:10

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,d1,a2,f2,c4,6f,

36,85,be,c8,28,51,af,b0,29,a3,98,f0,52,69,8c,a1,ea,47,9e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,2a,f4,f0,22,12,

e5,fa,94,71,3b,04,66,8b,46,0d,96,39,f6,8a,65,f1,ca,63,81,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,2a,57,b6,f0,6d,

ba,89,f0,25,da,ec,7e,55,20,c9,26,1f,1f,6a,0f,1d,24,b4,39,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,76,c7,43,6c,44,

54,9a,ba,3e,1e,9e,e0,57,5a,93,61,99,ad,bb,e1,6e,4a,37,f3,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,68,48,1d,34,cf,

c7,1a,85,cd,44,cd,b9,a6,33,6c,cd,a0,fd,25,bc,5d,f0,91,a2,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,e7,3a,cb,db,7a,

89,2d,94,b0,18,ed,a7,3f,8d,37,a4,49,2c,16,8d,34,54,e0,7b,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,dd,4c,06,e0,9e,

93,0e,8d,31,77,e1,ba,b1,f8,68,02,c7,5e,20,33,4c,ad,1d,27,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,2c,a5,55,54,48,

8b,bd,0f,83,6c,56,8b,a0,85,96,ab,d9,ab,92,fd,03,45,f3,c3,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,26,a1,45,8a,ed,

59,6e,fb,51,fa,6e,91,28,9e,14,cc,17,ad,2e,e1,ba,98,d0,a4,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,d2,06,f7,1e,52,

8b,f3,c4,b1,cd,45,5a,a8,c4,f8,b9,07,31,a3,36,38,e9,83,8a,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,35,54,28,f3,1f,

3c,5f,06,e3,0e,66,d5,eb,bc,2f,6b,24,bd,88,b9,4b,24,01,0d,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,54,c7,7d,62,1b,

d3,1d,9e,fa,ea,66,7f,d4,3b,6b,70,e9,c2,00,8c,69,73,f0,63,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

Voltooingstijd: 2009-07-20 23:11

ComboFix-quarantined-files.txt 2009-07-20 21:11

Pre-Run: 24.458.145.792 bytes beschikbaar

Post-Run: 24.504.045.568 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

250 --- E O F --- 2009-07-16 14:48

After that, HijackThis once more:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:15:14, on 20-7-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\System Control Manager\MSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\System Control Manager\MGSysCtrl.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com.tw

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe

O4 - HKLM\..\Run: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.msi.com.tw

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{443BF7F4-DBCB-486F-A486-91E162D5D912}: NameServer = 62.177.144.11,82.204.127.40

O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--

End of file - 6406 bytes

Does this look better already??

Everything else works, the (desktop) settings are a bit messed up, but fortunately everything works again :D


O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Agics - What is ALCMTR.EXE (Realtek Event Monitor) and what does it do?

Remove it anyway??

The fact is that you don't delete ALCMTR.EXE, you only take it out of the startup. This Realtek component sends information back to the makers of the program = a benign form of spyware ... but spyware nonetheless :s

Have a look HERE.

And as for the rest: this looks even fantastically good ... for right after such a problem :-)

Delete the following file (in bold) with Windows Explorer:

C:\qlhbde.exe

and then we can clean up the remnants of the infection.

Remove Combofix: Start -> Run and type: combofix /u

This will remove Combofix plus its related folders and files, restore the clock settings, hide file extensions again, hide hidden files and system files again, and create a new restore point.

Delete the following folder (in bold) with Windows Explorer:

C:\Qoobox (if still present).

Download CCleaner.

Install it and start CCleaner. In the left column click "Cleaner". Click "Analyze" and then "Run Cleaner". Sometimes one analysis is not enough; you may repeat this procedure until the analysis reports no more errors. Then click "Registry" in the left column and click "Scan for Issues". If errors are found, click "Fix selected issues" and "OK". You will then be asked to make a backup; click "YES". Then choose "Fix all selected issues". Close CCleaner afterwards.

It is advisable to delete the existing restore points (there are infected restore points among them that you could otherwise restore) by temporarily disabling System Restore. Do this via Start -> Control Panel -> System -> System Restore -> tick "Turn off System Restore on all drives". Apply and OK. Restart the PC and untick the box again.

That's it !
