[OPGELOST] explorer.exe aangetast en taakbeheer uitegeschakeld.

Gisteren had ik een of ander bestand gedownload en dat bleek een virus te zijn.

Ik kon taakbeheer niet meer openen (wat ik inmiddels al heb kunnen oplossen met een register edit).

En explorer.exe viel altijd uit en aan, de pc was onhandelbaar maar dat heb ik inmiddels ook kunnen verhelpen door een kopie te nemen van explorer.exe en dat te hernoemen naar explorerer.exe en ipv van explorer.exe te laten opstarten heb ik explorerer.exe laten opstarten (ook dmv een register edit)

maar nu zit ik nog altijd met die spyware/malware/virus op mijn pc.

Ik heb ook al combofix en hijackthis en vundofix laten lopen maar vundofix heeft niks gevonden.

ComboFix 08-04-18.3 - Tibbout 2008-04-20 9:06:44.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.104 [GMT 2:00]

Gestart vanuit: C:\Documents and Settings\Tibbout\Bureaublad\ComboFix.exe

Command switches used :: C:\Documents and Settings\Tibbout\Bureaublad\WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe

* Nieuw herstelpunt werd aangemaakt

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\AyJQAcfe.ini

C:\WINDOWS\system32\AyJQAcfe.ini2

C:\WINDOWS\system32\efcAQJyA.dll

C:\WINDOWS\system32\iifdaYOg.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NWSAPAGENT

-------\Service_NwSapAgent

(((((((((((((((((((( Bestanden Gemaakt van 2008-03-20 to 2008-04-20 ))))))))))))))))))))))))))))))

.

2008-04-20 08:53 . 2008-04-20 08:53 <DIR> d-------- C:\VundoFix Backups

2008-04-19 20:38 . 2008-04-19 20:38 <DIR> dr-h----- C:\Documents and Settings\Tibbout\Onlangs geopend

2008-04-19 20:26 . 2007-06-13 15:24 1,036,800 --a------ C:\WINDOWS\explorerer.exe

2008-04-19 20:24 . 2008-04-19 20:24 <DIR> dr-h----- C:\Documents and Settings\Cedric\Onlangs geopend

2008-04-19 19:54 . 2008-04-19 20:47 <DIR> dr-h----- C:\$VAULT$.AVG

2008-04-19 19:33 . 2008-04-19 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EarMaster

2008-04-18 18:37 . 2008-04-18 18:37 <DIR> d-------- C:\Documents and Settings\Cedric\Incomplete

2008-04-18 18:37 . 2008-04-18 18:42 <DIR> d-------- C:\Documents and Settings\Cedric\Application Data\FrostWire

2008-04-18 18:36 . 2008-04-18 18:36 <DIR> d-------- C:\Documents and Settings\Cedric\Application Data\Ipswitch

2008-04-13 14:37 . 2008-04-13 14:37 <DIR> d-------- C:\Documents and Settings\Gast\Application Data\Ipswitch

2008-04-10 17:33 . 2008-04-10 17:33 <DIR> d-------- C:\Restoration

2008-04-09 13:03 . 2008-04-09 13:07 <DIR> d-------- C:\Program Files\Uniblue

2008-04-09 13:03 . 2008-04-09 13:07 <DIR> d-------- C:\Documents and Settings\Tibbout\Application Data\Uniblue

2008-04-06 12:35 . 2008-04-06 12:52 <DIR> d-------- C:\Program Files\Poke

2008-04-01 19:08 . 2008-04-01 19:10 <DIR> d-------- C:\Documents and Settings\Tibbout\Application Data\CoreFTP

2008-04-01 19:07 . 2008-04-01 19:07 <DIR> d-------- C:\Program Files\CoreFTP

2008-04-01 17:27 . 2008-04-01 17:27 <DIR> d-------- C:\Documents and Settings\Tibbout\Application Data\Ipswitch

2008-04-01 17:26 . 2008-04-01 17:26 <DIR> d-------- C:\Program Files\Ipswitch

2008-04-01 17:26 . 2008-04-01 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch

2008-04-01 17:26 . 2005-02-28 12:37 606,293 --a------ C:\WINDOWS\system32\wbocx.ocx

2008-04-01 17:26 . 2005-02-28 12:37 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll

2008-04-01 17:25 . 2008-04-01 17:25 <DIR> d-------- C:\Documents and Settings\Tibbout\Application Data\InstallShield

2008-04-01 11:11 . 2008-04-01 11:11 <DIR> d-------- C:\Documents and Settings\Tibbout\Application Data\Malwarebytes

2008-04-01 11:11 . 2008-04-01 11:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-01 11:06 . 2008-04-01 11:06 <DIR> d-------- C:\Documents and Settings\Tibbout\Application Data\uk.co.planetside

2008-04-01 10:26 . 2008-04-01 10:26 <DIR> d-------- C:\Program Files\Terragen

2008-04-01 10:15 . 2008-04-01 10:30 <DIR> d-------- C:\Documents and Settings\Tibbout\Application Data\Dexpot

2008-04-01 10:00 . 2002-04-19 00:50 73,728 --a------ C:\WINDOWS\system32\GkSui18.EXE

2008-03-29 12:39 . 2008-03-29 12:39 <DIR> d-------- C:\Program Files\Rockstar Games

2008-03-22 23:21 . 2008-03-22 23:22 <DIR> d-------- C:\Program Files\InterActual

2008-03-22 22:08 . 2008-03-22 21:42 165,939 --a------ C:\screenshot2.jpg

2008-03-22 22:06 . 2008-03-22 21:23 187,902 --a------ C:\screenshot.jpg

2008-03-22 21:11 . 2008-04-09 14:22 <DIR> d-------- C:\Program Files\BPK

2008-03-22 10:07 . 2008-03-22 10:07 <DIR> d-------- C:\Documents and Settings\Cedric\Application Data\AdobeUM

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-20 06:39 --------- d-----w C:\Program Files\LogMeIn

2008-04-19 18:32 --------- d-----w C:\Documents and Settings\Tibbout\Application Data\AVG7

2008-04-14 17:04 --------- d-----w C:\Documents and Settings\Tibbout\Application Data\FrostWire

2008-04-11 17:45 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-09 16:16 --------- d-----w C:\Program Files\FrostWire

2008-04-09 11:46 --------- d-----w C:\Program Files\AvRack

2008-04-04 12:58 --------- d-----w C:\Program Files\Opera

2008-04-01 12:27 --------- d-----w C:\Program Files\Java

2008-03-15 13:29 --------- d-----w C:\Program Files\DAEMON Tools Lite

2008-03-15 13:17 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2008-03-15 13:15 --------- d-----w C:\Documents and Settings\Tibbout\Application Data\DAEMON Tools

2008-03-15 12:21 --------- d-----w C:\Program Files\2 Pic

2008-03-15 12:17 --------- d-----w C:\Documents and Settings\Tibbout\Application Data\VSRevoGroup

2008-03-14 20:45 --------- d-----w C:\Program Files\directx

2008-03-11 17:53 --------- d-----w C:\Program Files\Auslogics

2008-03-11 17:28 --------- d-----w C:\Program Files\IObit

2008-03-11 17:15 --------- d-----w C:\Program Files\VS Revo Group

2008-03-11 16:44 --------- d-----w C:\Program Files\YouTube Downloader

2008-03-11 16:40 --------- d-----w C:\Program Files\Telemeter 3.0

2008-03-11 16:40 --------- d-----w C:\Program Files\NCH Swift Sound

2008-03-11 16:40 --------- d-----w C:\Documents and Settings\Tibbout\Application Data\NCH Swift Sound

2008-03-11 16:39 --------- d-----w C:\Program Files\NCH Software

2008-03-11 16:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound

2008-03-11 16:38 --------- d-----w C:\Program Files\Octoshape Streaming Services

2008-03-07 20:53 --------- d-----w C:\Program Files\MessengerDiscovery 2

2008-03-03 17:39 --------- d-----w C:\Program Files\CCleaner

2008-03-03 09:05 --------- d-----w C:\Program Files\MSN Messenger

2008-03-02 17:23 --------- d-----w C:\Documents and Settings\Gast\Application Data\AVG7

2008-03-02 16:47 --------- d-----w C:\Documents and Settings\Cedric\Application Data\AVG7

2008-03-02 07:54 --------- d-----w C:\Documents and Settings\Tibbout\Application Data\Auslogics

2008-02-26 19:09 --------- d-----w C:\Program Files\Windows Live

2008-02-26 19:08 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller

2008-02-26 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller

2008-02-26 17:16 --------- d-----w C:\Program Files\Windows Live Safety Center

2008-02-25 20:13 --------- d-----w C:\Documents and Settings\Tibbout\Application Data\Easy Computing

2008-02-25 18:59 --------- d-----w C:\Program Files\Easy Computing

2008-02-22 18:02 --------- d-----w C:\Program Files\AviSynth 2.5

2008-02-21 18:25 --------- d-----w C:\Program Files\Common Files\Adobe

2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll

2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll

2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 16:58 579584]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-05 11:17 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"= 0 (0x0)

"NoMovingBands"= 0 (0x0)

"NoCloseDragDropBands"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microtek Scanner Finder.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microtek Scanner Finder.lnk

backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Utility Tray.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Utility Tray.lnk

backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

--a------ 2004-10-07 20:50 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoostSpeed]

--a------ 2008-01-19 16:39 1927168 C:\Program Files\Auslogics\AusLogics BoostSpeed\boostspeed.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

--a------ 2008-02-14 01:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisableMouse]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnableMouse]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HideWin]

C:\DOCUME~1\Tibbout\LOCALS~1\Temp\Tijdelijke map 3 voor hidewin.zip\hidewin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

--a------ 2004-08-04 06:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]

--a------ 2005-03-28 13:30 315392 C:\Program Files\Launch Manager\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

--a------ 2007-04-17 15:03 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--a------ 2005-03-09 19:59 49152 C:\Program Files\Arcade\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

--a------ 2004-08-04 06:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

--a------ 2004-08-04 06:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-01-04 20:40 98304 C:\WINDOWS\system32\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2005-02-23 12:13 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Telemeter 3.0]

C:\Program Files\Telemeter 3.0\telemeter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AVGEMS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 15:00]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 12:55]

R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 16:57]

R2 UxTuneUp;TuneUp Thema-uitbreiding;C:\WINDOWS\System32\svchost.exe [2004-08-04 06:00]

R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 02:43]

S3 int15.sys;int15.sys;C:\Program Files\acer\eRecovery\int15.sys [2005-01-13 15:46]

S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-15 22:18]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Inhoud van de 'Gedeelde Taken' map

"2008-04-04 17:20:40 C:\WINDOWS\Tasks\Easy Onderhoud.job"

- C:\Program Files\TuneUp Utilities 2008\OneClick.exe

"2008-04-09 11:03:54 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"

- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

"2008-04-09 11:03:50 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"

- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-20 09:14:51

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 364

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Acer\eManager\anbmServ.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\LogMeIn\x86\ramaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\UPHClean\uphclean.exe

C:\PROGRA~1\Grisoft\AVG7\avginet.exe

.

**************************************************************************

.

Voltooingstijd: 2008-04-20 9:25:27 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-20 07:25:08

Pre-Run: 14,572,998,656 bytes beschikbaar

Post-Run: 14,498,574,336 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=AllwaysOff

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

216 --- E O F --- 2008-04-12 16:51:31

Logfile of HijackThis v1.99.1

Scan saved at 9:34:00, on 20/04/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Acer\eManager\anbmServ.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Tibbout\Mijn documenten\software\anti-virus\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Windows Live Help

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKCU\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

Hoi Tibzie,

1. Open kladblok en kopieer en plak volgende vetgedrukte erin:

(vergeet REGEDIT4 niet te kopieren en plakken!)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=-

Sla dit op als fix.reg kies voor opslaan als *alle bestanden en plaats het op je bureaublad.

Dubbelklik erop.

Bij de vraag of je het wilt toevoegen aan het register, klik je op ja/ok.

2. Download Malwarebytes' Anti-Malware via hier of hier.

Dubbelklik mbam-setup.exe om het programma te installeren.

• Zorg ervoor dat er een vinkje geplaatst is voor Update Malwarebytes' Anti-Malware' en Start Malwarebytes' Anti-Malware' Klik daarna op Voltooien.
  
• Kies in het hoofdscherm voor de tab Scanner en selecteer het keuzerondje Snelle Scan.
  
• Druk op de knop Scan en zorg dat al je harde schijven/partities aangevinkt staan.
  
• Druk dan op de knop Start Scan.
  
• Het scannen kan een tijdje duren, dus wees geduldig.
  
• Wanneer de scan voltooid is, klik OK, daarna Bekijk Resultaten om de resultaten te zien.
  
• Zorg ervoor dat daar alles aangevinkt is daarna klik: Verwijder Selectie.
  
• Na het verwijderen zal een log openen en zal er gevraagd worden om de computer opnieuw op te starten. (Zie extra nota onderaan)
  
• De log wordt automatisch bewaard door MBAM die je kan zien door de 'Logs tab' te klikken in MBAM.
  
• Kopieer en plak de resultaten van de log in je volgend antwoord, samen met een nieuw HijackThislog.
  

Extra Nota:

Indien MBAM moeilijkheden heeft met het verwijderen van bepaalde bestanden zal het enkele meldingen geven waar je OK moet klikken. Daarna zal het vragen om de Computer opnieuw op te starten... dus sta toe dat MBAM de computer opnieuw opstart.

3. Download Deckard's System Scanner naar je Bureaublad.

• Sluit alle toepassingen en vensters.
  
• Dubbelklik op dss.exe om het te activeren, en volg de aanwijzingen.
  
• Wanneer de scan volledig is, zal een tekstbestand - main.txt - openen.
  
• Kopiëer (Ctrl+A gevolgd door Ctrl+C) en plak (Ctrl+V) de inhoud van main.txt in je volgende antwoord.
  

Opmerking: Sommige firewalls kunnen waarschuwen dat sigcheck.exe probeert verbinding te maken met het internet.

Zorg dat sigcheck.exe toestemming krijgt om dit te doen !

Tevens kan het gebeuren dat je Antivirus DSS als verdacht aangeeft, of zelfs probeert te verwijderen.

Laat je Antivirus dit niet verwijderen ! (In dit geval is het misschien beter om tijdens de scan van DSS je Antivirus even uit te schakelen)

Post de nodige logs.

Succes,

Xeno

Malwarebytes heeft geen infecties gevonden dus is het ook onnodig om de log te posten (ik heb de log nagekeken en er was niks geinfecteerd en niks gevonden)

DSS post:

Deckard's System Scanner v20071014.68

Run by Tibbout on 2008-04-20 17:46:38

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --

28: 2008-04-20 15:47:33 UTC - RP28 - Deckard's System Scanner Restore Point

27: 2008-04-20 07:03:20 UTC - RP27 - ComboFix created restore point

26: 2008-04-19 18:58:20 UTC - RP26 - Herstelbewerking

25: 2008-04-19 14:12:07 UTC - RP25 - Controlepunt van systeem

24: 2008-04-17 15:22:15 UTC - RP24 - Controlepunt van systeem

-- First Restore Point --

1: 2008-03-25 17:24:38 UTC - RP1 - Controlepunt van systeem

Backed up registry hives.

Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).

-- HijackThis (run as Tibbout.exe) ---------------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2008-04-20 17:48:39

Platform: Windows XP Service Pack 2 (5.01.2600)

MSIE: Internet Explorer (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Acer\eManager\anbmServ.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Grisoft\AVG7\avgamsvr.exe

C:\Program Files\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\LogMeIn\x86\ramaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\WISPTIS.EXE

C:\Documents and Settings\Tibbout\Application Data\Opera\Opera\profile\cache4\temporary_download\dss.exe

C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Windows Live Help

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKCU\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll

O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL

O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL

O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL

O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\system32\TuneUpDefragService.exe

--

End of file - 5159 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Tibbout\MIJNDO~1\software\ANTI-V~1\HIJACK~1\backups\) --------------------------------------------------------------------------------

backup-20080123-165535-830 O4 - HKLM\..\Run: [DShutdown] "C:\DOCUME~1\Tibbout\LOCALS~1\Temp\Tijdelijke map 1 voor dshutdown.zip\DShutdown\DShutdown.exe" /SAVEONEXIT /IP:LocalHost /Shutdown /IP:ACER-10129A827F /Shutdown /IP:DELL /Shutdown

backup-20080123-165535-976 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

backup-20080401-111038-651 O3 - Toolbar: (no name) - {FD621E34-BFCE-41D3-BF58-43FF97746AD7} - (no file)

backup-20080401-111038-862 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Internet Doorzoeken :: DAEMON-Search.com

backup-20080419-202159-114 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

backup-20080419-202159-156 O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

backup-20080419-202159-203 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

backup-20080419-202159-243 O4 - HKLM\..\Run: [LaunchApp] Alaunch

backup-20080419-202159-249 O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

backup-20080419-202159-292 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

backup-20080419-202159-316 O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

backup-20080419-202159-335 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

backup-20080419-202159-381 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://msnia.login.live.com/ppsecure/sha1auth.srf?lc=2067

backup-20080419-202159-398 O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

backup-20080419-202159-418 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com

backup-20080419-202159-466 O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

backup-20080419-202159-478 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

backup-20080419-202159-580 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

backup-20080419-202159-673 O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

backup-20080419-202159-726 O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

backup-20080419-202200-151 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

backup-20080419-202200-730 O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

backup-20080419-202201-255 O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

backup-20080419-202201-603 O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

backup-20080419-202201-806 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

backup-20080419-202202-162 O11 - Options group: [iNTERNATIONAL] International*

backup-20080419-202202-502 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

backup-20080419-202202-608 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

backup-20080419-202202-810 O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

backup-20080419-202203-283 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-BE/a-UNO1/GAME_UNO1.cab

backup-20080419-202204-696 O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

backup-20080419-202204-762 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

backup-20080419-202205-338 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

backup-20080419-202205-428 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

backup-20080419-202205-841 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

backup-20080419-204841-162 O2 - BHO: (no name) - {02540E51-1317-4A95-879D-DFA674857201} - C:\WINDOWS\system32\efcAQJyA.dll

backup-20080419-204842-209 O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - C:\WINDOWS\system32\iifdaYOg.dll

backup-20080419-204843-250 O20 - Winlogon Notify: iifdaYOg - C:\WINDOWS\SYSTEM32\iifdaYOg.dll

backup-20080419-204847-167 O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 UBHelper - c:\windows\system32\drivers\ubhelper.sys

R2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows ® 2000 DDK provider; OSA int15 Driver>

R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S3 int15.sys - c:\program files\acer\erecovery\int15.sys

S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 anbmService (Notebook Manager Service) - c:\acer\emanager\anbmserv.exe <Not Verified; OSA Technologies Inc.; Acer eManager for Notebook>

R2 UPHClean (User Profile Hive Cleanup) - c:\program files\uphclean\uphclean.exe <Not Verified; Microsoft Corporation; User Profile Hive Cleanup Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-04-09 13:03:54 274 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job

2008-04-09 13:03:50 396 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job

2008-04-04 19:20:40 398 --a------ C:\WINDOWS\Tasks\Easy Onderhoud.job

-- Files created between 2008-03-20 and 2008-04-20 -----------------------------

2008-04-20 12:44:49 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-04-20 11:41:49 0 d-------- C:\Documents and Settings\Gast\Application Data\Jasc Software Inc

2008-04-20 09:05:50 0 d-------- C:\cmdcons

2008-04-20 09:02:01 68096 --a------ C:\WINDOWS\zip.exe

2008-04-20 09:02:01 49152 --a------ C:\WINDOWS\VFind.exe

2008-04-20 09:02:01 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>

2008-04-20 09:02:01 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>

2008-04-20 09:02:01 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>

2008-04-20 09:02:01 98816 --a------ C:\WINDOWS\sed.exe

2008-04-20 09:02:01 80412 --a------ C:\WINDOWS\grep.exe

2008-04-20 09:02:01 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >

2008-04-20 08:53:09 0 d-------- C:\VundoFix Backups

2008-04-19 20:38:21 0 dr-h----- C:\Documents and Settings\Tibbout\Onlangs geopend

2008-04-19 20:24:03 0 dr-h----- C:\Documents and Settings\Cedric\Onlangs geopend

2008-04-19 19:54:54 0 dr-h----- C:\$VAULT$.AVG

2008-04-19 19:33:06 0 d-------- C:\Documents and Settings\All Users\Application Data\EarMaster

2008-04-18 18:37:54 0 d-------- C:\Documents and Settings\Cedric\Incomplete

2008-04-18 18:37:21 0 d-------- C:\Documents and Settings\Cedric\Application Data\FrostWire

2008-04-18 18:36:37 0 d-------- C:\Documents and Settings\Cedric\Application Data\Ipswitch

2008-04-13 14:37:15 0 d-------- C:\Documents and Settings\Gast\Application Data\Ipswitch

2008-04-10 17:33:28 0 d-------- C:\Restoration

2008-04-09 13:03:48 0 d-------- C:\Documents and Settings\Tibbout\Application Data\Uniblue

2008-04-09 13:03:16 0 d-------- C:\Program Files\Uniblue

2008-04-06 12:35:30 0 d-------- C:\Program Files\Poke

2008-04-01 19:08:56 0 d-------- C:\Documents and Settings\Tibbout\Application Data\CoreFTP

2008-04-01 19:07:42 0 d-------- C:\Program Files\CoreFTP

2008-04-01 17:27:25 0 d-------- C:\Documents and Settings\Tibbout\Application Data\Ipswitch

2008-04-01 17:26:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch

2008-04-01 17:26:44 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>

2008-04-01 17:26:34 0 d-------- C:\Program Files\Ipswitch

2008-04-01 17:25:50 0 d-------- C:\Documents and Settings\Tibbout\Application Data\InstallShield

2008-04-01 11:11:13 0 d-------- C:\Documents and Settings\Tibbout\Application Data\Malwarebytes

2008-04-01 11:11:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-01 11:06:56 0 d-------- C:\Documents and Settings\Tibbout\Application Data\uk.co.planetside

2008-04-01 10:26:33 0 d-------- C:\Program Files\Terragen

2008-04-01 10:15:26 0 d-------- C:\Documents and Settings\Tibbout\Application Data\Dexpot

2008-04-01 10:00:27 73728 --a------ C:\WINDOWS\system32\GkSui18.EXE

2008-03-29 12:39:54 0 d-------- C:\Program Files\Rockstar Games

2008-03-22 23:21:53 0 d-------- C:\Program Files\InterActual

2008-03-22 22:39:03 5767168 --a------ C:\Documents and Settings\Tibbout\ntuser.dat

2008-03-22 21:11:41 0 d-------- C:\Program Files\BPK

2008-03-22 10:07:56 0 d-------- C:\Documents and Settings\Cedric\Application Data\AdobeUM

-- Find3M Report ---------------------------------------------------------------

2008-04-20 13:41:05 0 d-------- C:\Documents and Settings\Tibbout\Application Data\AVG7

2008-04-20 08:39:06 0 d-------- C:\Program Files\LogMeIn

2008-04-14 19:04:48 0 d-------- C:\Documents and Settings\Tibbout\Application Data\FrostWire

2008-04-12 18:49:40 504482 --a------ C:\WINDOWS\system32\perfh013.dat

2008-04-12 18:49:40 88852 --a------ C:\WINDOWS\system32\perfc013.dat

2008-04-11 19:45:39 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-04-09 18:16:00 0 d-------- C:\Program Files\FrostWire

2008-04-09 13:46:12 0 d-------- C:\Program Files\AvRack

2008-04-04 14:58:02 0 d-------- C:\Program Files\Opera

2008-04-01 14:27:38 0 d-------- C:\Program Files\Java

2008-03-15 15:29:17 0 d-------- C:\Program Files\DAEMON Tools Lite

2008-03-15 15:15:09 0 d-------- C:\Documents and Settings\Tibbout\Application Data\DAEMON Tools

2008-03-15 14:21:21 0 d-------- C:\Program Files\2 Pic

2008-03-15 14:17:20 0 d-------- C:\Documents and Settings\Tibbout\Application Data\VSRevoGroup

2008-03-14 22:45:17 0 d-------- C:\Program Files\directx

2008-03-12 16:25:11 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>

2008-03-11 19:53:39 0 d-------- C:\Program Files\Auslogics

2008-03-11 19:28:30 0 d-------- C:\Program Files\IObit

2008-03-11 19:15:19 0 d-------- C:\Program Files\VS Revo Group

2008-03-11 18:44:08 0 d-------- C:\Program Files\YouTube Downloader

2008-03-11 18:40:56 0 d-------- C:\Documents and Settings\Tibbout\Application Data\NCH Swift Sound

2008-03-11 18:40:40 0 d-------- C:\Program Files\Telemeter 3.0

2008-03-11 18:40:24 0 d-------- C:\Program Files\NCH Swift Sound

2008-03-11 18:39:07 0 d-------- C:\Program Files\NCH Software

2008-03-11 18:38:23 0 d-------- C:\Program Files\Octoshape Streaming Services

2008-03-07 22:53:10 0 d-------- C:\Program Files\MessengerDiscovery 2

2008-03-03 19:39:26 0 d-------- C:\Program Files\CCleaner

2008-03-03 11:05:00 0 d-------- C:\Program Files\MSN Messenger

2008-03-02 09:54:49 0 d-------- C:\Documents and Settings\Tibbout\Application Data\Auslogics

2008-02-26 21:09:58 0 d-------- C:\Program Files\Windows Live

2008-02-26 21:08:51 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller

2008-02-26 19:16:02 0 d-------- C:\Program Files\Windows Live Safety Center

2008-02-26 17:59:35 0 d-------- C:\Program Files\Common Files

2008-02-25 22:14:36 335 --a------ C:\WINDOWS\nsreg.dat

2008-02-25 22:14:36 0 d-------- C:\Documents and Settings\Tibbout\Application Data\Mozilla

2008-02-25 22:13:07 0 d-------- C:\Documents and Settings\Tibbout\Application Data\Easy Computing

2008-02-25 20:59:57 0 d-------- C:\Program Files\Easy Computing

2008-02-22 20:02:58 0 d-------- C:\Program Files\AviSynth 2.5

2008-02-21 20:25:38 0 d-------- C:\Program Files\Common Files\Adobe

2008-02-20 19:56:51 0 d-------- C:\Documents and Settings\Tibbout\Application Data\Adobe

2008-02-13 15:13:18 3309 --a------ C:\WINDOWS\system32\chordcomposer_en.dat

2008-02-10 17:12:42 262144 --a------ C:\WINDOWS\system32\default_user_class.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [17/04/2008 16:58]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 06:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=1 (0x1)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegedit"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=1 (0x1)

"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=0 (0x0)

"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"=0 (0x0)

"NoMovingBands"=0 (0x0)

"NoCloseDragDropBands"=0 (0x0)

"NoSetTaskbar"=0 (0x0)

"NoToolbarsOnTaskbar"=0 (0x0)

"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microtek Scanner Finder.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microtek Scanner Finder.lnk

backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Utility Tray.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Utility Tray.lnk

backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoostSpeed]

"C:\Program Files\Auslogics\AusLogics BoostSpeed\boostspeed.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

"C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisableMouse]

Rundll32.exe Mouse,Disable

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnableMouse]

Rundll32.exe Mouse,Enable

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HideWin]

C:\DOCUME~1\Tibbout\LOCALS~1\Temp\Tijdelijke map 3 voor hidewin.zip\hidewin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]

C:\Program Files\Launch Manager\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

"C:\Program Files\Arcade\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\WINDOWS\system32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Telemeter 3.0]

"C:\Program Files\Telemeter 3.0\telemeter3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AVGEMS"=2 (0x2)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

-- End of Deckard's System Scanner: finished at 2008-04-20 17:50:01 ------------

Hoi Tibzie,

Ik zie geen actieve spy/malware op je systeem.

1. Clean de Cache and Cookies in IE:

° Sluit Internet Explorer.

° Ga naar Configuratiescherm > Internet Opties > tab Algemeen

° Bij browsergeschiedenis klik je op Verwijderen, dit zal een nieuw venster openen.

° Druk op volgende om te verwijderen en klik daarna op ok:

° Bestanden verwijderen.

° Cookies verwijderen.

° Geschiedenis verwijderen.

Clean de Cache and Cookies in Firefox (In geval Firefox geïnstalleerd is):

° Ga naar Extra > Opties.

° Klik Privacy in het menu.

° Klik op de knop Nu wissen onderaan. Een nieuw venster zal openen.

° Vink alles aan bij 'de volgende gegevens nu wissen.'

° Klik op de Privégegevens nu opruimen knop.

Clean andere Temporary files + Prullenbak:

° Ga naar start > uitvoeren en typ: cleanmgr en klik ok.

° Laat het je systeem scannen op bestanden die moeten verwijderd worden.

° Zorg er wel voor dat je daar enkel maar 'tijdelijke bestanden', 'tijdelijke internetbestanden' en 'prullenbak' staan aangevinkt.

° Klik daarna op ok.

2. Start HijackThis en kies voor Do a system scan only en plaats alléén een vinkje voor de volgende regels:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Sluit alle open vensters(behalve HijackThis), klik daarna op Fix checked en bevestig het door in het volgende scherm op Ja te klikken.

3. Je mag alle gebruikte tools en mappen verwijderen.

Combofix verwijder je op volgende wijze:

Ga naar start > uitvoeren en kopieer en plak volgende command in het veld:

ComboFix /u

Zorg ervoor dat er dus een spatie is tussen Combofix en /

Daarna klik enter.

Dit zal Combofix verwijderen+gerelateerde mappen en bestanden, herstelt de klokinstellingen opnieuw, verbergt de bestandsextensies, gaat verborgen bestanden en systeembestanden terug verbergen en reset je Systeemherstel opnieuw.

4. Wel zie ik een paar Policies die geplaatst zijn, ben je van deze op de hoogte? Heb je die zelf laten plaatsen door een tool?

Weet maar iets te vertellen.

Dan wil ik je file associaties eens nazien.

Download DAFT naar je Bureaublad

Dubbelklik op het groene daft.exe icoon.

Lees de disclaimer en klik op OK.

Klik op de Scan knop.

Vink (indien foutieve associaties worden aangetroffen) alle weergegeven items aan.

Klik op de Fix knop.

Herhaal de scan en klik op "Save log".

Standaard wordt dit op je Bureaublad opgeslagen als daft.txt. Post deze log.

En tenslotte wil ik ook eens je MBR controleren.

Download Mbr.exe naar je Bureaublad.

Dubbeklik er op om te runnen en post het logje met de naam mbr.log in je volgende antwoord.

Succes,

Xeno

gebruik opera en heb nu ook alles opgeruimd.

Wat bedoelt u met policies?

DAFT heeft niks gevonden

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

Hoi Tibzie,

So far so good, wel ik zie deze:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]

"DisableRegistryTools"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=1 (0x1)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]

"DisableRegedit"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=1 (0x1)

"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\explorer]

"LinkResolveIgnoreLinkInfo"=0 (0x0)

"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]

"NoBandCustomize"=0 (0x0)

"NoMovingBands"=0 (0x0)

"NoCloseDragDropBands"=0 (0x0)

"NoSetTaskbar"=0 (0x0)

"NoToolbarsOnTaskbar"=0 (0x0)

"LinkResolveIgnoreLinkInfo"=0 (0x0)

Laat ons duidelijk zijn, je PC is clean, je file associaties zijn OK, en geen rootkit!

Geef maar een sein, anders laten we die policies verwijderen.

Groetjes,

Xeno

Hoi Tibzie,

Kunnen we deze dan als opgelost beschouwen?

Groetjes,

Xeno

Ja

sorry ik had het voorlaatste bericht niet ontvangen.

Ik heb ook geen verdere hinder meer ondervonden.