Sjmur

1 juni 2011

Gedaan

CCcleaner gebruik ik overigens al regelmatig

1 juni 2011

Het ziet er naar uit dat hij weer goed is(?)

31 mei 2011

MBAM:

Malwarebytes' Anti-Malware 1.50.1.1100

Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Databaseversie: 6734

Windows 6.0.6000

Internet Explorer 7.0.6000.16890

31-5-2011 20:37:35

mbam-log-2011-05-31 (20-37-35).txt

Scantype: Snelle scan

Objecten gescand: 150889

Verstreken tijd: 11 minuut/minuten, 41 seconde(n)

Geheugenprocessen geïnfecteerd: 0

Geheugenmodulen geïnfecteerd: 0

Registersleutels geïnfecteerd: 1

Registerwaarden geïnfecteerd: 0

Registerdata geïnfecteerd: 0

Mappen geïnfecteerd: 0

Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:

(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen geïnfecteerd:

(Geen kwaadaardige objecten gedetecteerd)

Registersleutels geïnfecteerd:

HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:

(Geen kwaadaardige objecten gedetecteerd)

Registerdata geïnfecteerd:

(Geen kwaadaardige objecten gedetecteerd)

Mappen geïnfecteerd:

(Geen kwaadaardige objecten gedetecteerd)

Bestanden geïnfecteerd:

(Geen kwaadaardige objecten gedetecteerd)

HiJack:

[ATTACH]11082[/ATTACH]

hijackthis.log

31 mei 2011

Ah via de opgezochte map (C: etc..) kon ik hem nu wel als administrator runnen, dankjewel

bijgevoegd de log:

[ATTACH]11081[/ATTACH]

HiJackkladblok.txt

31 mei 2011

Beste pc-helpforum,

Mijn laptop doet de laatste tijd een beetje raar en ik wilde vragen of jullie aan de hand van het HiJack log kunnen zien of er ergens iets niet klopt en zoja, wat ik moet verwijderen.

(kan hem niet als 'administrator' runnen dus hoop dat het zo ook goed is)

Alvast enorm bedankt

[ATTACH]11078[/ATTACH]

HiJack.log

26 september 2010

IK had voor combofix al geen meldingen meer maar die askdisbar (ofzoiets) die kon ik steeds niet vinden om te verwijderen dus ik neem aan dat die nu wel verwijderd is

Moet ik nu nog meer dingen doen?

(combofix ed. verwijderen?)

In ieder geval al heel erg bedankt!

26 september 2010

Gelukt

(Heb overigens combofix weer in de veilige modus moeten laten lopen want hij deed het weer niet in de normale modus)

Combofix logje:

ComboFix 10-09-24.05 - 29416 26-09-2010 14:18:14.2.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2043.1730 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Administrator.ACERTM\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Administrator.ACERTM\Bureaublad\CFScript.txt

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator.ACERTM\Local Settings\Application Data\qeicjqlbk

c:\program files\AskBarDis

.

(((((((((((((((((((( Bestanden Gemaakt van 2010-08-26 to 2010-09-26 ))))))))))))))))))))))))))))))

.

2010-09-26 09:43 . 2010-09-26 09:43 -------- d-----r- c:\documents and settings\LocalService\Favorieten

2010-09-26 09:43 . 2010-09-26 09:43 -------- d--h--r- c:\documents and settings\LocalService\Onlangs geopend

2010-09-26 09:43 . 2010-09-26 09:43 -------- d-----w- c:\documents and settings\LocalService\Menu Start

2010-09-26 09:43 . 2010-09-26 09:43 -------- d-----w- c:\documents and settings\LocalService\Bureaublad

2010-09-24 21:19 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-12 12:38 . 2010-09-24 21:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-12 12:26 . 2010-09-12 12:26 388096 ----a-r- c:\documents and settings\Administrator.ACERTM\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-09-12 12:26 . 2010-09-12 12:26 -------- d-----w- c:\program files\Trend Micro

2010-09-12 10:29 . 2010-09-12 10:29 -------- d-sh--w- c:\windows\ftpcache

2010-09-11 20:43 . 2008-04-13 22:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys

2010-09-11 20:43 . 2008-04-13 22:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys

2010-09-11 20:43 . 2008-04-13 22:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys

2010-09-11 20:43 . 2008-04-13 22:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys

2010-09-11 20:43 . 2008-04-13 22:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys

2010-09-11 20:43 . 2008-04-13 22:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-26 12:12 . 2008-12-02 15:51 -------- d-----w- c:\documents and settings\Administrator.ACERTM\Application Data\SoftGrid Client

2010-09-26 12:11 . 2009-04-29 13:57 -------- d-----w- c:\documents and settings\Administrator.ACERTM\Application Data\DNA

2010-09-26 10:37 . 2009-04-29 13:57 -------- d-----w- c:\program files\DNA

2010-09-25 10:06 . 2008-12-01 13:50 -------- d-----w- c:\program files\Launch Manager

2010-09-24 17:27 . 2009-10-12 17:30 -------- d-----w- c:\documents and settings\Administrator.ACERTM\Application Data\Microgaming

2010-09-16 15:36 . 2008-12-19 12:16 -------- d-----w- c:\documents and settings\Administrator.ACERTM\Application Data\U3

2010-09-12 12:17 . 2004-08-04 11:00 726566 ----a-w- c:\windows\system32\perfh013.dat

2010-09-12 12:17 . 2004-08-04 11:00 206444 ----a-w- c:\windows\system32\perfc013.dat

2010-09-12 01:57 . 2010-07-20 18:19 -------- d-----w- c:\program files\Microsoft Silverlight

2010-08-31 11:56 . 2009-04-29 13:57 -------- d-----w- c:\program files\BitTorrent

2010-08-30 17:09 . 2009-04-29 13:57 -------- d-----w- c:\documents and settings\Administrator.ACERTM\Application Data\BitTorrent

2010-08-19 15:34 . 2008-12-01 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-08-09 08:37 . 2009-01-06 08:19 -------- d-----w- c:\program files\Foxit Software

2010-08-09 08:36 . 2009-01-06 09:32 -------- d-----w- c:\program files\Google

2010-08-04 17:41 . 2010-06-29 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-08-04 13:32 . 2008-12-01 15:47 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-07-01 07:51 . 2010-07-01 07:51 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb2A6.tmp.exe

2010-06-30 12:33 . 2008-04-14 20:32 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-29 21:48 . 2010-06-29 21:48 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb296.tmp.exe

2010-06-28 16:12 . 2010-06-28 16:12 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb27E.tmp.exe

.

------- Sigcheck -------

[-] 2008-11-21 . D9B2AA9ADACDE33FF18A010ADF2EBF18 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-17 323392]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-24 39408]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-23 2938552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2008-08-05 53248]

"RTHDCPL"="RTHDCPL.EXE" [2008-08-05 16862208]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-08-05 858632]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-05 1028096]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-05 13541376]

"nwiz"="nwiz.exe" [2008-08-05 1630208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-05 86016]

"NGClient"="c:\program files\Symantec\Ghost\ngctw32.exe" [2005-11-28 440000]

"SoftGridTray"="c:\program files\Softricity\SoftGrid for Windows Desktops\SFTTray.exe" [2007-12-13 316440]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 144384]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-10 149280]

"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2010-02-05 454400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Microsoft Firewall Client Management.lnk - c:\program files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-12-9 117568]

Sophos AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2010-1-11 429096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoPublishingWizard"= 0 (0x0)

"NoWebServices"= 0 (0x0)

"NoOnlinePrintsWizard"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-562591055-839522115-3611\Scripts\Logoff\0\0]

"Script"=\\edu.sintlucas.nl\NETLOGON\DiscoPrinters.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-562591055-839522115-3611\Scripts\Logoff\1\0]

"Script"=\\edu.sintlucas.nl\NETLOGON\llogoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-562591055-839522115-3611\Scripts\Logon\0\0]

"Script"=\\edu.sintlucas.nl\netlogon\logon_script.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-562591055-839522115-3611\Scripts\Logon\0\1]

"Script"=\\edu.sintlucas.nl\netlogon\connect_printer.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-562591055-839522115-3611\Scripts\Logon\0\2]

"Script"=regedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-562591055-839522115-3611\Scripts\Logon\1\0]

"Script"=\\edu.sintlucas.nl\NETLOGON\llogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-562591055-839522115-3611\Scripts\Logon\2\0]

"Script"=regedit.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"57349:TCP"= 57349:TCP:Pando Media Booster

"57349:UDP"= 57349:UDP:Pando Media Booster

R0 GhMon;GhostMountMonitor - Boot Phase Driver;c:\windows\system32\drivers\GhMon.sys [28-11-2005 18:35 6560]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 20:19 13592]

S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [28-11-2005 18:36 199264]

S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [1-12-2008 17:48 152192]

S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [1-12-2008 17:48 24064]

S2 EQSharedEngine;EQ Shared Engine;c:\program files\Equitrac\Express\Client\EQSharedEngine.exe [19-2-2007 16:44 1521192]

S2 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [9-12-2006 20:04 128832]

S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;c:\windows\system32\drivers\ghpcw2k.sys [28-11-2005 18:36 199264]

S2 gupdate1ca701517d126cc;Google Updateservice (gupdate1ca701517d126cc);c:\program files\Google\Update\GoogleUpdate.exe [28-11-2009 12:25 133104]

S2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [5-2-2010 17:28 742144]

S2 NGClient;Symantec Ghost Win32 Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [28-11-2005 19:26 440000]

S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [11-1-2010 13:09 104488]

S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [11-1-2010 13:10 93736]

S2 sftlist;SoftGrid Client;c:\program files\Softricity\SoftGrid for Windows Desktops\sftlist.exe [13-12-2007 20:02 549912]

S3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [28-2-2007 10:38 91008]

S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [20-11-2008 13:50 80784]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15-1-2010 14:49 227232]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [1-12-2008 15:22 39072]

S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [11-1-2010 13:09 23928]

S3 sftfs;sftfs;c:\program files\Softricity\SoftGrid for Windows Desktops\drivers\SftFSXP.sys [13-12-2007 20:02 565784]

S3 sftplay;sftplay;c:\program files\Softricity\SoftGrid for Windows Desktops\drivers\sftplayxp.sys [13-12-2007 20:01 149144]

S3 sftvol;sftvol;c:\program files\Softricity\SoftGrid for Windows Desktops\drivers\SftVolXP.sys [13-12-2007 20:01 15896]

S3 sftvsa;SoftGrid Virtual Service Agent;c:\program files\Softricity\SoftGrid for Windows Desktops\sftvsa.exe [13-12-2007 20:02 205848]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [1-12-2008 17:52 14976]

--- Andere Services/Drivers In Geheugen ---

*NewlyCreated* - MDMXSDK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\aetsprov]

2008-06-02 08:32 81920 ----a-w- c:\windows\system32\aetsprov.dll

.

Inhoud van de 'Gedeelde Taken' map

2010-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 10:25]

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 10:25]

2010-09-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2010-09-25 c:\windows\Tasks\New scan.job

- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2010-01-11 11:08]

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.nl/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR

IE: Add to Windows &Live Favorites - Welcome to Windows Live

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Verzenden naar &Bluetooth-apparaat... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

LSP: c:\program files\Microsoft Firewall Client 2004\FwcWsp.dll

DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://cas.edu.sintlucas.nl/auth/taweb.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab

DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - hxxps://cas.edu.sintlucas.nl/auth/CCALogin.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-09-26 14:21

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]

"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-329068152-220523388-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,61,ee,4c,ad,73,02,4a,ad,15,cd,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,61,ee,4c,ad,73,02,4a,ad,15,cd,\

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\aetgina1.dll

.

Voltooingstijd: 2010-09-26 14:22:35

ComboFix-quarantined-files.txt 2010-09-26 12:22

ComboFix2.txt 2010-09-26 10:42

Pre-Run: 24.227.610.624 bytes beschikbaar

Post-Run: 24.272.211.968 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D5332A0E7E44F3E9FA20F171435D6859

HiJack logje:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:24:14, on 26-9-2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe

O4 - HKLM\..\Run: [softGridTray] C:\Program Files\Softricity\SoftGrid for Windows Desktops\SFTTray.exe /autostart

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Firewall Client Management.lnk = C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe

O4 - Global Startup: Sophos AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - Welcome to Windows Live

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O8 - Extra context menu item: Verzenden naar &Bluetooth-apparaat... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Unibet - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\unibetpokerMPP\MPPoker.exe (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.bio.uu.nl/~cpio/modules/awswaxd.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab

O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} (Cisco NAC Web Agent Control) - https://cas.edu.sintlucas.nl/auth/taweb.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228218961597

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom.com/activex/zylomgamesplayer.cab

O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://cas.edu.sintlucas.nl/auth/CCALogin.CAB

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = edu.sintlucas.nl

O17 - HKLM\Software\..\Telephony: DomainName = edu.sintlucas.nl

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = edu.sintlucas.nl

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = edu.sintlucas.nl

O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Express\Client\EQSharedEngine.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updateservice (gupdate1ca701517d126cc) (gupdate1ca701517d126cc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe

O23 - Service: Cisco NAC Agent (NACAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe

O23 - Service: Symantec Ghost Win32 Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: SoftGrid Client (sftlist) - Softricity, Inc. - C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe

O23 - Service: SoftGrid Virtual Service Agent (sftvsa) - Softricity, Inc. - C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftvsa.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

--

End of file - 10450 bytes

26 september 2010

Gelukt

ComboFix 10-09-24.05 - 29416 26-09-2010 11:43:12.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2043.1515 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Administrator.ACERTM\Bureaublad\ComboFix.exe

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator.ACERTM\Application Data\.#

c:\documents and settings\Administrator.ACERTM\Application Data\ShoppingReport

c:\documents and settings\Administrator.ACERTM\Application Data\ShoppingReport\cs\Config.xml

c:\documents and settings\Administrator.ACERTM\Application Data\ShoppingReport\cs\db\Aliases.dbs

c:\documents and settings\Administrator.ACERTM\Application Data\ShoppingReport\cs\db\Sites.dbs

c:\documents and settings\Administrator.ACERTM\Application Data\ShoppingReport\cs\dwld\WhiteList.xip

c:\documents and settings\Administrator.ACERTM\Application Data\ShoppingReport\cs\report\aggr_storage.xml

c:\documents and settings\Administrator.ACERTM\Application Data\ShoppingReport\cs\report\send_storage.xml

c:\documents and settings\Administrator.ACERTM\Application Data\ShoppingReport\cs\res1\WhiteList.dbs

c:\documents and settings\Administrator.ACERTM\Launcher.exe

c:\documents and settings\Administrator.ACERTM\Menu Start\Programma's\Security Tool.lnk

c:\documents and settings\Administrator.ACERTM\System

c:\documents and settings\Administrator.ACERTM\System\win_qs8.jqx

c:\program files\ShoppingReport

Besmet exemplaar van c:\windows\system32\drivers\dmload.sys werd aangetroffen en gedesinfecteerd

Hersteld exemplaar van - Kitty had a snack