
David Dierickx

Member
  • Items: 14

Everything posted by David Dierickx

  1. Checkdisk fixed it. It now boots in about 2 to 3 minutes.
  2. Ran Vipre; boot time stays the same. :-( David
  3. I also ran Spybot once; it found 2 entries: logSpybot.JPG (free download from Uploading.com). I also ran Dr.Web CureIt afterwards:
     emailcatcher.exe;C:\Program Files;Tool.MassMail.3;Verplaatst.;
     pslist.exe;C:\ProgramFiles;Program.PsList.126;;
     A0005334.exe;C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP4;Tool.MassMail.3;Verplaatst.;
     Regards, David
     Attachment: logSpybot.bmp
  4. And voilà, scan completed. It took almost 8 hours. Log as requested (there are supposedly trojan horses on it):
     --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7.0: scan report
     Thursday, November 11, 2010
     Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Wednesday, November 10, 2010 12:49:57
     Records in database: 4251104
     --------------------------------------------------------------------------------
     Scan settings:
     scan using the following database: extended
     Scan archives: yes
     Scan e-mail databases: yes
     Scan area - My Computer:
     C:\
     D:\
     E:\
     G:\
     Scan statistics:
     Objects scanned: 146012
     Threats found: 1
     Infected objects found: 4
     Suspicious objects found: 0
     Scan duration: 07:43:23
     File name / Threat / Threats count
     C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0A8C0000\4EDDD8EC.VBN Infected: Trojan.JS.Iframe.eu 1
     C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0A8C0001\4EDDD8FE.VBN Infected: Trojan.JS.Iframe.eu 1
     C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0A8C0002\4EDDD913.VBN Infected: Trojan.JS.Iframe.eu 1
     C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0A8C0003\4EDDD924.VBN Infected: Trojan.JS.Iframe.eu 1
     Selected area has been scanned.
     Regards, David
  5. Unfortunately still around 15 minutes. Regards, David
  6. OK, that worked. Here is the ComboFix log:
     ComboFix 10-11-07.07 - dierda01 07/11/2010 20:58:07.5.2 - x86 NETWORK
     Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.743 [GMT 1:00]
     Running from: c:\documents and settings\dierda01\Desktop\ComboFix.exe
     AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
     AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
     FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
     .
     (((((((((((((((((((((((((   Files Created from 2010-10-07 to 2010-11-07   )))))))))))))))))))))))))))))))
     .
     2010-11-04 19:16 . 2010-11-04 19:16 -------- d-----w- c:\program files\Rittal
     2010-11-02 10:28 . 2010-11-02 10:28 388096 ----a-r- c:\documents and settings\dierda01\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
     2010-11-01 19:28 . 2010-11-01 19:28 -------- d-----w- c:\documents and settings\dierda01\Application Data\AVG10
     2010-11-01 19:26 . 2010-11-01 19:26 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
     2010-11-01 19:24 . 2010-11-01 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
     2010-11-01 19:19 . 2010-11-01 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
     2010-11-01 19:01 . 2010-11-01 19:01 -------- d-----w- c:\program files\CCleaner
     2010-11-01 18:00 . 2010-11-01 18:03 -------- d-----w- c:\program files\TweakNow RegCleaner
     2010-11-01 18:00 . 2010-11-01 18:00 -------- d-----w- c:\documents and settings\dierda01\Application Data\TweakNow RegCleaner
     2010-10-14 06:49 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
     2010-10-14 06:49 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
     2010-10-14 06:49 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
     2010-10-14 06:49 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
     .
     ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-10-25 11:49 . 2010-03-19 13:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2010-10-25 11:49 . 2010-04-21 12:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2010-09-22 14:00 . 2009-07-24 08:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
     2010-09-22 14:00 . 2009-07-24 08:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
     2010-09-18 10:23 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
     2010-09-18 06:53 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42.dll
     2010-09-18 06:53 . 2004-08-04 08:00 954368 ----a-w- c:\windows\system32\mfc40.dll
     2010-09-18 06:53 . 2004-08-04 08:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
     2010-09-10 21:32 . 2010-09-22 14:04 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
     2010-09-10 05:58 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
     2010-09-10 05:58 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
     2010-09-10 05:58 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
     2010-09-01 11:51 . 2004-08-04 08:00 285824 ----a-w- c:\windows\system32\atmfd.dll
     2010-08-31 13:42 . 2004-08-04 08:00 1852800 ----a-w- c:\windows\system32\win32k.sys
     2010-08-27 08:02 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
     2010-08-27 05:57 . 2004-08-04 08:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
     2010-08-26 13:39 . 2004-08-04 08:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
     2010-08-26 12:52 . 2009-04-17 07:27 5120 ----a-w- c:\windows\system32\xpsp4res.dll
     2010-08-23 16:12 . 2004-08-04 08:00 617472 ----a-w- c:\windows\system32\comctl32.dll
     2010-08-17 13:17 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
     2010-08-16 08:45 . 2004-08-04 08:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
     2007-03-30 11:34 . 2007-08-03 13:06 25263144 ------w- c:\program files\Skype.exe
     2006-12-11 19:58 . 2007-08-03 13:06 826936 ------w- c:\program files\blacklightrootkit.exe
     2006-11-12 12:23 . 2007-08-03 13:06 174163 ------w- c:\program files\utorrent.exe
     2006-11-09 06:29 . 2007-08-03 13:06 2198320 ------w- c:\program files\Procmon.exe
     2006-11-01 12:07 . 2007-08-03 13:06 3623736 ------w- c:\program files\procexp.exe
     2006-11-01 12:07 . 2007-10-31 12:04 363320 ------w- c:\program files\portmon.exe
     2006-09-23 20:05 . 2007-08-03 13:06 340992 ------w- c:\program files\FolderSize.exe
     2006-08-09 10:56 . 2007-08-03 13:06 1413120 ------w- c:\program files\WinsockXPFix.exe
     2006-07-10 12:22 . 2007-08-03 13:06 398912 ------w- c:\program files\autoruns.exe
     2006-07-10 12:21 . 2007-08-03 13:06 294912 ------w- c:\program files\autorunsc.exe
     2006-06-27 22:05 . 2007-08-03 13:06 262144 ------w- c:\program files\xp-AntiSpy.exe
     2006-03-24 10:33 . 2007-08-03 13:06 69632 ------w- c:\program files\Contig.exe
     2006-02-18 01:50 . 2007-08-03 13:06 1024000 ------w- c:\program files\vncviewer.exe
     2006-02-17 20:06 . 2007-08-03 13:06 12411150 ------w- c:\program files\YamiPod.exe
     2006-02-01 15:02 . 2007-08-03 13:06 237651 ------w- c:\program files\RootkitRevealer.exe
     2006-01-11 20:31 . 2007-08-03 13:06 992399 ------w- c:\program files\JHymn.exe
     2005-09-20 20:45 . 2007-08-03 13:06 49664 ------w- c:\program files\WMDecode.exe
     2005-07-14 04:06 . 2007-08-03 13:06 98361 ------w- c:\program files\pagedfrg.exe
     2005-06-30 01:07 . 2007-08-03 13:06 181776 ------w- c:\program files\handle.exe
     2005-05-25 16:10 . 2007-08-03 13:06 784896 ------w- c:\program files\DoubleKiller.exe
     2005-04-20 11:07 . 2007-08-03 13:06 106496 ------w- c:\program files\Tcpview.exe
     2005-04-13 13:32 . 2007-08-03 13:06 186368 ------w- c:\program files\LSPFix.exe
     2005-04-09 20:12 . 2007-08-03 13:06 32768 ------w- c:\program files\PPSFix.exe
     2005-04-04 11:15 . 2007-08-03 13:06 53248 ------w- c:\program files\whois.exe
     2005-03-24 11:56 . 2007-08-03 13:06 291792 ------w- c:\program files\vnc-4_1_1_viewer.exe
     2005-03-24 11:56 . 2007-08-03 13:06 291792 ------w- c:\program files\realvncviewer.exe
     2005-03-21 14:03 . 2007-08-03 13:06 345600 ------w- c:\program files\SafeXP.exe
     2005-02-20 09:34 . 2007-08-03 13:06 865792 ------w- c:\program files\ExplorerXP.exe
     2005-02-16 09:06 . 2007-08-03 13:06 218112 ------w- c:\program files\HijackThis.exe
     2005-02-16 07:57 . 2007-08-03 13:06 45056 ------w- c:\program files\streams.exe
     2005-02-13 12:43 . 2007-08-03 13:06 1013211 ------w- c:\program files\tv.exe
     2005-02-01 12:48 . 2007-08-03 13:06 94208 ------w- c:\program files\WINOBJ.EXE
     2005-01-28 21:23 . 2007-08-03 13:06 1036800 ------w- c:\program files\filmerit_21en.exe
     2004-12-21 07:23 . 2007-08-03 13:06 65536 ------w- c:\program files\LISTDLLS.exe
     2004-12-08 13:26 . 2007-08-03 13:06 49152 ------w- c:\program files\junction.exe
     2004-12-01 15:27 . 2007-08-03 13:06 86016 ------w- c:\program files\pslist.exe
     2004-11-29 16:43 . 2007-08-03 13:06 81920 ------w- c:\program files\sherlock2.0.exe
     2004-11-21 07:26 . 2007-08-03 13:06 331776 ------w- c:\program files\emailcatcher.exe
     2004-11-05 11:05 . 2007-08-03 13:06 81920 ------w- c:\program files\logonsessions.exe
     2004-10-03 07:15 . 2007-08-03 13:06 253952 ------w- c:\program files\LockedCopy.exe
     2004-09-22 14:46 . 2007-08-03 13:06 741421 ------w- c:\program files\Bginfo.exe
     2004-09-15 09:39 . 2007-08-03 13:06 585728 ------w- c:\program files\OEView.exe
     2004-08-26 12:04 . 2007-08-03 13:06 159795 ------w- c:\program files\ShareEnum.exe
     2004-08-19 17:18 . 2007-08-03 13:06 343040 ------w- c:\program files\OptimumJPEG.exe
     2004-08-08 14:10 . 2007-08-03 13:06 94208 ------w- c:\program files\tcpvcon.exe
     2004-07-16 08:39 . 2007-08-03 13:06 135168 ------w- c:\program files\tweakol2003.exe
     2004-06-22 13:14 . 2007-08-03 13:06 118784 ------w- c:\program files\Diskmon.exe
     2004-03-20 23:47 . 2007-08-03 13:06 94208 ------w- c:\program files\tweakol.exe
     2004-03-19 23:20 . 2007-08-03 13:06 98304 ------w- c:\program files\DetachOL.exe
     2004-02-27 11:58 . 2007-08-03 13:06 45056 ------w- c:\program files\DriveZ.exe
     2004-01-29 23:10 . 2007-08-03 13:06 208896 ------w- c:\program files\ConfigInspector.exe
     2003-12-30 12:33 . 2007-08-03 13:06 253952 ------w- c:\program files\md5.exe
     2003-12-20 19:57 . 2007-08-03 13:06 224256 ------w- c:\program files\fentun.exe
     2003-07-17 10:19 . 2007-08-03 13:06 5632 ------w- c:\program files\wol.exe
     2003-06-18 10:49 . 2007-08-03 13:06 406528 ------w- c:\program files\UnknownDeviceIdentifier.exe
     2003-04-01 16:08 . 2007-08-03 13:06 16384 ------w- c:\program files\IP_Agent.exe
     2003-03-20 15:43 . 2007-08-03 13:06 73728 ------w- c:\program files\DiskCheckup.exe
     2003-02-21 07:31 . 2007-08-03 13:06 659456 ------w- c:\program files\VCD_PLAY.EXE
     2003-02-10 09:07 . 2007-08-03 13:06 53028 ------w- c:\program files\netio.exe
     2002-03-25 08:52 . 2007-08-03 13:06 644976 ------w- c:\program files\BootVis.exe
     2002-03-19 15:30 . 2007-08-03 13:06 216576 ------w- c:\program files\PowerCalc.exe
     2002-01-02 13:12 . 2007-08-03 13:06 410624 ------w- c:\program files\DNSQuery.exe
     2001-08-23 23:00 . 2007-08-03 13:06 90112 ------w- c:\program files\PlacesBar Editor.exe
     2001-03-04 16:01 . 2007-08-03 13:06 13824 ------w- c:\program files\IP2.exe
     2001-02-21 19:03 . 2007-08-03 13:06 35840 ------w- c:\program files\base64.exe
     2000-11-16 01:01 . 2007-08-03 13:06 210944 ------w- c:\program files\putty.exe
     2000-07-29 06:20 . 2007-08-03 13:06 188416 ------w- c:\program files\TDIMON.EXE
     2000-06-14 09:30 . 2007-08-03 13:06 872448 ------w- c:\program files\EZSMART.exe
     1999-04-12 11:15 . 2007-08-03 13:06 236032 ------w- c:\program files\BINCHUNK.EXE
     1998-08-02 22:53 . 2007-08-03 13:06 287232 ------w- c:\program files\syslog_server.exe
     1998-05-10 16:43 . 2007-08-03 13:06 483840 ------w- c:\program files\SFV32W.exe
     1997-07-09 11:53 . 2007-08-03 13:06 40960 ------w- c:\program files\MAPIMAIL.EXE
     1997-04-04 15:04 . 2007-08-03 13:06 513536 ------w- c:\program files\TFTPd.exe
     1996-11-20 16:35 . 2007-08-03 13:06 340480 ------w- c:\program files\hexedit.exe
     1996-10-07 07:16 . 2007-08-03 13:06 114176 ------w- c:\program files\wsttcp.exe
     1996-07-28 18:58 . 2007-08-03 13:06 14305 ------w- c:\program files\rawrite.exe
     1996-07-24 18:30 . 2007-08-03 13:06 90144 ------w- c:\program files\WINGIF.EXE
     2009-12-25 10:12 203776 --sh--w- c:\windows\system32\unrar.exe
     .
     (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
     "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
     "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
     "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 292152]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-20 115560]
     "Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-02-11 70024]
     "Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2010-02-22 858672]
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
     "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
     BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-100122\Scripts\Logon\0\0]
     "Script"=EnvVar.vbs
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-100122\Scripts\Logon\1\0]
     "Script"=IAEMACT-Logon.bat
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-441436\Scripts\Logon\0\0]
     "Script"=EnvVar.vbs
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-441436\Scripts\Logon\1\0]
     "Script"=IAEMACT-Logon.bat
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
     @="Service"
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
     @="Service"
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
     @="Service"
     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
     2007-01-05 16:36 872448 ------w- c:\program files\Analog Devices\Core\smax4pnp.exe
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\WINDOWS\\SMINST\\Scheduler.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\WINDOWS\\system32\\CBA\\pds.exe"=
     "c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
     "%windir%\\system32\\msgsys.exe"=
     "c:\\Program Files\\Foxit Software\\PDFEdit.exe"=
     "c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "139:TCP"= 139:TCP:@xpsp2res.dll,-22004
     "445:TCP"= 445:TCP:@xpsp2res.dll,-22005
     "137:UDP"= 137:UDP:@xpsp2res.dll,-22001
     "138:UDP"= 138:UDP:@xpsp2res.dll,-22002
     "67:TCP"= 67:TCP:LANDesk® PXE TCP Port
     "67:UDP"= 67:UDP:LANDesk® PXE UDP Port
     "9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port
     "9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
     "AllowInboundEchoRequest"= 1 (0x1)
     R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [22/02/2010 13:32 224816]
     R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19/09/2006 17:58 36608]
     S2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [10/11/2009 12:32 155648]
     S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
     S2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [21/06/2009 07:59 3584]
     S2 glpntdrv;glpntdrv;\??\c:\windows\system32\drivers\glpntdrv.sys --> c:\windows\system32\drivers\glpntdrv.sys [?]
     S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [24/02/2010 15:11 139264]
     S2 MSSQL$SQL_CTSELECT;SQL Server (SQL_CTSELECT);c:\program files\MSSQL.1\MSSQL\Binn\sqlservr.exe [27/05/2009 02:27 29262680]
     S2 Peakcan;Peakcan;c:\windows\system32\drivers\Peakcan.sys [11/09/2008 15:15 87904]
     S2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [22/02/2010 13:33 649776]
     S2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [22/02/2010 13:33 231984]
     S2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [24/02/2010 15:11 385024]
     S2 SsfdcPp;Parallel Port Ssfdc Programmer Driver;c:\windows\system32\drivers\SsfdcPp.sys [30/09/2008 09:12 14604]
     S2 TcCam;TwinCAT CAM Server;c:\twincat\Driver\TCCam.sys [17/04/2008 13:24 192563]
     S2 TcEventLogger;TcEventLogger;c:\twincat\EventLogger\TcEventLogger.exe [17/04/2008 13:24 249932]
     S2 TcIo;TwinCAT IO Server;c:\twincat\Driver\TcIo.sys [17/04/2008 13:24 1154048]
     S2 TcPlc;TwinCAT IEC1131 Server;c:\twincat\Driver\TcPlc.sys [17/04/2008 13:24 390709]
     S2 TcRouter;TwinCAT Router Server;c:\twincat\Driver\TCRouter.sys [17/04/2008 13:24 186880]
     S2 TcRTime;TwinCAT Realtime Server;c:\twincat\Driver\TCRtime.sys [17/04/2008 13:24 138752]
     S2 TwinCAT System Service;TwinCAT System Service;c:\twincat\TCATSysSrv.exe [17/04/2008 13:24 622652]
     S2 VERISMIC PowerManager Client;VERISMIC PowerManager Client;c:\program files\VERISMIC\PowerManager\Client\VERISMIC.PowerManager.ClientService.exe [26/03/2010 08:29 424960]
     S2 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\ddcdrv.sys [13/08/2010 08:55 10240]
     S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [16/03/2009 11:25 23888]
     S3 ctndrvd;CTNet NT Driver;c:\windows\system32\drivers\ctndrv2.sys [06/08/2007 08:01 6488]
     S3 CTNDRVWDM;CTNet Driver (WDM);c:\windows\system32\drivers\ctndrwdm.sys [03/10/2002 09:45 5145]
     S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/05/2010 11:08 102448]
     S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [08/01/2009 17:00 11904]
     S3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [08/01/2009 17:00 3328]
     S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [08/01/2009 17:00 3712]
     S3 pcan_usb;PCAN-USB Device Driver;c:\windows\system32\drivers\pcan_usb.sys [01/03/2003 01:42 201175]
     S3 R-ImageDisk;R-ImageDisk;\??\c:\docume~1\dierda01\LOCALS~1\Temp\RarSFX0\R-ImageDisk.sys --> c:\docume~1\dierda01\LOCALS~1\Temp\RarSFX0\R-ImageDisk.sys [?]
     S3 SMA_USBBus;SMA USB Serial Converter;c:\windows\system32\drivers\FTD2XX.sys [17/01/2010 18:05 29292]
     S3 TrioUSB;TrioUSB;c:\windows\system32\drivers\TrioUSB.sys [25/10/2007 09:11 9984]
     S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
     2007-04-19 20:23 452136 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.skynet.be
     uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
     uInternet Settings,ProxyServer = europroxy.emrsn.co.uk:80
     uInternet Settings,ProxyOverride = www.controltechniques.com;192.186.1.100;<local>
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
     Trusted Zone: ia.priv\lx-gbnew-app.controltechniques
     Trusted Zone: ia.priv\lx-gbnew-tst.controltechniques
     Trusted Zone: ia.priv\lx-gbnew-app.controltechniques
     .
     **************************************************************************
     scanning hidden processes ...
     scanning hidden autostart entries ...
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@
     scanning hidden files ...
     scan completed successfully
     hidden files:
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(1212)
     c:\windows\system32\pssogina.dll
     c:\windows\system32\LogonAgentAPI.dll
     c:\windows\system32\msi.dll
     - - - - - - - > 'explorer.exe'(1300)
     c:\windows\system32\WININET.dll
     .
     Completion time: 2010-11-07 21:06:05
     ComboFix-quarantined-files.txt 2010-11-07 20:06
     Pre-Run: 43,820,736,512 bytes free
     Post-Run: 43,820,982,272 bytes free
     - - End Of File - - E6412A14EAEA5DAF8144CD7E6476D194
     Regards, David
  7. Unfortunately, no ComboFix log to be found. The computer still boots slowly. Maybe a bit faster than before. Let's say 15 minutes now. Regards, David
  8. I ran ComboFix with the little file CFScript.txt. Everything executed, but the log is no longer created, not even in safe mode. Afterwards I ran HijackThis; log:
     Logfile of Trend Micro HijackThis v2.0.4
     Scan saved at 13:01:03, on 04/11/2010
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
     C:\WINDOWS\system32\Prot_srv.exe
     C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
     C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
     C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
     C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
     C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
     C:\Program Files\LANDesk\Shared Files\residentagent.exe
     C:\Program Files\LANDesk\LDClient\LocalSch.EXE
     C:\WINDOWS\system32\CBA\pds.exe
     C:\Program Files\LANDesk\LDClient\tmcsvc.exe
     C:\PROGRA~1\LANDesk\LDClient\issuser.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\PROGRA~1\LANDesk\LDClient\collector.exe
     C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
     c:\Program Files\MSSQL.1\MSSQL\Binn\sqlservr.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\pstartSr.exe
     C:\Program Files\LANDesk\LDClient\softmon.exe
     c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
     C:\TwinCAT\EventLogger\TcEventLogger.exe
     C:\TwinCAT\TCATSysSrv.exe
     C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
     C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
     C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
     C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
     C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Skynet.be - LE portail belge – DE Belgische portaalsite!
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = HP® - Laptops, Desktop, Printers, Servers, and more
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = europroxy.emrsn.co.uk:80
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.controltechniques.com;192.186.1.100;<local>
     O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
     O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
     O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
     O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
     O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
     O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
     O4 - HKLM\..\Run: [Check Point Endpoint Tray Application] C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe
     O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
     O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
     O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
     O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
     O15 - Trusted Zone: http://lx-gbnew-app.controltechniques.ia.priv
     O15 - Trusted Zone: http://lx-gbnew-tst.controltechniques.ia.priv
     O15 - Trusted Zone: http://lx-gbnew-app.controltechniques.ia.priv (HKLM)
     O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
     O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
     O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
     O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203422187479
     O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227783639184
     O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emrsn.org
     O17 - HKLM\Software\..\Telephony: DomainName = emrsn.org
     O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emrsn.org
     O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emrsn.org
     O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
     O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
     O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
     O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
     O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
     O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
     O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
     O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
     O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
     O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
     O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
     O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
     O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
     O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
     O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe
     O23 - Service: Pointsec - Check Point Software Tech Ltd - C:\WINDOWS\system32\Prot_srv.exe
     O23 - Service: Pointsec Service Start (Pointsec_start) - Check Point Software Tech Ltd - C:\WINDOWS\system32\pstartSr.exe
     O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
     O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
     O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
     O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
     O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
     O23 - Service: TcEventLogger - Unknown owner - C:\TwinCAT\EventLogger\TcEventLogger.exe
     O23 - Service: TwinCAT System Service - BECKHOFF Automation - C:\TwinCAT\TCATSysSrv.exe
     O23 - Service: VERISMIC PowerManager Client - VERISMIC Software - C:\Program Files\VERISMIC\PowerManager\Client\VERISMIC.PowerManager.ClientService.exe

     --
     End of file - 10136 bytes
  9. In safe mode it worked. Here is the log:
Kind regards, David
  10. Unfortunately there is no log to be found. To be on the safe side I ran ComboFix once more, but with the same result. I'm afraid that wretched Symantec Endpoint Protection is the cause of this, and I can't disable it. Apart from that Disable option, is there no other way to turn it off? Kind regards, David
  11. I had ComboFix run. Unfortunately I can't disable Symantec Endpoint Protection; the Disable option is not accessible. I ran ComboFix anyway. ComboFix ran everything up to the point of the log file; then the computer crashed and I had to restart it myself. It then gave the following error: Windows has recovered from a serious error (or something like that) BCCode : 1000008e BCP1 : 80000004 BCP2 : 8054B97F BCP3 : 9EE16888 BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 256_1 It still starts up slowly; any more suggestions? Kind regards, David
  12. Sorry Tim, a small error crept into the first post. No, the PC responds normally during ordinary work. One more remark: sometimes, when I have to press Ctrl + Alt + Del to log in right after the PC has started, it takes a very long time before the screen with the Username and Password appears. There is no regularity to this, though; sometimes it comes up almost immediately. @Kape The two URLs look familiar to me from my work: emrsn.org probably comes from Emerson; Control Techniques is a subsidiary of Emerson. I did what you asked with HijackThis, but the result remains the same. Kind regards, David
  13. Dear all, my PC starts up very slowly. Booting takes as long as 20 to 25 minutes. Shutting down is reasonable. It starts from the log-in onwards... What I have already done: Symantec virus scanner (found nothing); AVG virus scanner (found nothing); MalwareBytes (found nothing); CCleaner (+/-90 threats found and fixed); TweakNow RegCleaner (another 3 threats found and fixed); ran Windows defragmentation (cannot put everything back in order); uninstalled a lot of junk programs that were not relevant. Then I took a HijackThis log. I hope one of you can help me ...
- c:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe O23 - Service: TcEventLogger - Unknown owner - C:\TwinCAT\EventLogger\TcEventLogger.exe O23 - Service: TwinCAT System Service - BECKHOFF Automation - C:\TwinCAT\TCATSysSrv.exe O23 - Service: VERISMIC PowerManager Client - VERISMIC Software - C:\Program Files\VERISMIC\PowerManager\Client\VERISMIC.PowerManager.ClientService.exe -- End of file - 10960 bytes met vriendelijke groeten David
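Triaging a HijackThis log like the one above is mostly a matter of knowing which section types deserve the first look: O15 trusted-zone sites (IE runs them with relaxed security), O16 downloaded ActiveX controls and where they came from, O17 domain and name-server settings, O23 services whose vendor string HijackThis could not read, and O4 autoruns outside the usual system directories. The parser below is an added example, not code from the poster or from HijackThis. Its sample lines are constructed from the shapes seen in this log, the EXPECTED_DPF_HOSTS list and the flagging rules are assumptions, and a flag only orders review: in this log the O15 intranet hosts, the emrsn.org domain and the 129.111.x name servers sit alongside LANDesk and Pointsec services, which is what a centrally managed corporate workstation looks like, so those entries would be confirmed with IT rather than removed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a few lines in the HijackThis "Oxx - ..." layout, modelled on
# the shapes in the log above (not the full log).
SAMPLE_LOG = r"""
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O15 - Trusted Zone: http://lx-gbnew-app.controltechniques.ia.priv (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - Pagina niet gevonden | Facebook
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CE5E879-8E5F-4D40-A81C-2E9661431801}: NameServer = 129.111.0.5,129.111.1.14
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TcEventLogger - Unknown owner - C:\TwinCAT\EventLogger\TcEventLogger.exe
"""

# Assumption: ActiveX download hosts a triager would not put at the top of the list.
EXPECTED_DPF_HOSTS = ("microsoft.com", "symantec.com", "hotmail.com")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Split a HijackThis log into (section, body) entries; non-entry lines are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def _host_in(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(entries):
    """Attach review flags; a flag means 'look at this first', not 'malicious'."""
    for e in entries:
        if e.section == "O15":
            # Trusted-zone sites get relaxed IE security; confirm each one is intended.
            e.flags.append("trusted-zone")
        elif e.section == "O16":
            url = e.body.rsplit(" - ", 1)[-1]
            host = (urlparse(url).hostname or "").lower()
            if not _host_in(host, EXPECTED_DPF_HOSTS):
                # Also catches a URL the forum replaced with a page title (no hostname).
                e.flags.append("third-party-activex:" + (host or "no-url"))
        elif e.section == "O17":
            m = re.search(r"NameServer = (.+)$", e.body)
            if m:
                e.flags.append("dns-override:" + m.group(1).strip())
        elif e.section == "O23":
            if " - Unknown owner - " in e.body:
                # HijackThis could not read a vendor string; check the binary's signature.
                e.flags.append("service-unknown-owner")
        elif e.section == "O4":
            m = re.search(r"\] (.+?)(?: \(User |$)", e.body)
            path = (m.group(1) if m else "").lower()
            if not path.startswith(("c:\\windows\\", "c:\\program files\\")):
                e.flags.append("autorun-outside-system-dirs")
    return [e for e in entries if e.flags]


def triage_log(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(e.section, ", ".join(e.flags), "|", e.body)
```

Run against the sample it prints five entries: the trusted-zone host, the two ActiveX controls not served from an expected host (one of them because the forum replaced its URL with a page title, so there is no hostname to judge), the NameServer override, and the TwinCAT service whose owner could not be read; the CTFMON autorun and the Symantec LiveUpdate service are not listed.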
  14. For some time now my PC has been starting up very slowly. It even takes 20 to 25 minutes before all the icons are on the XP taskbar. Shutting down is reasonable. What I have done: Symantec virus scanner (nothing found); MalwareBytes (nothing found); ran CCleaner (+/-90 thre ran TweakNow RegCleaner