Posts by David Dierickx

  1. And voilà, scan completed

    It took almost 8 hours.

    Log as requested (there are supposed to be trojan horses on it)

    --------------------------------------------------------------------------------

    KASPERSKY ONLINE SCANNER 7.0: scan report

    Thursday, November 11, 2010

    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    Kaspersky Online Scanner version: 7.0.26.13

    Last database update: Wednesday, November 10, 2010 12:49:57

    Records in database: 4251104

    --------------------------------------------------------------------------------

    Scan settings:

    scan using the following database: extended

    Scan archives: yes

    Scan e-mail databases: yes

    Scan area - My Computer:

    C:\

    D:\

    E:\

    G:\

    Scan statistics:

    Objects scanned: 146012

    Threats found: 1

    Infected objects found: 4

    Suspicious objects found: 0

    Scan duration: 07:43:23

    File name / Threat / Threats count

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0A8C0000\4EDDD8EC.VBN Infected: Trojan.JS.Iframe.eu 1

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0A8C0001\4EDDD8FE.VBN Infected: Trojan.JS.Iframe.eu 1

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0A8C0002\4EDDD913.VBN Infected: Trojan.JS.Iframe.eu 1

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0A8C0003\4EDDD924.VBN Infected: Trojan.JS.Iframe.eu 1

    Selected area has been scanned.

    Regards,

    David

  2. OK, that worked

    Here is the ComboFix log

    ComboFix 10-11-07.07 - dierda01 07/11/2010 20:58:07.5.2 - x86 NETWORK

    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.743 [GMT 1:00]

    Running from: c:\documents and settings\dierda01\Desktop\ComboFix.exe

    AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    .

    ((((((((((((((((((((((((( Files Created from 2010-10-07 to 2010-11-07 )))))))))))))))))))))))))))))))

    .

    2010-11-04 19:16 . 2010-11-04 19:16 -------- d-----w- c:\program files\Rittal

    2010-11-02 10:28 . 2010-11-02 10:28 388096 ----a-r- c:\documents and settings\dierda01\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

    2010-11-01 19:28 . 2010-11-01 19:28 -------- d-----w- c:\documents and settings\dierda01\Application Data\AVG10

    2010-11-01 19:26 . 2010-11-01 19:26 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

    2010-11-01 19:24 . 2010-11-01 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

    2010-11-01 19:19 . 2010-11-01 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

    2010-11-01 19:01 . 2010-11-01 19:01 -------- d-----w- c:\program files\CCleaner

    2010-11-01 18:00 . 2010-11-01 18:03 -------- d-----w- c:\program files\TweakNow RegCleaner

    2010-11-01 18:00 . 2010-11-01 18:00 -------- d-----w- c:\documents and settings\dierda01\Application Data\TweakNow RegCleaner

    2010-10-14 06:49 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

    2010-10-14 06:49 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll

    2010-10-14 06:49 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

    2010-10-14 06:49 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-10-25 11:49 . 2010-03-19 13:43 73728 ----a-w- c:\windows\system32\javacpl.cpl

    2010-10-25 11:49 . 2010-04-21 12:32 472808 ----a-w- c:\windows\system32\deployJava1.dll

    2010-09-22 14:00 . 2009-07-24 08:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

    2010-09-22 14:00 . 2009-07-24 08:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

    2010-09-18 10:23 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

    2010-09-18 06:53 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42.dll

    2010-09-18 06:53 . 2004-08-04 08:00 954368 ----a-w- c:\windows\system32\mfc40.dll

    2010-09-18 06:53 . 2004-08-04 08:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

    2010-09-10 21:32 . 2010-09-22 14:04 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys

    2010-09-10 05:58 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll

    2010-09-10 05:58 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

    2010-09-10 05:58 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

    2010-09-01 11:51 . 2004-08-04 08:00 285824 ----a-w- c:\windows\system32\atmfd.dll

    2010-08-31 13:42 . 2004-08-04 08:00 1852800 ----a-w- c:\windows\system32\win32k.sys

    2010-08-27 08:02 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll

    2010-08-27 05:57 . 2004-08-04 08:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

    2010-08-26 13:39 . 2004-08-04 08:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys

    2010-08-26 12:52 . 2009-04-17 07:27 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    2010-08-23 16:12 . 2004-08-04 08:00 617472 ----a-w- c:\windows\system32\comctl32.dll

    2010-08-17 13:17 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

    2010-08-16 08:45 . 2004-08-04 08:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    2007-03-30 11:34 . 2007-08-03 13:06 25263144 ------w- c:\program files\Skype.exe

    2006-12-11 19:58 . 2007-08-03 13:06 826936 ------w- c:\program files\blacklightrootkit.exe

    2006-11-12 12:23 . 2007-08-03 13:06 174163 ------w- c:\program files\utorrent.exe

    2006-11-09 06:29 . 2007-08-03 13:06 2198320 ------w- c:\program files\Procmon.exe

    2006-11-01 12:07 . 2007-08-03 13:06 3623736 ------w- c:\program files\procexp.exe

    2006-11-01 12:07 . 2007-10-31 12:04 363320 ------w- c:\program files\portmon.exe

    2006-09-23 20:05 . 2007-08-03 13:06 340992 ------w- c:\program files\FolderSize.exe

    2006-08-09 10:56 . 2007-08-03 13:06 1413120 ------w- c:\program files\WinsockXPFix.exe

    2006-07-10 12:22 . 2007-08-03 13:06 398912 ------w- c:\program files\autoruns.exe

    2006-07-10 12:21 . 2007-08-03 13:06 294912 ------w- c:\program files\autorunsc.exe

    2006-06-27 22:05 . 2007-08-03 13:06 262144 ------w- c:\program files\xp-AntiSpy.exe

    2006-03-24 10:33 . 2007-08-03 13:06 69632 ------w- c:\program files\Contig.exe

    2006-02-18 01:50 . 2007-08-03 13:06 1024000 ------w- c:\program files\vncviewer.exe

    2006-02-17 20:06 . 2007-08-03 13:06 12411150 ------w- c:\program files\YamiPod.exe

    2006-02-01 15:02 . 2007-08-03 13:06 237651 ------w- c:\program files\RootkitRevealer.exe

    2006-01-11 20:31 . 2007-08-03 13:06 992399 ------w- c:\program files\JHymn.exe

    2005-09-20 20:45 . 2007-08-03 13:06 49664 ------w- c:\program files\WMDecode.exe

    2005-07-14 04:06 . 2007-08-03 13:06 98361 ------w- c:\program files\pagedfrg.exe

    2005-06-30 01:07 . 2007-08-03 13:06 181776 ------w- c:\program files\handle.exe

    2005-05-25 16:10 . 2007-08-03 13:06 784896 ------w- c:\program files\DoubleKiller.exe

    2005-04-20 11:07 . 2007-08-03 13:06 106496 ------w- c:\program files\Tcpview.exe

    2005-04-13 13:32 . 2007-08-03 13:06 186368 ------w- c:\program files\LSPFix.exe

    2005-04-09 20:12 . 2007-08-03 13:06 32768 ------w- c:\program files\PPSFix.exe

    2005-04-04 11:15 . 2007-08-03 13:06 53248 ------w- c:\program files\whois.exe

    2005-03-24 11:56 . 2007-08-03 13:06 291792 ------w- c:\program files\vnc-4_1_1_viewer.exe

    2005-03-24 11:56 . 2007-08-03 13:06 291792 ------w- c:\program files\realvncviewer.exe

    2005-03-21 14:03 . 2007-08-03 13:06 345600 ------w- c:\program files\SafeXP.exe

    2005-02-20 09:34 . 2007-08-03 13:06 865792 ------w- c:\program files\ExplorerXP.exe

    2005-02-16 09:06 . 2007-08-03 13:06 218112 ------w- c:\program files\HijackThis.exe

    2005-02-16 07:57 . 2007-08-03 13:06 45056 ------w- c:\program files\streams.exe

    2005-02-13 12:43 . 2007-08-03 13:06 1013211 ------w- c:\program files\tv.exe

    2005-02-01 12:48 . 2007-08-03 13:06 94208 ------w- c:\program files\WINOBJ.EXE

    2005-01-28 21:23 . 2007-08-03 13:06 1036800 ------w- c:\program files\filmerit_21en.exe

    2004-12-21 07:23 . 2007-08-03 13:06 65536 ------w- c:\program files\LISTDLLS.exe

    2004-12-08 13:26 . 2007-08-03 13:06 49152 ------w- c:\program files\junction.exe

    2004-12-01 15:27 . 2007-08-03 13:06 86016 ------w- c:\program files\pslist.exe

    2004-11-29 16:43 . 2007-08-03 13:06 81920 ------w- c:\program files\sherlock2.0.exe

    2004-11-21 07:26 . 2007-08-03 13:06 331776 ------w- c:\program files\emailcatcher.exe

    2004-11-05 11:05 . 2007-08-03 13:06 81920 ------w- c:\program files\logonsessions.exe

    2004-10-03 07:15 . 2007-08-03 13:06 253952 ------w- c:\program files\LockedCopy.exe

    2004-09-22 14:46 . 2007-08-03 13:06 741421 ------w- c:\program files\Bginfo.exe

    2004-09-15 09:39 . 2007-08-03 13:06 585728 ------w- c:\program files\OEView.exe

    2004-08-26 12:04 . 2007-08-03 13:06 159795 ------w- c:\program files\ShareEnum.exe

    2004-08-19 17:18 . 2007-08-03 13:06 343040 ------w- c:\program files\OptimumJPEG.exe

    2004-08-08 14:10 . 2007-08-03 13:06 94208 ------w- c:\program files\tcpvcon.exe

    2004-07-16 08:39 . 2007-08-03 13:06 135168 ------w- c:\program files\tweakol2003.exe

    2004-06-22 13:14 . 2007-08-03 13:06 118784 ------w- c:\program files\Diskmon.exe

    2004-03-20 23:47 . 2007-08-03 13:06 94208 ------w- c:\program files\tweakol.exe

    2004-03-19 23:20 . 2007-08-03 13:06 98304 ------w- c:\program files\DetachOL.exe

    2004-02-27 11:58 . 2007-08-03 13:06 45056 ------w- c:\program files\DriveZ.exe

    2004-01-29 23:10 . 2007-08-03 13:06 208896 ------w- c:\program files\ConfigInspector.exe

    2003-12-30 12:33 . 2007-08-03 13:06 253952 ------w- c:\program files\md5.exe

    2003-12-20 19:57 . 2007-08-03 13:06 224256 ------w- c:\program files\fentun.exe

    2003-07-17 10:19 . 2007-08-03 13:06 5632 ------w- c:\program files\wol.exe

    2003-06-18 10:49 . 2007-08-03 13:06 406528 ------w- c:\program files\UnknownDeviceIdentifier.exe

    2003-04-01 16:08 . 2007-08-03 13:06 16384 ------w- c:\program files\IP_Agent.exe

    2003-03-20 15:43 . 2007-08-03 13:06 73728 ------w- c:\program files\DiskCheckup.exe

    2003-02-21 07:31 . 2007-08-03 13:06 659456 ------w- c:\program files\VCD_PLAY.EXE

    2003-02-10 09:07 . 2007-08-03 13:06 53028 ------w- c:\program files\netio.exe

    2002-03-25 08:52 . 2007-08-03 13:06 644976 ------w- c:\program files\BootVis.exe

    2002-03-19 15:30 . 2007-08-03 13:06 216576 ------w- c:\program files\PowerCalc.exe

    2002-01-02 13:12 . 2007-08-03 13:06 410624 ------w- c:\program files\DNSQuery.exe

    2001-08-23 23:00 . 2007-08-03 13:06 90112 ------w- c:\program files\PlacesBar Editor.exe

    2001-03-04 16:01 . 2007-08-03 13:06 13824 ------w- c:\program files\IP2.exe

    2001-02-21 19:03 . 2007-08-03 13:06 35840 ------w- c:\program files\base64.exe

    2000-11-16 01:01 . 2007-08-03 13:06 210944 ------w- c:\program files\putty.exe

    2000-07-29 06:20 . 2007-08-03 13:06 188416 ------w- c:\program files\TDIMON.EXE

    2000-06-14 09:30 . 2007-08-03 13:06 872448 ------w- c:\program files\EZSMART.exe

    1999-04-12 11:15 . 2007-08-03 13:06 236032 ------w- c:\program files\BINCHUNK.EXE

    1998-08-02 22:53 . 2007-08-03 13:06 287232 ------w- c:\program files\syslog_server.exe

    1998-05-10 16:43 . 2007-08-03 13:06 483840 ------w- c:\program files\SFV32W.exe

    1997-07-09 11:53 . 2007-08-03 13:06 40960 ------w- c:\program files\MAPIMAIL.EXE

    1997-04-04 15:04 . 2007-08-03 13:06 513536 ------w- c:\program files\TFTPd.exe

    1996-11-20 16:35 . 2007-08-03 13:06 340480 ------w- c:\program files\hexedit.exe

    1996-10-07 07:16 . 2007-08-03 13:06 114176 ------w- c:\program files\wsttcp.exe

    1996-07-28 18:58 . 2007-08-03 13:06 14305 ------w- c:\program files\rawrite.exe

    1996-07-24 18:30 . 2007-08-03 13:06 90144 ------w- c:\program files\WINGIF.EXE

    2009-12-25 10:12 203776 --sh--w- c:\windows\system32\unrar.exe

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]

    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]

    "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]

    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 292152]

    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-20 115560]

    "Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-02-11 70024]

    "Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2010-02-22 858672]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

    BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-100122\Scripts\Logon\0\0]

    "Script"=EnvVar.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-100122\Scripts\Logon\1\0]

    "Script"=IAEMACT-Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-441436\Scripts\Logon\0\0]

    "Script"=EnvVar.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-441436\Scripts\Logon\1\0]

    "Script"=IAEMACT-Logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

    2007-01-05 16:36 872448 ------w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\WINDOWS\\SMINST\\Scheduler.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    "c:\\WINDOWS\\system32\\CBA\\pds.exe"=

    "c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

    "%windir%\\system32\\msgsys.exe"=

    "c:\\Program Files\\Foxit Software\\PDFEdit.exe"=

    "c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "139:TCP"= 139:TCP:@xpsp2res.dll,-22004

    "445:TCP"= 445:TCP:@xpsp2res.dll,-22005

    "137:UDP"= 137:UDP:@xpsp2res.dll,-22001

    "138:UDP"= 138:UDP:@xpsp2res.dll,-22002

    "67:TCP"= 67:TCP:LANDesk® PXE TCP Port

    "67:UDP"= 67:UDP:LANDesk® PXE UDP Port

    "9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port

    "9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

    "AllowInboundEchoRequest"= 1 (0x1)

    R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [22/02/2010 13:32 224816]

    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19/09/2006 17:58 36608]

    S2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [10/11/2009 12:32 155648]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]

    S2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [21/06/2009 07:59 3584]

    S2 glpntdrv;glpntdrv;\??\c:\windows\system32\drivers\glpntdrv.sys --> c:\windows\system32\drivers\glpntdrv.sys [?]

    S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [24/02/2010 15:11 139264]

    S2 MSSQL$SQL_CTSELECT;SQL Server (SQL_CTSELECT);c:\program files\MSSQL.1\MSSQL\Binn\sqlservr.exe [27/05/2009 02:27 29262680]

    S2 Peakcan;Peakcan;c:\windows\system32\drivers\Peakcan.sys [11/09/2008 15:15 87904]

    S2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [22/02/2010 13:33 649776]

    S2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [22/02/2010 13:33 231984]

    S2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [24/02/2010 15:11 385024]

    S2 SsfdcPp;Parallel Port Ssfdc Programmer Driver;c:\windows\system32\drivers\SsfdcPp.sys [30/09/2008 09:12 14604]

    S2 TcCam;TwinCAT CAM Server;c:\twincat\Driver\TCCam.sys [17/04/2008 13:24 192563]

    S2 TcEventLogger;TcEventLogger;c:\twincat\EventLogger\TcEventLogger.exe [17/04/2008 13:24 249932]

    S2 TcIo;TwinCAT IO Server;c:\twincat\Driver\TcIo.sys [17/04/2008 13:24 1154048]

    S2 TcPlc;TwinCAT IEC1131 Server;c:\twincat\Driver\TcPlc.sys [17/04/2008 13:24 390709]

    S2 TcRouter;TwinCAT Router Server;c:\twincat\Driver\TCRouter.sys [17/04/2008 13:24 186880]

    S2 TcRTime;TwinCAT Realtime Server;c:\twincat\Driver\TCRtime.sys [17/04/2008 13:24 138752]

    S2 TwinCAT System Service;TwinCAT System Service;c:\twincat\TCATSysSrv.exe [17/04/2008 13:24 622652]

    S2 VERISMIC PowerManager Client;VERISMIC PowerManager Client;c:\program files\VERISMIC\PowerManager\Client\VERISMIC.PowerManager.ClientService.exe [26/03/2010 08:29 424960]

    S2 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\ddcdrv.sys [13/08/2010 08:55 10240]

    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [16/03/2009 11:25 23888]

    S3 ctndrvd;CTNet NT Driver;c:\windows\system32\drivers\ctndrv2.sys [06/08/2007 08:01 6488]

    S3 CTNDRVWDM;CTNet Driver (WDM);c:\windows\system32\drivers\ctndrwdm.sys [03/10/2002 09:45 5145]

    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/05/2010 11:08 102448]

    S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [08/01/2009 17:00 11904]

    S3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [08/01/2009 17:00 3328]

    S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [08/01/2009 17:00 3712]

    S3 pcan_usb;PCAN-USB Device Driver;c:\windows\system32\drivers\pcan_usb.sys [01/03/2003 01:42 201175]

    S3 R-ImageDisk;R-ImageDisk;\??\c:\docume~1\dierda01\LOCALS~1\Temp\RarSFX0\R-ImageDisk.sys --> c:\docume~1\dierda01\LOCALS~1\Temp\RarSFX0\R-ImageDisk.sys [?]

    S3 SMA_USBBus;SMA USB Serial Converter;c:\windows\system32\drivers\FTD2XX.sys [17/01/2010 18:05 29292]

    S3 TrioUSB;TrioUSB;c:\windows\system32\drivers\TrioUSB.sys [25/10/2007 09:11 9984]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

    2007-04-19 20:23 452136 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.skynet.be

    uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

    uInternet Settings,ProxyServer = europroxy.emrsn.co.uk:80

    uInternet Settings,ProxyOverride = www.controltechniques.com;192.186.1.100;<local>

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    Trusted Zone: ia.priv\lx-gbnew-app.controltechniques

    Trusted Zone: ia.priv\lx-gbnew-tst.controltechniques

    Trusted Zone: ia.priv\lx-gbnew-app.controltechniques

    .

    **************************************************************************

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

    scanning hidden files ...

    scan completed successfully

    hidden files:

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1212)

    c:\windows\system32\pssogina.dll

    c:\windows\system32\LogonAgentAPI.dll

    c:\windows\system32\msi.dll

    - - - - - - - > 'explorer.exe'(1300)

    c:\windows\system32\WININET.dll

    .

    Completion time: 2010-11-07 21:06:05

    ComboFix-quarantined-files.txt 2010-11-07 20:06

    Pre-Run: 43,820,736,512 bytes free

    Post-Run: 43,820,982,272 bytes free

    - - End Of File - - E6412A14EAEA5DAF8144CD7E6476D194

    Regards,

    David

  3. I ran ComboFix with the file CFScript.txt

    Everything ran, but the log is no longer being created, not even in safe mode.

    After that I ran HijackThis

    Log:

    Logfile of Trend Micro HijackThis v2.0.4

    Scan saved at 13:01:03, on 04/11/2010

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    C:\WINDOWS\system32\Prot_srv.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe

    C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

    C:\Program Files\LANDesk\Shared Files\residentagent.exe

    C:\Program Files\LANDesk\LDClient\LocalSch.EXE

    C:\WINDOWS\system32\CBA\pds.exe

    C:\Program Files\LANDesk\LDClient\tmcsvc.exe

    C:\PROGRA~1\LANDesk\LDClient\issuser.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\PROGRA~1\LANDesk\LDClient\collector.exe

    C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

    c:\Program Files\MSSQL.1\MSSQL\Binn\sqlservr.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\pstartSr.exe

    C:\Program Files\LANDesk\LDClient\softmon.exe

    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    C:\TwinCAT\EventLogger\TcEventLogger.exe

    C:\TwinCAT\TCATSysSrv.exe

    C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

    C:\PROGRA~1\LANDesk\LDClient\rcgui.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Skynet.be - LE portail belge – DE Belgische portaalsite!

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = HP® - Laptops, Desktop, Printers, Servers, and more

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = europroxy.emrsn.co.uk:80

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.controltechniques.com;192.186.1.100;<local>

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe

    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [Check Point Endpoint Tray Application] C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe

    O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

    O15 - Trusted Zone: http://lx-gbnew-app.controltechniques.ia.priv

    O15 - Trusted Zone: http://lx-gbnew-tst.controltechniques.ia.priv

    O15 - Trusted Zone: http://lx-gbnew-app.controltechniques.ia.priv (HKLM)

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203422187479

    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227783639184

    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emrsn.org

    O17 - HKLM\Software\..\Telephony: DomainName = emrsn.org

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emrsn.org

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emrsn.org

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE

    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe

    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe

    O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

    O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

    O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe

    O23 - Service: Pointsec - Check Point Software Tech Ltd - C:\WINDOWS\system32\Prot_srv.exe

    O23 - Service: Pointsec Service Start (Pointsec_start) - Check Point Software Tech Ltd - C:\WINDOWS\system32\pstartSr.exe

    O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe

    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    O23 - Service: TcEventLogger - Unknown owner - C:\TwinCAT\EventLogger\TcEventLogger.exe

    O23 - Service: TwinCAT System Service - BECKHOFF Automation - C:\TwinCAT\TCATSysSrv.exe

    O23 - Service: VERISMIC PowerManager Client - VERISMIC Software - C:\Program Files\VERISMIC\PowerManager\Client\VERISMIC.PowerManager.ClientService.exe

    --

    End of file - 10136 bytes

  4. It worked in safe mode

    Here is the log

    ComboFix 10-11-02.06 - dierda01 04/11/2010 0:12.3.2 - x86 NETWORK

    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.743 [GMT 1:00]

    Running from: c:\documents and settings\dierda01\Desktop\ComboFix.exe

    AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    -------\Service_Security

    ((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))

    .

    2010-11-03 07:33 . 2010-11-03 07:33 114688 ----a-w- c:\windows\system32\chg.exe

    2010-11-02 10:28 . 2010-11-02 10:28 388096 ----a-r- c:\documents and settings\dierda01\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

    2010-11-01 19:28 . 2010-11-01 19:28 -------- d-----w- c:\documents and settings\dierda01\Application Data\AVG10

    2010-11-01 19:26 . 2010-11-01 19:26 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

    2010-11-01 19:24 . 2010-11-01 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

    2010-11-01 19:19 . 2010-11-01 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

    2010-11-01 19:01 . 2010-11-01 19:01 -------- d-----w- c:\program files\CCleaner

    2010-11-01 18:00 . 2010-11-01 18:03 -------- d-----w- c:\program files\TweakNow RegCleaner

    2010-11-01 18:00 . 2010-11-01 18:00 -------- d-----w- c:\documents and settings\dierda01\Application Data\TweakNow RegCleaner

    2010-10-14 06:49 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

    2010-10-14 06:49 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll

    2010-10-14 06:49 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

    2010-10-14 06:49 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-10-25 11:49 . 2010-03-19 13:43 73728 ----a-w- c:\windows\system32\javacpl.cpl

    2010-10-25 11:49 . 2010-04-21 12:32 472808 ----a-w- c:\windows\system32\deployJava1.dll

    2010-09-22 14:00 . 2009-07-24 08:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

    2010-09-22 14:00 . 2009-07-24 08:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

    2010-09-18 10:23 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

    2010-09-18 06:53 . 2004-08-04 08:00 974848 ----a-w- c:\windows\system32\mfc42.dll

    2010-09-18 06:53 . 2004-08-04 08:00 954368 ----a-w- c:\windows\system32\mfc40.dll

    2010-09-18 06:53 . 2004-08-04 08:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

    2010-09-10 21:32 . 2010-09-22 14:04 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys

    2010-09-10 05:58 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll

    2010-09-10 05:58 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

    2010-09-10 05:58 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

    2010-09-01 11:51 . 2004-08-04 08:00 285824 ----a-w- c:\windows\system32\atmfd.dll

    2010-08-31 13:42 . 2004-08-04 08:00 1852800 ----a-w- c:\windows\system32\win32k.sys

    2010-08-27 08:02 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll

    2010-08-27 05:57 . 2004-08-04 08:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

    2010-08-26 13:39 . 2004-08-04 08:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys

    2010-08-26 12:52 . 2009-04-17 07:27 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    2010-08-23 16:12 . 2004-08-04 08:00 617472 ----a-w- c:\windows\system32\comctl32.dll

    2010-08-17 13:17 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

    2010-08-16 08:45 . 2004-08-04 08:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    2007-03-30 11:34 . 2007-08-03 13:06 25263144 ------w- c:\program files\Skype.exe

    2006-12-11 19:58 . 2007-08-03 13:06 826936 ------w- c:\program files\blacklightrootkit.exe

    2006-11-12 12:23 . 2007-08-03 13:06 174163 ------w- c:\program files\utorrent.exe

    2006-11-09 06:29 . 2007-08-03 13:06 2198320 ------w- c:\program files\Procmon.exe

    2006-11-01 12:07 . 2007-08-03 13:06 3623736 ------w- c:\program files\procexp.exe

    2006-11-01 12:07 . 2007-10-31 12:04 363320 ------w- c:\program files\portmon.exe

    2006-09-23 20:05 . 2007-08-03 13:06 340992 ------w- c:\program files\FolderSize.exe

    2006-08-09 10:56 . 2007-08-03 13:06 1413120 ------w- c:\program files\WinsockXPFix.exe

    2006-07-10 12:22 . 2007-08-03 13:06 398912 ------w- c:\program files\autoruns.exe

    2006-07-10 12:21 . 2007-08-03 13:06 294912 ------w- c:\program files\autorunsc.exe

    2006-06-27 22:05 . 2007-08-03 13:06 262144 ------w- c:\program files\xp-AntiSpy.exe

    2006-03-24 10:33 . 2007-08-03 13:06 69632 ------w- c:\program files\Contig.exe

    2006-02-18 01:50 . 2007-08-03 13:06 1024000 ------w- c:\program files\vncviewer.exe

    2006-02-17 20:06 . 2007-08-03 13:06 12411150 ------w- c:\program files\YamiPod.exe

    2006-02-01 15:02 . 2007-08-03 13:06 237651 ------w- c:\program files\RootkitRevealer.exe

    2006-01-11 20:31 . 2007-08-03 13:06 992399 ------w- c:\program files\JHymn.exe

    2005-12-04 18:00 . 2007-08-03 13:06 79384 ------w- c:\program files\xpy.exe

    2005-10-27 07:57 . 2007-08-03 13:06 36864 ------w- c:\program files\sync.exe

    2005-09-20 20:45 . 2007-08-03 13:06 49664 ------w- c:\program files\WMDecode.exe

    2005-07-14 04:06 . 2007-08-03 13:06 98361 ------w- c:\program files\pagedfrg.exe

    2005-06-30 01:07 . 2007-08-03 13:06 181776 ------w- c:\program files\handle.exe

    2005-05-25 16:10 . 2007-08-03 13:06 784896 ------w- c:\program files\DoubleKiller.exe

    2005-04-20 11:07 . 2007-08-03 13:06 106496 ------w- c:\program files\Tcpview.exe

    2005-04-13 13:32 . 2007-08-03 13:06 186368 ------w- c:\program files\LSPFix.exe

    2005-04-09 20:12 . 2007-08-03 13:06 32768 ------w- c:\program files\PPSFix.exe

    2005-04-04 11:15 . 2007-08-03 13:06 53248 ------w- c:\program files\whois.exe

    2005-03-24 11:56 . 2007-08-03 13:06 291792 ------w- c:\program files\vnc-4_1_1_viewer.exe

    2005-03-24 11:56 . 2007-08-03 13:06 291792 ------w- c:\program files\realvncviewer.exe

    2005-03-21 14:03 . 2007-08-03 13:06 345600 ------w- c:\program files\SafeXP.exe

    2005-02-20 09:34 . 2007-08-03 13:06 865792 ------w- c:\program files\ExplorerXP.exe

    2005-02-16 09:06 . 2007-08-03 13:06 218112 ------w- c:\program files\HijackThis.exe

    2005-02-16 07:57 . 2007-08-03 13:06 45056 ------w- c:\program files\streams.exe

    2005-02-13 12:43 . 2007-08-03 13:06 1013211 ------w- c:\program files\tv.exe

    2005-02-01 12:48 . 2007-08-03 13:06 94208 ------w- c:\program files\WINOBJ.EXE

    2005-01-28 21:23 . 2007-08-03 13:06 1036800 ------w- c:\program files\filmerit_21en.exe

    2004-12-21 07:23 . 2007-08-03 13:06 65536 ------w- c:\program files\LISTDLLS.exe

    2004-12-08 13:26 . 2007-08-03 13:06 49152 ------w- c:\program files\junction.exe

    2004-12-01 15:27 . 2007-08-03 13:06 86016 ------w- c:\program files\pslist.exe

    2004-11-29 16:43 . 2007-08-03 13:06 81920 ------w- c:\program files\sherlock2.0.exe

    2004-11-21 07:26 . 2007-08-03 13:06 331776 ------w- c:\program files\emailcatcher.exe

    2004-11-05 11:05 . 2007-08-03 13:06 81920 ------w- c:\program files\logonsessions.exe

    2004-10-03 07:15 . 2007-08-03 13:06 253952 ------w- c:\program files\LockedCopy.exe

    2004-09-22 14:46 . 2007-08-03 13:06 741421 ------w- c:\program files\Bginfo.exe

    2004-09-15 09:39 . 2007-08-03 13:06 585728 ------w- c:\program files\OEView.exe

    2004-08-26 12:04 . 2007-08-03 13:06 159795 ------w- c:\program files\ShareEnum.exe

    2004-08-19 17:18 . 2007-08-03 13:06 343040 ------w- c:\program files\OptimumJPEG.exe

    2004-08-08 14:10 . 2007-08-03 13:06 94208 ------w- c:\program files\tcpvcon.exe

    2004-07-16 08:39 . 2007-08-03 13:06 135168 ------w- c:\program files\tweakol2003.exe

    2004-06-22 13:14 . 2007-08-03 13:06 118784 ------w- c:\program files\Diskmon.exe

    2004-03-20 23:47 . 2007-08-03 13:06 94208 ------w- c:\program files\tweakol.exe

    2004-03-19 23:20 . 2007-08-03 13:06 98304 ------w- c:\program files\DetachOL.exe

    2004-02-27 11:58 . 2007-08-03 13:06 45056 ------w- c:\program files\DriveZ.exe

    2004-01-29 23:10 . 2007-08-03 13:06 208896 ------w- c:\program files\ConfigInspector.exe

    2003-12-30 12:33 . 2007-08-03 13:06 253952 ------w- c:\program files\md5.exe

    2003-12-20 19:57 . 2007-08-03 13:06 224256 ------w- c:\program files\fentun.exe

    2003-07-17 10:19 . 2007-08-03 13:06 5632 ------w- c:\program files\wol.exe

    2003-06-18 10:49 . 2007-08-03 13:06 406528 ------w- c:\program files\UnknownDeviceIdentifier.exe

    2003-04-01 16:08 . 2007-08-03 13:06 16384 ------w- c:\program files\IP_Agent.exe

    2003-03-20 15:43 . 2007-08-03 13:06 73728 ------w- c:\program files\DiskCheckup.exe

    2003-02-21 07:31 . 2007-08-03 13:06 659456 ------w- c:\program files\VCD_PLAY.EXE

    2003-02-10 09:07 . 2007-08-03 13:06 53028 ------w- c:\program files\netio.exe

    2002-03-25 08:52 . 2007-08-03 13:06 644976 ------w- c:\program files\BootVis.exe

    2002-03-19 15:30 . 2007-08-03 13:06 216576 ------w- c:\program files\PowerCalc.exe

    2002-01-02 13:12 . 2007-08-03 13:06 410624 ------w- c:\program files\DNSQuery.exe

    2001-08-23 23:00 . 2007-08-03 13:06 90112 ------w- c:\program files\PlacesBar Editor.exe

    2001-03-04 16:01 . 2007-08-03 13:06 13824 ------w- c:\program files\IP2.exe

    2001-02-21 19:03 . 2007-08-03 13:06 35840 ------w- c:\program files\base64.exe

    2000-11-16 01:01 . 2007-08-03 13:06 210944 ------w- c:\program files\putty.exe

    2000-07-29 06:20 . 2007-08-03 13:06 188416 ------w- c:\program files\TDIMON.EXE

    2000-06-14 09:30 . 2007-08-03 13:06 872448 ------w- c:\program files\EZSMART.exe

    2000-03-24 11:16 . 2007-08-03 13:06 617984 ------w- c:\program files\Dup.exe

    1999-04-12 11:15 . 2007-08-03 13:06 236032 ------w- c:\program files\BINCHUNK.EXE

    1998-08-02 22:53 . 2007-08-03 13:06 287232 ------w- c:\program files\syslog_server.exe

    1998-05-10 16:43 . 2007-08-03 13:06 483840 ------w- c:\program files\SFV32W.exe

    1997-07-09 11:53 . 2007-08-03 13:06 40960 ------w- c:\program files\MAPIMAIL.EXE

    1997-04-04 15:04 . 2007-08-03 13:06 513536 ------w- c:\program files\TFTPd.exe

    1996-11-20 16:35 . 2007-08-03 13:06 340480 ------w- c:\program files\hexedit.exe

    1996-10-07 07:16 . 2007-08-03 13:06 114176 ------w- c:\program files\wsttcp.exe

    1996-07-28 18:58 . 2007-08-03 13:06 14305 ------w- c:\program files\rawrite.exe

    2009-12-25 10:12 203776 --sh--w- c:\windows\system32\unrar.exe

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]

    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]

    "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]

    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 292152]

    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-20 115560]

    "Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-02-11 70024]

    "Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2010-02-22 858672]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

    BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-100122\Scripts\Logon\0\0]

    "Script"=EnvVar.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-100122\Scripts\Logon\1\0]

    "Script"=IAEMACT-Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-441436\Scripts\Logon\0\0]

    "Script"=EnvVar.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-1682526488-839522115-441436\Scripts\Logon\1\0]

    "Script"=IAEMACT-Logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

    2007-01-05 16:36 872448 ------w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\WINDOWS\\SMINST\\Scheduler.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    "c:\\WINDOWS\\system32\\CBA\\pds.exe"=

    "c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=

    "%windir%\\system32\\msgsys.exe"=

    "c:\\Program Files\\Foxit Software\\PDFEdit.exe"=

    "c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "139:TCP"= 139:TCP:@xpsp2res.dll,-22004

    "445:TCP"= 445:TCP:@xpsp2res.dll,-22005

    "137:UDP"= 137:UDP:@xpsp2res.dll,-22001

    "138:UDP"= 138:UDP:@xpsp2res.dll,-22002

    "67:TCP"= 67:TCP:LANDesk® PXE TCP Port

    "67:UDP"= 67:UDP:LANDesk® PXE UDP Port

    "9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port

    "9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

    "AllowInboundEchoRequest"= 1 (0x1)

    R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [22/02/2010 13:32 224816]

    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19/09/2006 17:58 36608]

    S2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [10/11/2009 12:32 155648]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]

    S2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [21/06/2009 07:59 3584]

    S2 glpntdrv;glpntdrv;\??\c:\windows\system32\drivers\glpntdrv.sys --> c:\windows\system32\drivers\glpntdrv.sys [?]

    S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [24/02/2010 15:11 139264]

    S2 MSSQL$SQL_CTSELECT;SQL Server (SQL_CTSELECT);c:\program files\MSSQL.1\MSSQL\Binn\sqlservr.exe [27/05/2009 02:27 29262680]

    S2 Peakcan;Peakcan;c:\windows\system32\drivers\Peakcan.sys [11/09/2008 15:15 87904]

    S2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [22/02/2010 13:33 649776]

    S2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [22/02/2010 13:33 231984]

    S2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [24/02/2010 15:11 385024]

    S2 SsfdcPp;Parallel Port Ssfdc Programmer Driver;c:\windows\system32\drivers\SsfdcPp.sys [30/09/2008 09:12 14604]

    S2 TcCam;TwinCAT CAM Server;c:\twincat\Driver\TCCam.sys [17/04/2008 13:24 192563]

    S2 TcEventLogger;TcEventLogger;c:\twincat\EventLogger\TcEventLogger.exe [17/04/2008 13:24 249932]

    S2 TcIo;TwinCAT IO Server;c:\twincat\Driver\TcIo.sys [17/04/2008 13:24 1154048]

    S2 TcPlc;TwinCAT IEC1131 Server;c:\twincat\Driver\TcPlc.sys [17/04/2008 13:24 390709]

    S2 TcRouter;TwinCAT Router Server;c:\twincat\Driver\TCRouter.sys [17/04/2008 13:24 186880]

    S2 TcRTime;TwinCAT Realtime Server;c:\twincat\Driver\TCRtime.sys [17/04/2008 13:24 138752]

    S2 TwinCAT System Service;TwinCAT System Service;c:\twincat\TCATSysSrv.exe [17/04/2008 13:24 622652]

    S2 VERISMIC PowerManager Client;VERISMIC PowerManager Client;c:\program files\VERISMIC\PowerManager\Client\VERISMIC.PowerManager.ClientService.exe [26/03/2010 08:29 424960]

    S2 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\ddcdrv.sys [13/08/2010 08:55 10240]

    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [16/03/2009 11:25 23888]

    S3 ctndrvd;CTNet NT Driver;c:\windows\system32\drivers\ctndrv2.sys [06/08/2007 08:01 6488]

    S3 CTNDRVWDM;CTNet Driver (WDM);c:\windows\system32\drivers\ctndrwdm.sys [03/10/2002 09:45 5145]

    S3 DrvSnSht;DrvSnSht;\??\c:\docume~1\dierda01\LOCALS~1\Temp\RarSFX0\DrvSnSht.sys --> c:\docume~1\dierda01\LOCALS~1\Temp\RarSFX0\DrvSnSht.sys [?]

    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/05/2010 11:08 102448]

    S3 IPCTYPE;IPCTYPE;\??\c:\documents and settings\All Users\Documents\Pro-face\GP-Pro EX 2.2\Simulator\IPCType.sys --> c:\documents and settings\All Users\Documents\Pro-face\GP-Pro EX 2.2\Simulator\IPCType.sys [?]

    S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [08/01/2009 17:00 11904]

    S3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [08/01/2009 17:00 3328]

    S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [08/01/2009 17:00 3712]

    S3 pcan_usb;PCAN-USB Device Driver;c:\windows\system32\drivers\pcan_usb.sys [01/03/2003 01:42 201175]

    S3 PORTMON;PORTMON;\??\c:\program files\PORTMSYS.SYS --> c:\program files\PORTMSYS.SYS [?]

    S3 R-ImageDisk;R-ImageDisk;\??\c:\docume~1\dierda01\LOCALS~1\Temp\RarSFX0\R-ImageDisk.sys --> c:\docume~1\dierda01\LOCALS~1\Temp\RarSFX0\R-ImageDisk.sys [?]

    S3 SMA_USBBus;SMA USB Serial Converter;c:\windows\system32\drivers\FTD2XX.sys [17/01/2010 18:05 29292]

    S3 TrioUSB;TrioUSB;c:\windows\system32\drivers\TrioUSB.sys [25/10/2007 09:11 9984]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - SRTSPL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

    2007-04-19 20:23 452136 ------w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.skynet.be

    uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

    uInternet Settings,ProxyServer = europroxy.emrsn.co.uk:80

    uInternet Settings,ProxyOverride = www.controltechniques.com;192.186.1.100;<local>

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    Trusted Zone: ia.priv\lx-gbnew-app.controltechniques

    Trusted Zone: ia.priv\lx-gbnew-tst.controltechniques

    Trusted Zone: ia.priv\lx-gbnew-app.controltechniques

    .

    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

    SafeBoot-Symantec Antvirus

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

    Rootkit scan 2010-11-04 00:18

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1212)

    c:\windows\system32\pssogina.dll

    c:\windows\system32\LogonAgentAPI.dll

    c:\windows\system32\msi.dll

    - - - - - - - > 'explorer.exe'(268)

    c:\windows\system32\WININET.dll

    c:\windows\system32\msi.dll

    c:\windows\system32\ieframe.dll

    .

    Completion time: 2010-11-04 00:20:31

    ComboFix-quarantined-files.txt 2010-11-03 23:20

    Pre-Run: 39,649,845,248 bytes free

    Post-Run: 39,592,603,648 bytes free

    - - End Of File - - 5323E1E7DFADFED0A5955B999F6A2DB2

    Kind regards

    David

  5. I had ComboFix run.

    Unfortunately I cannot disable Symantec Endpoint Protection

    The Disable option is not accessible.

    I ran ComboFix anyway

    ComboFix ran everything

    up to the point of the log file

    then the computer crashed and I had to restart it myself

    It then gave the following error

    Windows has recovered from a serious error (or something like that)

    BCCode : 1000008e BCP1 : 80000004 BCP2 : 8054B97F BCP3 : 9EE16888

    BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

    Still starts up slowly

    any more suggestions?

    Kind regards

    David

  6. Please don't double post,

    If you want to add or remove something, edit your post.

    Is the PC also slow during use?

    Tim,

    Sorry Tim

    A small error occurred during the first post

    No, the PC responds normally during ordinary work.

    One more remark:

    Sometimes when I have to press Ctrl + Alt + Del to log in right after the PC has started up,
    it takes a very long time before the screen with the Username and Password appears.

    There is no regularity to this, though; sometimes it appears almost immediately

    @Kape

    The two URLs look familiar to me from my work

    emrsn.org probably comes from Emerson

    Control Techniques is a subsidiary of Emerson

    I did what you asked with HijackThis but the result stays the same

    Kind regards

    David

  7. Dear all

    My PC starts up very slowly.

    Starting up even takes up to 20 to 25 minutes

    Shutting down is reasonable.

    It starts from the log-in...

    What I have already done:

    Symantec virus scanner (nothing found)

    AVG virus scanner (nothing found)

    MalwareBytes (nothing found)

    CCleaner (approx. 90 threats found and fixed)

    Tweaknow Regcleaner (another 3 threats found and fixed)

    Ran Windows Defragmentation (cannot put everything back in order)

    Uninstalled a great many junk programs that were not relevant

    Then I took a HijackThis log.

    I hope one of you can help me ...

    Logfile of Trend Micro HijackThis v2.0.4

    Scan saved at 11:33:14, on 02/11/2010

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    C:\WINDOWS\system32\Prot_srv.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe

    C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\LANDesk\Shared Files\residentagent.exe

    C:\Program Files\LANDesk\LDClient\LocalSch.EXE

    C:\WINDOWS\system32\CBA\pds.exe

    C:\Program Files\LANDesk\LDClient\tmcsvc.exe

    C:\PROGRA~1\LANDesk\LDClient\issuser.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

    c:\Program Files\MSSQL.1\MSSQL\Binn\sqlservr.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\LANDesk\LDClient\collector.exe

    C:\WINDOWS\system32\pstartSr.exe

    C:\Program Files\LANDesk\LDClient\softmon.exe

    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    C:\TwinCAT\EventLogger\TcEventLogger.exe

    C:\TwinCAT\TCATSysSrv.exe

    C:\PROGRA~1\LANDesk\LDClient\rcgui.exe

    C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\system32\msiexec.exe

    C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Skynet.be - LE portail belge – DE Belgische portaalsite!

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = HP® - Laptops, Desktop, Printers, Servers, and more

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = europroxy.emrsn.co.uk:80

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.controltechniques.com;192.186.1.100;<local>

    R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe

    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [Check Point Endpoint Tray Application] C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe

    O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

    O15 - Trusted Zone: http://lx-gbnew-app.controltechniques.ia.priv

    O15 - Trusted Zone: http://lx-gbnew-tst.controltechniques.ia.priv

    O15 - Trusted Zone: http://lx-gbnew-app.controltechniques.ia.priv (HKLM)

    O15 - ESC Trusted Zone: http://runonce.msn.com

    O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab

    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - Pagina niet gevonden | Facebook

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203422187479

    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227783639184

    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - Pagina niet gevonden | Facebook

    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emrsn.org

    O17 - HKLM\Software\..\Telephony: DomainName = emrsn.org

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emrsn.org

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emrsn.org

    O17 - HKLM\System\CS2\Services\Tcpip\..\{0CE5E879-8E5F-4D40-A81C-2E9661431801}: NameServer = 129.111.0.5,129.111.1.14

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

    O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE

    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe

    O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe

    O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

    O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

    O23 - Service: Pointsec - Check Point Software Tech Ltd - C:\WINDOWS\system32\Prot_srv.exe

    O23 - Service: Pointsec Service Start (Pointsec_start) - Check Point Software Tech Ltd - C:\WINDOWS\system32\pstartSr.exe

    O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

    O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe

    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    O23 - Service: TcEventLogger - Unknown owner - C:\TwinCAT\EventLogger\TcEventLogger.exe

    O23 - Service: TwinCAT System Service - BECKHOFF Automation - C:\TwinCAT\TCATSysSrv.exe

    O23 - Service: VERISMIC PowerManager Client - VERISMIC Software - C:\Program Files\VERISMIC\PowerManager\Client\VERISMIC.PowerManager.ClientService.exe

    --

    End of file - 10960 bytes

    kind regards

    David
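The HijackThis log above is read by hand in this thread. As an added example (not part of the poster's log, not HijackThis code, and not the helper's method), the script below parses the `Rn - ...` / `Onn - ...` lines and flags the entry classes a responder normally reviews before deciding what to fix: a configured proxy, Trusted Zone additions, hard-coded DNS servers, services with no vendor attribution, and hooks pointing at missing files. The sample input is a constructed subset copied from the posted log; the rule names and the `Entry` class are this example's own. A flag means "look at this", not "malicious": every flagged line in this log can be legitimate on a managed corporate laptop, which is exactly why they are reviewed rather than deleted blindly.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines from the posted log, verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = europroxy.emrsn.co.uk:80
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O15 - Trusted Zone: http://lx-gbnew-app.controltechniques.ia.priv
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CE5E879-8E5F-4D40-A81C-2E9661431801}: NameServer = 129.111.0.5,129.111.1.14
O23 - Service: TcEventLogger - Unknown owner - C:\TwinCAT\EventLogger\TcEventLogger.exe
O23 - Service: Pointsec - Check Point Software Tech Ltd - C:\WINDOWS\system32\Prot_srv.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, O1..O24) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")

# Review rules (assumed for this example): (section code or None = any, substring, flag name).
RULES = [
    ("R1", "ProxyServer", "proxy-configured"),      # all IE traffic goes via this host
    (None, "(no file)", "dangling-reference"),       # hook/autorun whose target is gone
    ("O15", "Trusted Zone", "trusted-zone"),         # sites granted relaxed IE security
    ("O17", "NameServer", "static-dns"),             # DNS servers set per interface
    ("O23", "Unknown owner", "unattributed-service"),# service binary with no vendor string
]


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return one Entry per recognised log line; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = Entry(m["code"], m["body"])
        for code, needle, flag in RULES:
            if (code is None or code == e.code) and needle in e.body:
                e.flags.append(flag)
        entries.append(e)
    return entries


def service_binary(entry):
    """For an O23 line ('Service: name - vendor - path') return the on-disk path, else None."""
    if entry.code != "O23":
        return None
    parts = entry.body.split(" - ", 2)
    return parts[2] if len(parts) == 3 else None


def flag_counts(entries):
    """How many entries carry each flag; a quick size-of-review-queue summary."""
    return Counter(f for e in entries for f in e.flags)


def unattributed_services(entries):
    """Binaries of O23 services HijackThis could not attribute to a vendor."""
    return [service_binary(e) for e in entries if "unattributed-service" in e.flags]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for e in ents:
        if e.flags:
            print(e.code, ",".join(e.flags), "|", e.body[:70])
    print(dict(flag_counts(ents)))
    print("verify signer/hash of:", unattributed_services(ents))
```

Running it on the full log from the post gives the same picture: the proxy, the internal `.ia.priv` Trusted Zone hosts, the static `129.111.x.x` name servers and the TwinCAT service are all things to confirm with the corporate IT owner (the `emrsn.org` domain entries show this is a managed machine), not things to delete, and the one `(no file)` URLSearchHook is harmless leftover that can simply be fixed.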

  8. For some time now my PC has been starting up very slowly.

    Even 20 to 25 minutes before all the icons are on the XP taskbar.

    Shutting down goes reasonably well.

    What I have done:

    Symantec virus scanner (nothing found)

    MalwareBytes (nothing found)

    Ran CCleaner (+/-90 thre

    Ran TweakNow RegCleaner
