
remove trojan horse



Open a Notepad file.

Copy and paste the bold text below into it.

File::

c:\windows\system32\mmf(10)(3).sys

c:\windows\system32\mmf(2)(2).sys

c:\windows\system32\mmf(2).sys

c:\windows\system32\mmf(3).sys

c:\windows\system32\mmf(4)(3).sys

c:\windows\system32\mmf(4)(4).sys

c:\windows\system32\mmf(5)(3).sys

c:\windows\system32\mmf(6)(3).sys

c:\windows\system32\mmf(7)(3).sys

c:\windows\system32\mmf(8)(3).sys

c:\windows\system32\mmf(9)(3).sys

Folder::

c:\program files\Boonty

c:\program files\BoontyGames

Save this file to your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix restart. Reboot if you are asked to.

After the restart, post the contents of Combofix.txt in your next message together with a new HijackThis log.


combofix log

ComboFix 10-04-09.06 - XP 10/04/2010 19:34:41.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.32.1043.18.512.208 [GMT 2:00]

Gestart vanuit: c:\documents and settings\XP\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\XP\Bureaublad\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\system32\mmf(10)(3).sys"

"c:\windows\system32\mmf(2)(2).sys"

"c:\windows\system32\mmf(2).sys"

"c:\windows\system32\mmf(3).sys"

"c:\windows\system32\mmf(4)(3).sys"

"c:\windows\system32\mmf(4)(4).sys"

"c:\windows\system32\mmf(5)(3).sys"

"c:\windows\system32\mmf(6)(3).sys"

"c:\windows\system32\mmf(7)(3).sys"

"c:\windows\system32\mmf(8)(3).sys"

"c:\windows\system32\mmf(9)(3).sys"

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Boonty

c:\program files\Boonty\Components\apiprotection_20090720.cab

c:\program files\Boonty\Components\gamepages_616525_20100311.cab

c:\program files\Boonty\Components\sitepages_559_20091216.cab

c:\program files\Boonty\Components\tools\extract.exe

c:\program files\BoontyGames

c:\program files\BoontyGames\616525.ini

c:\program files\BoontyGames\Components\bureau.url

c:\program files\BoontyGames\Components\Joystick.ico

c:\program files\BoontyGames\Components\start.url

c:\program files\BoontyGames\halcyonsun.exe

c:\program files\BoontyGames\moorhuhnkart2.exe

c:\program files\BoontyGames\strategiccommandet.exe

c:\program files\BoontyGames\wildwheels.exe

c:\program files\BoontyGames\youdalegendthegoldenbirdofparadise{616525}.exe.download

c:\windows\system32\mmf(10)(3).sys

c:\windows\system32\mmf(2)(2).sys

c:\windows\system32\mmf(2).sys

c:\windows\system32\mmf(3).sys

c:\windows\system32\mmf(4)(3).sys

c:\windows\system32\mmf(4)(4).sys

c:\windows\system32\mmf(5)(3).sys

c:\windows\system32\mmf(6)(3).sys

c:\windows\system32\mmf(7)(3).sys

c:\windows\system32\mmf(8)(3).sys

c:\windows\system32\mmf(9)(3).sys

.

(((((((((((((((((((( Bestanden Gemaakt van 2010-03-10 to 2010-04-10 ))))))))))))))))))))))))))))))

.

2010-04-09 19:26 . 2010-04-09 19:26 -------- d-----w- C:\$AVG

2010-04-09 19:19 . 2010-04-09 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-04-08 08:18 . 2010-04-08 08:18 -------- d-----w- c:\documents and settings\XP\Application Data\Malwarebytes

2010-04-08 08:16 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-08 08:16 . 2010-04-08 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-08 08:16 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-08 08:16 . 2010-04-08 08:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-05 14:14 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-04-05 14:14 . 2010-04-05 14:14 -------- d-----w- c:\program files\Panda Security

2010-04-05 12:07 . 2010-04-09 19:29 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-28 10:43 . 2010-04-10 17:23 -------- d--h--r- c:\documents and settings\XP\Onlangs geopend

2010-03-28 09:13 . 2010-03-28 09:13 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-28 09:07 . 2010-03-28 09:09 -------- d-----w- c:\program files\Lavasoft

2010-03-28 08:33 . 2010-04-05 12:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-03-23 13:34 . 2010-03-23 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Nevosoft

2010-03-22 14:06 . 2010-03-22 14:06 -------- d-----w- c:\documents and settings\XP\Application Data\Friday's games

2010-03-21 21:52 . 2010-03-21 21:52 -------- d-----w- c:\documents and settings\XP\Application Data\SerpentOfIsis

2010-03-17 18:57 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-03-17 07:59 . 2010-03-17 07:59 -------- d-----w- c:\program files\Giggles Computerpret voor Baby

2010-03-13 12:18 . 2010-03-13 18:18 -------- d-----w- c:\documents and settings\XP\Application Data\SprillRichiEng

2010-03-11 19:14 . 2010-03-11 19:14 -------- d-----w- c:\program files\TrendMicro

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-10 17:31 . 2005-02-10 00:31 841 --sha-w- c:\windows\system32\mmf.sys

2010-04-09 19:25 . 2008-06-06 10:42 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-09 19:25 . 2008-06-06 10:42 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-04-09 19:25 . 2007-11-12 14:40 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-04-09 19:25 . 2008-06-06 10:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-04-09 19:20 . 2008-06-06 10:42 -------- d-----w- c:\program files\AVG

2010-04-09 19:03 . 2006-01-08 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-09 19:01 . 2006-09-09 13:20 -------- d-----w- c:\program files\AIM Productions

2010-04-09 10:00 . 2007-05-16 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-03-28 07:14 . 2010-03-28 07:14 4904 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2010-03-28 07:14 . 2003-04-08 12:00 93292 ----a-w- c:\windows\system32\perfc013.dat

2010-03-28 07:14 . 2003-04-08 12:00 515228 ----a-w- c:\windows\system32\perfh013.dat

2010-03-22 11:08 . 2006-01-08 08:33 -------- d-----w- c:\program files\Hitman Pro

2010-03-22 11:07 . 2004-11-12 20:02 -------- d-----w- c:\documents and settings\XP\Application Data\Lavasoft

2010-03-22 10:32 . 2009-10-21 12:37 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-03-14 12:58 . 2005-12-19 10:11 -------- d-----w- c:\program files\Google

2010-03-11 19:14 . 2010-03-11 19:14 388096 ----a-r- c:\documents and settings\XP\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-03-11 17:44 . 2010-03-11 17:44 -------- d-----w- c:\documents and settings\XP\Application Data\YoudaGames

2010-03-11 12:38 . 2004-02-06 16:09 832512 ------w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2009-07-26 09:58 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2003-04-08 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-05 18:07 . 2003-12-18 12:19 -------- d-----w- c:\program files\Common Files\Adobe

2010-03-01 19:34 . 2010-03-01 19:34 -------- d-----w- c:\program files\Common Files\SWF Studio

2010-02-28 11:56 . 2007-07-29 05:53 -------- d-----w- c:\documents and settings\XP\Application Data\Big Fish Games

2010-02-28 08:24 . 2010-02-23 17:51 -------- d-----w- c:\documents and settings\XP\Application Data\ElementalsTheMagicKey

2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-01-17 15:00 . 2003-12-21 18:53 53376 -c--a-w- c:\documents and settings\XP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2008-04-06 07:04 . 2008-04-06 07:04 0 -c--a-w- c:\program files\temp01

2006-08-11 13:21 . 2006-08-11 13:21 774144 -c--a-w- c:\program files\RngInterstitial.dll

2006-03-05 14:37 . 2006-03-05 14:37 4269636 -c--a-w- c:\program files\freaksroomescape.rar

2005-12-19 13:43 . 2005-12-19 13:43 560 -c--a-w- c:\program files\Global.sw

2004-09-20 16:44 . 2004-09-20 16:44 8044544 -c--a-w- c:\program files\virusscan7.exe

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-09-24 49152]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-16 68856]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-25 95632]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CloseDNF"="c:\windows\System32\Utility.exe \1008" [X]

"AME_CSA"="amecsa.cpl" [2002-10-03 782336]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-09-24 5033984]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-04-09 19:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-12-11 14:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-22 00:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2007-04-03 22:29 165784 -c--a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2008-12-08 13:50 54576 -c--a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]

2007-08-22 15:31 80896 -c--a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2007-11-15 12:11 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2003-09-24 11:32 5033984 ----a-r- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2003-09-24 11:32 741376 ----a-r- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-11-14 22:43 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]

2002-10-11 17:26 98304 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-09-06 07:34 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dxdiag.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:RSP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/04/2010 16:14 28552]

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [6/12/2005 17:11 35328]

R1 as6eio;as6eio;c:\windows\system32\drivers\AS6EIO.SYS [14/01/2004 14:32 3616]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/06/2008 12:42 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/06/2008 12:42 242696]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [9/04/2010 21:22 308064]

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/04/2007 19:07 682232]

S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]

S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [10/02/2005 2:31 2560]

S3 AmeAtmPc;AmeAtmPc;c:\windows\system32\drivers\ameatmpc.sys [18/12/2003 21:27 110179]

S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]

S3 AtmElan;ATM geëmuleerde LAN;c:\windows\system32\drivers\atmlane.sys [8/04/2003 14:00 55808]

S3 AtmLane;ATM LAN-emulatie;c:\windows\system32\drivers\atmlane.sys [8/04/2003 14:00 55808]

S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Inhoud van de 'Gedeelde Taken' map

2010-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2010-04-10 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-16 18:42]

2010-04-07 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2010-04-10 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2010-04-10 c:\windows\Tasks\User_Feed_Synchronization-{111BC756-D160-42A8-A6EA-C96F9481B73C}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:58]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.skynet.be/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: dexia.be\directnet

Trusted Zone: vlimmerensport.be\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game16.zylomgames.com/activex/zylomgamesplayer.cab

DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} - hxxp://game12.zylomgames.com/activex/zylomloader.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-04-10 19:50

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------


.

Voltooingstijd: 2010-04-10 20:00:54

ComboFix-quarantined-files.txt 2010-04-10 18:00

ComboFix2.txt 2010-04-10 11:49

Pre-Run: 25.107.660.800 bytes beschikbaar

Post-Run: 24.775.417.856 bytes beschikbaar

- - End Of File - - 5C686610F074469E99197101E975D0A2

HJT log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 20:04:49, on 10/04/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Skynet.be - LE portail belge – DE Belgische portaalsite!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx

O4 - HKLM\..\Run: [CloseDNF] C:\WINDOWS\System32\Utility.exe \1008

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: HP Slim selecteren - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: Kon. Vlimmeren Sport | www.vlimmerensport.be | Welkom

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://belgacom.extrafilm.be/ImageUploader5.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161467017953

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://belgacom.extrafilm.be/ImageUploader4.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game16.zylomgames.com/activex/zylomgamesplayer.cab

O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://game12.zylomgames.com/activex/zylomloader.cab

O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - The New InstantAction - Real PC Gaming in Your Browser

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5087/mcfscan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 8857 bytes
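As an added example (not part of this thread, and not ComboFix's own code), a small Python script that parses a CFScript like the one the helper posted and then checks the "Andere Verwijderingen" section of the ComboFix log above to confirm which of the requested files and folders were actually removed. The sample script and log excerpt are constructed from this thread, with one file and one folder deliberately left out of the removal section; the section titles are assumed to match ComboFix's output as shown in the log.

```python
import re

# Constructed sample CFScript, shortened from the helper's post above.
CFSCRIPT = r"""File::
c:\windows\system32\mmf(2).sys
c:\windows\system32\mmf(3).sys
Folder::
c:\program files\Boonty
c:\program files\BoontyGames
"""

# Constructed excerpt of the posted ComboFix log; mmf(3).sys and the
# BoontyGames folder are deliberately absent from the removal section.
COMBOFIX_LOG = r"""ComboFix 10-04-09.06 - XP 10/04/2010 19:34:41.2.1 - x86
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Boonty
c:\program files\Boonty\Components\tools\extract.exe
c:\windows\system32\mmf(2).sys
.
(((((((((((((((((((( Bestanden Gemaakt van 2010-03-10 to 2010-04-10 ))))))))))))))))))))))))))))))
.
2010-04-08 08:16 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# ComboFix marks a section title with runs of parentheses on both sides.
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def parse_cfscript(text):
    """Parse CFScript text into {'File': [paths], 'Folder': [paths]} (lower-cased)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # directive header such as File:: or Folder::
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"path before any directive: {line!r}")
        else:
            sections[current].append(line.lower())
    return sections


def parse_combofix_sections(text):
    """Split a ComboFix log into {section title: [non-empty lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # ComboFix pads sections with lone dots
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def verify_removals(script_text, log_text, section="Andere Verwijderingen"):
    """Return (confirmed, missing): which requested paths appear in the removal section."""
    removed = {line.lower() for line in parse_combofix_sections(log_text).get(section, [])}
    requested = [p for paths in parse_cfscript(script_text).values() for p in paths]
    confirmed = [p for p in requested if p in removed]
    missing = [p for p in requested if p not in removed]
    return confirmed, missing


if __name__ == "__main__":
    done, left = verify_removals(CFSCRIPT, COMBOFIX_LOG)
    print("removed as requested:", *done, sep="\n  ")
    print("not listed as removed:", *left, sep="\n  ")
```

Anything reported as "not listed as removed" is what the helper would ask about in the next round, since ComboFix only lists what it actually deleted.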


It already starts up faster. Only opening the Internet start page still takes forever. But once it is open, things go reasonably smoothly. And when I minimise the page and maximise it again, the page comes back in pieces. You can also hear the computer running constantly for the first half hour, which is why I thought the hard disk might be worn out; it is an old beast after all.

But the startup speed of the PC has definitely improved.

I assume I now have to remove combofix and run ccleaner? But I'll wait for further instructions.

I want to thank you in advance for the effort and time you have put into this.


There are still some unnecessary startup items on your PC. You can tackle those now.

Download Codestuff Starter

Start Codestuff Starter

Select the Startup tab ("Automatisch Opstarten") and untick the following items. These programs are started at boot unnecessarily.

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

Then you may indeed remove Combofix and clean up with CCleaner:

Remove Combofix: Start -> Run and type: ComboFix /Uninstall

This will remove Combofix plus its related folders and files, restore the clock settings, hide file extensions again, re-hide hidden files and system files, and create a new restore point.

Download CCleaner. On that page click one of the MajorGeeks mirror sites and the CCleaner download will start automatically and free of charge.

Install it and start CCleaner. In the left column click "Cleaner". Click "Analyze" and then "Run Cleaner". Sometimes one analysis is not enough. You may repeat this procedure until the analysis reports no more issues. Then click "Registry" in the left column and click "Scan for Issues". If issues are found, click "Fix selected issues" and "OK". You will then be asked to make a backup. Click "YES". Then choose "Fix All Selected Issues". Close CCleaner afterwards.

And finally: Crashman's suggestion is worth a try. Install, as a test, a different browser (Firefox, Opera, Chrome or similar) ... and then see whether opening the browser causes the same problems.


Sorry, but I keep bothering you, don't I

I removed ComboFix as you indicated. But I still got this message:

OPGELET! Het is niet veilig om verder te gaan. De inhoud van ComboFix pakket werd gewijzigd.

Nota:Jouw systeem is mogelijk besmet met het polymorfisch "Virut" virus.


this can mean 2 things

1. it is a false alarm from your virus scanner (if that is what it was)

2. a virus/worm really is bothering you by changing the program so that it cannot complete its future scans

You had better keep this nonsense to yourself. It is clear that this is a pop-up from Combofix and has nothing to do with any virus scanner. Anyone can shout loudly ... shouting correctly is what is needed here :sad

---------- Post added at 21:03 ---------- Previous post was at 21:02 ----------

I think it was an alarm from combofix itself. I'll reinstall combofix and have it make a log.
This is indeed a pop-up from Combofix, but it is odd that you got it while removing it. Do what you yourself mention ... download it again and scan. Then we'll look at the log again.