
Posted: (edited)

My PC is infected with a Trojan horse in the Windows file Isass.exe.DLL. I have run several scans (AVG, Avast) but cannot get this infection removed.

Can someone help me?

Thank you.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:53:34, on 26/04/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.21183)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\regsvr32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ecosia.org/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {0D3FBB5D-AF15-4912-A132-364BB9BB73A3} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: hotrevenue browser enhancer - {3EE55854-09DF-9E72-31A9-74ECB0C23212} - C:\WINDOWS\system32\xeoqmnsfakr.dll

O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Ecosia Plugin - {7E783154-F54B-4af6-8C01-0A3E744B5DC8} - C:\Program Files\Ecosia\ecosia.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {EA38C044-22C9-4BF0-AC29-C8473353BB22} - c:\windows\system32\lofnryb.dll

O2 - BHO: SmartAds browser enhancer ltquokfy - {F1F0EA1B-F9BB-4EEB-9939-99F1E32366CD} - C:\WINDOWS\system32\ltquokfy.dll

O3 - Toolbar: Ecosia Search - {C8F48FC8-3CA1-42B9-8609-F75D7C8B4493} - C:\Program Files\Ecosia\ecosia.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [himlciillvic] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xeoqmnsfakr.dll"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263370399906

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263370354468

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5962/mcfscan.cab

O17 - HKLM\System\CS1\Services\Tcpip\..\{2BAB888F-205D-4DD8-84BB-D3A07FDD4E94}: NameServer = 193.74.208.65 194.119.228.67

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: IpSect service (darkness) - Unknown owner - C:\WINDOWS\system\lsm.exe (file missing)

O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

--

End of file - 7538 bytes

edited by micheldesmedt
Posted:

I have moved your post to the correct section.

Download HiJackThis

Double-click HJTInstall.exe

HijackThis will now be installed on your PC; a shortcut is placed on your desktop.

HijackThis will open after installation.

Click "Do a system scan and save a logfile".

A Notepad window opens; hold down the CTRL and A keys at the same time, and everything is selected. Hold down the CTRL and C keys at the same time, and everything is copied. Now paste the HJT log into your post with the CTRL and V keys.

N.B.: users of Windows Vista and Windows 7 will first have to right-click HijackThis.exe and choose "Run as Administrator".

Posted:

After going through the procedure, this was the result:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:53:34, on 26/04/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.21183)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\regsvr32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Ecosia

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

O2 - BHO: (no name) - {0D3FBB5D-AF15-4912-A132-364BB9BB73A3} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: hotrevenue browser enhancer - {3EE55854-09DF-9E72-31A9-74ECB0C23212} - C:\WINDOWS\system32\xeoqmnsfakr.dll

O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Ecosia Plugin - {7E783154-F54B-4af6-8C01-0A3E744B5DC8} - C:\Program Files\Ecosia\ecosia.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {EA38C044-22C9-4BF0-AC29-C8473353BB22} - c:\windows\system32\lofnryb.dll

O2 - BHO: SmartAds browser enhancer ltquokfy - {F1F0EA1B-F9BB-4EEB-9939-99F1E32366CD} - C:\WINDOWS\system32\ltquokfy.dll

O3 - Toolbar: Ecosia Search - {C8F48FC8-3CA1-42B9-8609-F75D7C8B4493} - C:\Program Files\Ecosia\ecosia.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [himlciillvic] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xeoqmnsfakr.dll"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263370399906

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263370354468

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5962/mcfscan.cab

O17 - HKLM\System\CS1\Services\Tcpip\..\{2BAB888F-205D-4DD8-84BB-D3A07FDD4E94}: NameServer = 193.74.208.65 194.119.228.67

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: IpSect service (darkness) - Unknown owner - C:\WINDOWS\system\lsm.exe (file missing)

O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

--

End of file - 7538 bytes

Posted:

Go to Start – Run/Search and type: sc stop darkness

Press Enter.

Go to Start – Run/Search and type: sc delete darkness

Press Enter.

Start HijackThis. If you are a Vista user, choose "Run as administrator" (or "Uitvoeren als administrator"). Select "Do a system scan only". Select only the items listed below:

O2 - BHO: (no name) - {0D3FBB5D-AF15-4912-A132-364BB9BB73A3} - (no file)

O2 - BHO: hotrevenue browser enhancer - {3EE55854-09DF-9E72-31A9-74ECB0C23212} - C:\WINDOWS\system32\xeoqmnsfakr.dll

O2 - BHO: Ecosia Plugin - {7E783154-F54B-4af6-8C01-0A3E744B5DC8} - C:\Program Files\Ecosia\ecosia.dll

O2 - BHO: (no name) - {EA38C044-22C9-4BF0-AC29-C8473353BB22} - c:\windows\system32\lofnryb.dll

O2 - BHO: SmartAds browser enhancer ltquokfy - {F1F0EA1B-F9BB-4EEB-9939-99F1E32366CD} - C:\WINDOWS\system32\ltquokfy.dll

O3 - Toolbar: Ecosia Search - {C8F48FC8-3CA1-42B9-8609-F75D7C8B4493} - C:\Program Files\Ecosia\ecosia.dll

O4 - HKLM\..\Run: [himlciillvic] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xeoqmnsfakr.dll"

O4 - HKUS\S-1-5-19\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

Click 'Fix checked' to remove the items.

Download MBAM (Malwarebytes Anti-Malware)

Double-click mbam-setup.exe to install the program.

Make sure there is a check mark in front of Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click "Finish".

If an update is found, it will be downloaded and installed.

When the program is fully up to date, select "Quick Scan" in the Scanner tab, then click Scan.

Scanning can take a while, so be patient.

When the scan is complete, click OK, then "Show Results" to view the results.

Make sure everything there is checked, then click: Remove Selected.

After removal a log will open and you will be asked to restart the computer. (See below.)

If the rootkit (TDSS) is present, MBAM will ask to restart. Do so.

MBAM will scan again after the restart and remove the rootkit.

The log is saved automatically by MBAM and can be found by clicking the "Logs" tab in the program.

If MBAM has difficulty removing certain files it will show a few messages where you have to click OK. It will then ask to restart the computer... so allow MBAM to restart the computer.

Paste the contents of the log in your next post, together with a new HijackThis log.

Posted: (edited)
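A defender-side way to do by script what the helper does by eye in the post above. This is an added example, not code from the thread, from HijackThis or from MBAM: it scores each HJT entry against the signals the helper acted on (missing files, unnamed BHOs, BHO DLLs under system32, regsvr32 in an autostart key, ownerless services), cross-references O2 and O4 entries that share a DLL, and derives the sc stop/sc delete pair for the orphaned service. The sample lines are copied from the posted log; the rules and weights are my own assumptions.

```python
"""Triage of a HijackThis (HJT) log with the checks a helper applies by hand in
this thread. Added example: not part of HijackThis, MBAM or the thread. The
rules, scores and the O2/O4 cross-reference are my own assumptions; the sample
lines below are copied from the log posted in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: ten entries taken from the HJT log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0D3FBB5D-AF15-4912-A132-364BB9BB73A3} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: hotrevenue browser enhancer - {3EE55854-09DF-9E72-31A9-74ECB0C23212} - C:\WINDOWS\system32\xeoqmnsfakr.dll
O2 - BHO: (no name) - {EA38C044-22C9-4BF0-AC29-C8473353BB22} - c:\windows\system32\lofnryb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [himlciillvic] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xeoqmnsfakr.dll"
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: IpSect service (darkness) - Unknown owner - C:\WINDOWS\system\lsm.exe (file missing)
"""


@dataclass
class Finding:
    section: str            # HJT section tag: R0/R1, O2, O4, O20, O23, ...
    line: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)  # one point per matched rule


SECTION_RE = re.compile(r"^(R[01]|O\d+) - ")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe)', re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system(?:32)?\\", re.IGNORECASE)
SERVICE_RE = re.compile(r"^O23 - Service: .*?\(([^)]+)\) - ")  # short service name


def _paths(line: str) -> List[str]:
    """All drive-letter paths to a .dll/.exe on the line, lower-cased."""
    return [p.lower() for p in PATH_RE.findall(line)]


def triage_line(line: str) -> Optional[Finding]:
    """Apply the per-line rules; returns None for lines that are not HJT entries."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    f, low = Finding(m.group(1), line), line.lower()
    if "(no file)" in low or "(file missing)" in low:
        f.reasons.append("orphaned entry: the referenced file is gone")
    if f.section in ("O2", "O3") and "(no name)" in low:
        f.reasons.append("browser helper object without a name")
    if f.section == "O2" and any(SYSTEM_DIR_RE.match(p) for p in _paths(line)):
        f.reasons.append("BHO loaded from the Windows system directory")
    if f.section == "O4" and "regsvr32" in low:
        f.reasons.append("autostart entry invokes regsvr32")
    if f.section == "O23" and "unknown owner" in low:
        f.reasons.append("service without vendor information")
    return f


def triage_log(text: str, min_score: int = 1) -> List[Finding]:
    """Score every entry, cross-reference O2 and O4, return entries at or above
    min_score, highest score first."""
    findings = [f for f in map(triage_line, text.splitlines()) if f is not None]
    bho_dlls = {p for f in findings if f.section == "O2" for p in _paths(f.line)}
    run_dlls = {p for f in findings if f.section == "O4" and "regsvr32" in f.line.lower()
                for p in _paths(f.line)}
    shared = bho_dlls & run_dlls   # a BHO that a Run key re-registers at every logon
    for f in findings:
        if f.section in ("O2", "O4") and shared.intersection(_paths(f.line)):
            f.reasons.append("same DLL is a BHO and is re-registered from a Run key")
    return sorted((f for f in findings if f.score >= min_score),
                  key=lambda f: f.score, reverse=True)


def service_cleanup_commands(findings: List[Finding]) -> List[str]:
    """For O23 services that are both orphaned and ownerless (the only two O23
    rules, so score >= 2), the sc commands the helper uses in this thread."""
    cmds: List[str] = []
    for f in findings:
        if f.section == "O23" and f.score >= 2:
            m = SERVICE_RE.match(f.line)
            if m:
                cmds += [f"sc stop {m.group(1)}", f"sc delete {m.group(1)}"]
    return cmds


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}\n      " + "; ".join(f.reasons))
    print("\n".join(service_cleanup_commands(triage_log(SAMPLE_LOG))))
```

Run against the sample, the five entries the helper told the poster to fix all score 2, the AVG and NVIDIA entries score 0, and the Adobe service scores 1 (no vendor field, but its binary is present), which is why a score-1 hit is a prompt for a manual look rather than a removal.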

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4043

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

27/04/2010 22:23:24

mbam-log-2010-04-27 (22-23-24).txt

Scan type: Quick scan

Objects scanned: 141857

Time elapsed: 9 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 11

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 14

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{a9722a0d-365f-47d2-b70b-37d046316d99} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\epxyalfhjritjvoen (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.Tracur) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adhlpr.adhlpr (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adhlpr.adhlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Michel\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Michel\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Johan\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Johan\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Judith\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Judith\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lieve\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Lieve\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Simon\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Simon\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.

C:\Documents and Settings\Simon\Application Data\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.

C:\Documents and Settings\Simon\Application Data\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.

C:\Program Files\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.

C:\Program Files\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\epxyalfhjritjvoen.exe (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\Documents and Settings\Simon\Application Data\ezLife\ezLife\log.xml (Adware.EzLife) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Simon\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 22:33:04, on 27/04/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.21228)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ecosia.org/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {EA38C044-22C9-4BF0-AC29-C8473353BB22} - c:\windows\system32\lofnryb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263370399906

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263370354468

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5962/mcfscan.cab

O17 - HKLM\System\CS1\Services\Tcpip\..\{2BAB888F-205D-4DD8-84BB-D3A07FDD4E94}: NameServer = 193.74.208.65 194.119.228.67

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

--

End of file - 6417 bytes

Here is the result of both scans: MBAM first and HijackThis second.

Dear Kape: as a PC layman I find this pretty impressive stuff... RESPECT!

What do these two programs do? Can I learn from this? How, who, what...

edited by micheldesmedt
Posted:

We're not quite there yet.

Start HijackThis. If you are a Vista user, choose "Run as administrator" (or "Uitvoeren als administrator"). Select "Do a system scan only". Select only the items listed below:

O2 - BHO: (no name) - {EA38C044-22C9-4BF0-AC29-C8473353BB22} - c:\windows\system32\lofnryb.dll

Klik op 'Fix checked' om de items te verwijderen.

Download Combofix naar je Bureaublad.

Lees hier meer over correct gebruik van Combofix.

OPMERKING: indien je, tijdens of na het downloaden van Combofix of tijdens het gebruik van Combofix een melding krijgt van je Antivirus- of een andere realtime scanner, schakel dan deze scanner uit en download Combofix opnieuw.

Sommige scanners zien bepaalde componenten die Combofix gebruikt als verdacht en gaan deze blokkeren of verwijderen!

  • Dubbelklik op Combofix.exe om het te starten.
    Indien je Combofix al eerder hebt gebruikt, kan je een waarschuwing krijgen dat een update beschikbaar is. Sta toe dat ComboFix wordt geupdate.
    Volg de instructies, aanvaard de disclaimer door op Ja te klikken.
    Indien de Recovery Console niet geïnstalleerd is, wordt je gevraagd om dit alsnog te doen door op JA te klikken in het "Query - Recovery Console" venster (enkel voor XP, niet voor VISTA).
    Klik op OK en Ja om automatisch de Recovery Console te laten installeren.
    Klik na afloop terug op Ja om het scannen op malware te starten.
    Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.

Wanneer de fix voltooid is en na herstart, zal de log Combofix.txt openen.

Plak de inhoud van het logje in je volgende bericht, samen met een nieuw HijackThis log.
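The fix above is chosen by reading the HijackThis log for the kind of entry a helper looks at first: a BHO with no name living in system32, autostart entries pointing into user-writable folders, orphaned entries, services without a vendor string. The script below is an added example, not a tool used by anyone in this thread, that applies those rules to HijackThis-format lines. The sample is constructed: most lines are copied from the logs in this thread, the "[Updater]" line is invented to exercise the user-profile rule, and the severities are my own heuristics (a hit means "inspect", not "malicious").

```python
"""Triage a HijackThis 2.x log: surface the entries a helper would look at first.

Added example for this thread, not HijackThis code. The rules are simple
heuristics; a hit means "inspect this", not "this is malicious".
"""
import re
from collections import Counter

# Constructed sample in HijackThis format. All lines except "[Updater]" are
# taken from the logs posted in this thread; "[Updater]" is invented.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {EA38C044-22C9-4BF0-AC29-C8473353BB22} - c:\windows\system32\lofnryb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Michel\Application Data\svchost.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BAB888F-205D-4DD8-84BB-D3A07FDD4E94}: NameServer = 193.74.208.65 194.119.228.67
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
"""

# "O2 - BHO: ..." -> code "O2", body "BHO: ..."
HJT_ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

# Executables started from a per-user writable location are unusual for
# services and classic for droppers; system software lives under Program
# Files or the Windows directory.
USER_WRITABLE = re.compile(
    r"\\(?:documents and settings|users)\\[^\\]+\\"
    r"(?:application data|local settings|appdata)\\|\\temp\\",
    re.IGNORECASE,
)


def _finding(severity, code, reason, entry):
    return {"severity": severity, "code": code, "reason": reason, "entry": entry}


def triage(log_text):
    """Return a list of findings (dicts) for the HijackThis entries in log_text."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "O2" and "(no name)" in body:
            findings.append(_finding(
                "HIGH", code, "BHO without a name: it loads into every IE process", body))
        if code in ("O2", "O4", "O23") and USER_WRITABLE.search(body):
            findings.append(_finding(
                "HIGH", code, "autostart/service executable in a user-writable directory", body))
        if code == "O23" and "Unknown owner" in body:
            findings.append(_finding(
                "LOW", code, "service without a vendor string: verify the file's publisher", body))
        if "(no file)" in body:
            findings.append(_finding(
                "LOW", code, "orphaned entry, target no longer exists: safe to clean up", body))
        if code == "O17":
            findings.append(_finding(
                "INFO", code, "per-interface DNS servers: confirm they belong to your ISP", body))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['severity']:<4}] {f['code']}: {f['reason']}\n        {f['entry']}")
```

On the sample, the unnamed BHO in system32 and the invented Run entry under Application Data come out HIGH, the Adobe service (legitimately "Unknown owner", as in the log above) and the orphaned O9 button come out LOW, and the DNS line is flagged only for manual confirmation. The point of keeping the Adobe hit at LOW is the one to remember: "Unknown owner" alone says nothing, and the decision in this thread was made on the BHO, not on the services.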

Posted:

First I ran HijackThis and removed the items as described. That went fine.

Then I downloaded ComboFix. But I got no messages that I had to turn off my antivirus. I started Combofix.exe by clicking Run at the Run or Save prompt. I got a small grey bar in the middle of my screen with a blue progress bar. When it finished, I got no txt from ComboFix... so I have no log either.

I did get an error message: You cannot rename ComboFix as ComboFix[1]. Please use another name, preferably made of alphanumeric characters. OK.

When I restart the PC, AVG reports that the Trojan horse PSW.Agent.AFFO is still infecting Windows\system32\lofnryb.dll.

Did I make a mistake downloading ComboFix?

Posted:
Did I make a mistake downloading ComboFix?
Not really in the download itself, but based on the error message I can tell that you had ComboFix "run" immediately. The intention is that you download ComboFix to your desktop and only start it from there with the red shortcut. Then it should work ...
Posted:

SUCCESS!

ComboFix log:

ComboFix 10-04-26.05 - Michel 28/04/2010 10:17:12.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.454 [GMT 2:00]

Running from: c:\program files\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Johan\Application Data\Mozilla\Firefox\Profiles\xpaffi18.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}

c:\documents and settings\Johan\Application Data\Mozilla\Firefox\Profiles\xpaffi18.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\chrome.manifest

c:\documents and settings\Johan\Application Data\Mozilla\Firefox\Profiles\xpaffi18.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\chrome\xulcache.jar

c:\documents and settings\Johan\Application Data\Mozilla\Firefox\Profiles\xpaffi18.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\defaults\preferences\xulcache.js

c:\documents and settings\Johan\Application Data\Mozilla\Firefox\Profiles\xpaffi18.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\install.rdf

c:\documents and settings\Michel\Application Data\Mozilla\Firefox\Profiles\5rcbfauh.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}

c:\documents and settings\Michel\Application Data\Mozilla\Firefox\Profiles\5rcbfauh.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\chrome.manifest

c:\documents and settings\Michel\Application Data\Mozilla\Firefox\Profiles\5rcbfauh.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\chrome\xulcache.jar

c:\documents and settings\Michel\Application Data\Mozilla\Firefox\Profiles\5rcbfauh.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\defaults\preferences\xulcache.js

c:\documents and settings\Michel\Application Data\Mozilla\Firefox\Profiles\5rcbfauh.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\install.rdf

c:\documents and settings\Michel\System

c:\documents and settings\Michel\System\win_qs8.jqx

c:\documents and settings\Simon\Application Data\2D15C61EEE71B2CF45FD5F291B92BDF1

c:\documents and settings\Simon\Application Data\2D15C61EEE71B2CF45FD5F291B92BDF1\enemies-names.txt

c:\documents and settings\Simon\Application Data\2D15C61EEE71B2CF45FD5F291B92BDF1\lsrslt.ini

c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\uxj8wz87.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}

c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\uxj8wz87.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\chrome.manifest

c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\uxj8wz87.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\chrome\xulcache.jar

c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\uxj8wz87.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\defaults\preferences\xulcache.js

c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\uxj8wz87.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\install.rdf

c:\program files\Trend Micro\HiJackThis\backups\backup-20100427-220650-258.dll

c:\program files\Trend Micro\HiJackThis\backups\backup-20100427-220650-880.dll

c:\windows\system32\chvgacgg.dll

c:\windows\system32\drivers\mwgnrkio.sys

c:\windows\system32\drivers\woihloll.sys

c:\windows\system32\lofnryb.dll

c:\windows\system32\ltquokfy.dll

c:\windows\system32\xeoqmnsfakr.dll

c:\windows\system32\zcieuia.dll

c:\windows\Tasks\At1.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MWGNRKIO

-------\Legacy_SSHNAS

-------\Legacy_YAHQMCCB

-------\Service_mwgnrkio

-------\Service_yahqmccb

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))

.

2010-04-27 20:10 . 2010-04-27 20:10 -------- d-----w- c:\documents and settings\Michel\Application Data\Malwarebytes

2010-04-27 20:10 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-27 20:10 . 2010-04-27 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-27 20:10 . 2010-04-27 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-27 20:10 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-26 19:06 . 2010-04-26 19:06 -------- d-----w- c:\documents and settings\Michel\Application Data\Office Genuine Advantage

2010-04-26 19:04 . 2010-04-26 19:04 -------- d-----w- c:\windows\system32\KB905474

2010-04-26 19:04 . 2009-03-10 20:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe

2010-04-26 19:04 . 2009-03-10 20:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe

2010-04-26 15:07 . 2010-04-26 15:07 -------- d-----w- c:\documents and settings\Simon\Application Data\Office Genuine Advantage

2010-04-26 14:30 . 2009-10-20 14:41 265728 -c----w- c:\windows\system32\dllcache\http.sys

2010-04-26 14:30 . 2009-11-27 17:04 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll

2010-04-26 14:30 . 2009-11-27 16:37 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll

2010-04-26 14:30 . 2009-11-27 16:37 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll

2010-04-26 14:27 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-04-26 14:23 . 2010-04-26 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-04-26 09:52 . 2010-04-26 09:52 388096 ----a-r- c:\documents and settings\Michel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-04-26 09:52 . 2010-04-26 09:52 -------- d-----w- c:\program files\Trend Micro

2010-04-26 09:09 . 2010-04-26 09:09 -------- d-----w- c:\windows\ServicePackFiles

2010-04-26 09:09 . 2010-04-26 09:09 -------- d-----w- c:\program files\MSXML 6.0

2010-04-26 09:08 . 2004-08-03 23:56 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-04-26 09:02 . 2010-04-26 09:02 -------- d-----w- c:\program files\MSXML 4.0

2010-04-26 08:59 . 2010-04-26 08:59 -------- d-----w- c:\windows\system32\LogFiles

2010-04-25 10:40 . 2010-04-26 09:35 -------- d-----w- c:\windows\system32\CatRoot_bak

2010-04-25 10:34 . 2010-04-25 10:34 10752 ----a-w- c:\windows\DCEBoot.exe

2010-04-25 10:28 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-04-25 09:40 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-04-25 09:40 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-04-25 09:39 . 2009-06-09 14:53 53248 -c----w- c:\windows\system32\dllcache\tsgqec.dll

2010-04-25 09:39 . 2009-06-09 14:53 290816 -c----w- c:\windows\system32\dllcache\rhttpaa.dll

2010-04-25 09:39 . 2009-06-09 14:53 136192 -c----w- c:\windows\system32\dllcache\aaclient.dll

2010-04-25 09:38 . 2010-02-24 12:48 457216 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-04-25 09:34 . 2010-02-16 17:37 2186880 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-04-25 09:34 . 2010-02-16 17:35 2143744 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-04-25 09:34 . 2010-02-17 09:57 2063744 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-04-25 09:34 . 2010-02-16 16:57 2021888 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-04-25 08:22 . 2010-04-25 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-04-24 21:14 . 2010-04-24 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-24 20:47 . 2010-04-24 20:47 -------- d-----w- C:\$AVG

2010-04-24 20:46 . 2010-04-24 20:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-04-24 20:46 . 2010-04-24 20:46 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-24 20:46 . 2010-04-24 20:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-04-24 20:46 . 2010-04-24 20:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-04-24 20:45 . 2010-04-28 06:51 -------- d-----w- c:\windows\system32\drivers\Avg

2010-04-24 20:43 . 2010-04-28 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-04-24 18:17 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-04-24 18:16 . 2010-04-24 18:16 -------- d-----w- c:\program files\Panda Security

2010-04-24 18:07 . 2010-04-24 18:07 -------- d-----w- c:\windows\McAfee.com

2010-04-24 17:33 . 2010-04-24 17:33 -------- d-----w- c:\documents and settings\Michel\Application Data\SMART Technologies Inc

2010-04-24 17:14 . 2010-04-24 17:14 -------- d-----w- c:\documents and settings\Simon\Application Data\SMART Technologies Inc

2010-04-24 17:07 . 2010-04-24 17:07 -------- d-----w- c:\documents and settings\Simon\Application Data\AccurateRip

2010-04-24 15:53 . 2010-04-24 15:53 163328 ----a-w- c:\windows\Unyhea.exe

2010-04-19 07:04 . 2010-04-19 07:04 -------- d-----w- c:\documents and settings\Johan\Local Settings\Application Data\WMTools Downloaded Files

2010-04-16 20:06 . 2010-04-16 20:06 1190379 ----a-w- c:\program files\calrepwin1.6.1.zip

2010-03-31 16:53 . 2010-03-31 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-28 08:07 . 2010-04-28 08:07 3920093 ----a-r- c:\program files\ComboFix.exe

2010-04-27 16:15 . 2010-04-27 16:15 -------- d-----w- c:\program files\MSBuild

2010-04-27 16:15 . 2010-04-27 16:15 -------- d-----w- c:\program files\Reference Assemblies

2010-04-26 19:22 . 2008-12-09 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-04-25 08:22 . 2009-06-26 06:52 -------- d-----w- c:\program files\Alwil Software

2010-04-24 20:43 . 2008-12-13 19:40 -------- d-----w- c:\program files\AVG

2010-04-24 17:46 . 2009-11-17 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SMART Technologies

2010-04-23 09:54 . 2009-03-24 08:55 -------- d-----w- c:\documents and settings\Johan\Application Data\U3

2010-04-20 22:00 . 2008-12-09 07:37 -------- d-----w- c:\program files\Google

2010-04-18 16:07 . 2009-03-24 15:45 -------- d-----w- c:\documents and settings\Simon\Application Data\U3

2010-04-15 15:17 . 2008-12-04 16:29 -------- d-----w- c:\program files\Aldfaer

2010-04-08 19:49 . 2010-03-21 11:12 -------- d-----w- c:\program files\MyHeritage

2010-04-08 19:49 . 2010-03-21 11:13 -------- d-----w- c:\program files\Family Toolbar

2010-03-31 16:54 . 2009-11-21 23:00 -------- d-----w- c:\program files\QuickTime

2010-03-24 09:47 . 2009-03-14 21:53 -------- d-----w- c:\documents and settings\Michel\Application Data\U3

2010-03-21 12:39 . 2010-03-21 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MyHeritage

2010-03-21 11:30 . 2010-03-21 11:30 -------- d-----w- c:\documents and settings\Simon\Application Data\MyHeritage

2010-03-21 11:17 . 2010-03-21 11:17 -------- d-----w- c:\documents and settings\Michel\Application Data\MyHeritage

2010-03-16 20:09 . 2009-01-30 19:31 -------- d-----w- c:\documents and settings\Judith\Application Data\U3

2010-03-11 11:49 . 2007-05-21 10:27 841216 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 11:49 . 2007-05-21 10:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 11:49 . 2007-05-21 10:35 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-10 21:17 . 2008-12-03 20:33 -------- d-----w- c:\program files\Common Files\Adobe

2010-03-09 11:09 . 2007-05-21 10:27 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-24 12:48 . 2007-05-21 10:26 457216 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 17:35 . 2007-05-21 10:26 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 16:57 . 2007-02-28 11:16 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:36 . 2007-05-21 10:25 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 11:08 . 2007-05-21 10:27 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2009-03-18 10:37 . 2009-03-18 10:37 6122809 -c--a-w- c:\program files\myphotobook-Setup.exe

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"g:\\games\\AC\\AssassinsCreed_Dx9.exe"=

"g:\\games\\AC\\AssassinsCreed_Dx10.exe"=

"g:\\games\\AC\\AssassinsCreed_Launcher.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"16611:TCP"= 16611:TCP:BitComet 16611 TCP

"16611:UDP"= 16611:UDP:BitComet 16611 UDP

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [24/04/2010 20:17 28552]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/04/2010 22:46 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/04/2010 22:46 242896]

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [20/10/2004 5:47 98304]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [24/04/2010 22:44 308064]

R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [20/10/2004 4:40 118784]

S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/01/2010 17:43 135664]

S3 itexadsla2;ITeX ADSL PCI NIC Service;c:\windows\system32\drivers\itexwana.sys [11/09/2001 11:15 432640]

S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [23/04/2007 14:54 83208]

S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [23/04/2007 14:54 15112]

S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [23/04/2007 14:54 108680]

S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [23/04/2007 14:54 100488]

S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [23/04/2007 14:54 98568]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MWGNRKIO

*Deregistered* - mwgnrkio

.

Contents of the 'Scheduled Tasks' folder

2010-04-28 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-09 13:45]

2010-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 15:43]

2010-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 15:43]

2010-04-28 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]

2010-04-28 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2010-04-26 20:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ecosia.org/

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: dexia.be

Trusted Zone: google.be\www

Trusted Zone: informatsoftware.be

Trusted Zone: informatsoftware.be\www

FF - ProfilePath - c:\documents and settings\Michel\Application Data\Mozilla\Firefox\Profiles\5rcbfauh.default\

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "Firefox web browser | Faster, more secure, & customizable");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)

ShellIconOverlayIdentifiers-{EA38C044-22C9-4BF0-AC29-C8473353BB22} - (no file)

AddRemove-SmartDraw 2009 - c:\program files\SmartDraw 2009\Unwise.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-04-28 10:23

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|é•A~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\(–€|ÿÿÿÿg•€|é•A~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2232)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

.

**************************************************************************

.

Completion time: 2010-04-28 10:25:58 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-28 08:25

Pre-Run: 39.291.269.120 bytes free

Post-Run: 40.601.546.752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3F3957F45426B910618A1CA9A61FC278

HJT log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:29:55, on 28/04/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.21228)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Ecosia

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263370399906

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263370354468

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5962/mcfscan.cab

O17 - HKLM\System\CS1\Services\Tcpip\..\{2BAB888F-205D-4DD8-84BB-D3A07FDD4E94}: NameServer = 193.74.208.65 194.119.228.67

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

--

End of file - 5881 bytes

Hopefully it's OK now?
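The ComboFix log above lists what was removed but not what it adds up to, which is what the earlier question "can I learn from this?" is really about. The script below is an added example, not ComboFix output or code from this thread. It parses the "Other Deletions" and "Drivers/Services" sections by their banner lines, groups the removed items by artifact type, and cross-references deleted driver files with the Service_ and Legacy_ registry keys removed alongside them. The sample is a constructed subset of the log in this post; the classification rules and the artifact-type names are my own.

```python
"""Summarise what ComboFix removed, by artifact type, from its log.

Added example for this thread, not ComboFix's own code. Section parsing relies
only on the banner lines and paths visible in the log above.
"""
import re
from collections import Counter, defaultdict

# Constructed subset of the ComboFix log posted in this thread.
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Michel\Application Data\Mozilla\Firefox\Profiles\5rcbfauh.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\install.rdf
c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\uxj8wz87.default\extensions\{b1ccdae1-3506-4f05-91c5-8f7d0fc459ed}\install.rdf
c:\documents and settings\Michel\System\win_qs8.jqx
c:\documents and settings\Simon\Application Data\2D15C61EEE71B2CF45FD5F291B92BDF1\lsrslt.ini
c:\program files\Trend Micro\HiJackThis\backups\backup-20100427-220650-258.dll
c:\windows\system32\chvgacgg.dll
c:\windows\system32\drivers\mwgnrkio.sys
c:\windows\system32\drivers\woihloll.sys
c:\windows\system32\lofnryb.dll
c:\windows\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MWGNRKIO
-------\Legacy_SSHNAS
-------\Service_mwgnrkio
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.
2010-04-27 20:10 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

# "(((( Other Deletions ))))" -> name "Other Deletions"
SECTION_BANNER = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")
# Firefox extension directory inside a user profile; captures user and add-on GUID.
FIREFOX_EXT = re.compile(
    r"\\documents and settings\\(?P<user>[^\\]+)\\.*\\extensions\\(?P<guid>\{[0-9a-f-]+\})",
    re.IGNORECASE,
)


def parse_sections(text):
    """Map each banner section name to the non-empty lines that follow it."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_BANNER.match(line)
        if m:
            current = m.group("name")
            continue
        if not line or line == "." or current is None:
            continue
        sections[current].append(line)
    return sections


def classify(path):
    """Label a deleted file path by what kind of artifact it is."""
    p = path.lower()
    if FIREFOX_EXT.search(path):
        return "firefox extension"
    if "\\hijackthis\\backups\\" in p:
        return "hijackthis backup"      # copy of an item fixed earlier, not a new find
    if "\\system32\\drivers\\" in p and p.endswith(".sys"):
        return "kernel driver"
    if "\\system32\\" in p and p.endswith(".dll"):
        return "system32 dll"
    if "\\tasks\\" in p and p.endswith(".job"):
        return "scheduled task"
    if "\\documents and settings\\" in p:
        return "user profile file"
    return "other"


def classify_key(entry):
    """'-------\\Legacy_X' -> ('legacy device key', 'x'); same for Service_."""
    name = entry.rsplit("\\", 1)[-1]
    lowered = name.lower()
    if lowered.startswith("legacy_"):
        return "legacy device key", lowered[len("legacy_"):]
    if lowered.startswith("service_"):
        return "service key", lowered[len("service_"):]
    return "other key", lowered


def summarize(text):
    """Group deletions by type and tie driver files to their registry keys."""
    sections = parse_sections(text)
    deletions = sections.get("Other Deletions", [])
    keys = [classify_key(k) for k in sections.get("Drivers/Services", [])]

    extensions = defaultdict(set)
    for p in deletions:
        m = FIREFOX_EXT.search(p)
        if m:
            extensions[m.group("guid").lower()].add(m.group("user"))

    drivers = {p.rsplit("\\", 1)[-1][:-4].lower()
               for p in deletions if classify(p) == "kernel driver"}
    services = {n for kind, n in keys if kind == "service key"}
    legacy = {n for kind, n in keys if kind == "legacy device key"}
    return {
        "by_type": Counter(classify(p) for p in deletions),
        "registry_keys": Counter(kind for kind, _ in keys),
        "firefox_extensions": {g: sorted(u) for g, u in extensions.items()},
        "drivers_with_service_key": sorted(drivers & services),
        "legacy_keys_without_file": sorted(legacy - drivers),   # file gone, key left behind
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_COMBOFIX_LOG).items():
        print(f"{k}: {dict(v) if isinstance(v, Counter) else v}")
```

Run on the sample, it shows the shape of this infection: two randomly named kernel drivers, one of which (mwgnrkio) still had its service key, a Legacy_ key (sshnas) whose driver file was already gone, two random-named DLLs in system32, an At1.job scheduled task, and one add-on GUID planted in every user's Firefox profile. That last point is why the helper asked for a ComboFix run after the HijackThis fix: removing one BHO under one account does not touch the other profiles or the drivers.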