Virus: "Someone is publishing photos of you"



Logfile of HijackThis v1.99.1

Scan saved at 12:30:34, on 8-3-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\program files\valve\steam\steam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\PROGRA~1\Grisoft\AVG7\avgwb.dat

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Maarten\Mijn documenten\HJT\Scan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Live Search:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\Maarten\LOCALS~1\Temp\services.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\Maarten\LOCALS~1\Temp\services.exe

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Here we go :laugh: Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\Maarten\LOCALS~1\Temp\services.exe

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\Maarten\LOCALS~1\Temp\services.exe

O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab

Click 'Fix checked' to remove the items.

Open a Notepad file.

Copy and paste the bold text below into it.

File::

C:\Documents and Settings\Maarten\xowsmq.exe

C:\Documents and Settings\Maarten\pvyufs.exe

C:\WINDOWS\system32\RVAXO.bat

C:\WINDOWS\system32\remove.exe

C:\WINDOWS\system32\Restart.exe

C:\Documents and Settings\Maarten\psulve.exe

C:\WINDOWS\msdownld.tmp

C:\install.dat

Folder::

C:\RVAXO

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

Save this file on your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix restart. Reboot if asked.

Download CCleaner

Install it and start it. In the left column click "Options". Select the "Advanced" tab and untick "Only delete files in Windows Temp folders older than 48 hours", then close the program. In the left column click "Cleaner". Click "Analyze" and then "Run Cleaner".

Then let AVG scan again to see whether it still finds anything.

Post the contents of ComboFix.txt in your next reply together with a new HijackThis log. But before you make a new HijackThis log, remove the current version of HJT here: C:\Documents and Settings\Maarten\Mijn documenten\HJT\Scan.exe and download the most recent version here.

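The entries the helper singled out above share one pattern: an executable dropped in the user's Temp folder that is both appended to the Winlogon UserInit value (the F2 line) and registered under HKLM\..\Run (the [Flash Media] O4 line), plus a few orphaned BHO/button registrations. The ComboFix output later in the thread shows the same Temp\services.exe whitelisted in the Windows Firewall AuthorizedApplications list. The script below is an added example for this page, not code from the original posts or from HijackThis or ComboFix; it automates that triage over HijackThis log lines and ComboFix firewall-list lines. The sample input is a constructed excerpt of the lines quoted in this thread; the finding categories and the SUSPICIOUS_DIRS list are assumptions made for the example.

```python
"""Triage HijackThis log lines (and ComboFix firewall-list lines) for the
persistence pattern seen in this thread.

Added example for this page; it is not code from the original posts, from
HijackThis or from ComboFix.  The category names, the SUSPICIOUS_DIRS list
and the sample excerpt below are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories in which no legitimate autostart executable belongs (XP-era
# layout, 8.3 and long forms).  Assumption for this example.
SUSPICIOUS_DIRS = ("\\locals~1\\temp\\", "\\local settings\\temp\\")

# An .exe sitting directly in a profile root, e.g. C:\Documents and Settings\<user>\xowsmq.exe
PROFILE_ROOT_EXE = re.compile(
    r"^[a-z]:\\(docume~1|documents and settings)\\[^\\]+\\[^\\]+\.exe$", re.I)

# First drive-letter path in a HijackThis entry, with or without quotes.
PATH_IN_ENTRY = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll|bat|dat))"?', re.I)


@dataclass
class Finding:
    kind: str   # userinit-hijack | run-from-temp | orphaned-entry | firewall-exception
    line: str   # the offending log line, verbatim


def _suspicious_location(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS) or PROFILE_ROOT_EXE.match(p) is not None


def _first_path(entry: str) -> Optional[str]:
    m = PATH_IN_ENTRY.search(entry)
    return m.group(1) if m else None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # Winlogon runs every comma-separated entry of this value at each
            # logon; anything besides userinit.exe itself is a hijack.
            value = line.split("UserInit=", 1)[1]
            parts = [p.strip() for p in value.split(",") if p.strip()]
            if any(not p.lower().endswith("\\userinit.exe") for p in parts):
                findings.append(Finding("userinit-hijack", line))
        elif line.startswith("O4 - "):
            path = _first_path(line)
            if path and _suspicious_location(path):
                findings.append(Finding("run-from-temp", line))
        elif line.startswith(("O2 - ", "O3 - ", "O9 - ")) and (
                "(no file)" in line or "(file missing)" in line):
            findings.append(Finding("orphaned-entry", line))
        elif line.startswith('"') and line.endswith('"='):
            # ComboFix dumps firewall AuthorizedApplications as "C:\\path\\x.exe"=
            path = line[1:-2].replace("\\\\", "\\")
            if _suspicious_location(path):
                findings.append(Finding("firewall-exception", line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per category."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed excerpt of the lines quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\Maarten\LOCALS~1\Temp\services.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Flash Media] C:\DOCUME~1\Maarten\LOCALS~1\Temp\services.exe
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\DOCUME~1\\Maarten\\LOCALS~1\\Temp\\services.exe"=
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.line}")
```

The UserInit check is the one that matters most: because Winlogon launches every entry in that value, deleting only the Run key would leave the dropper starting at each logon, which is why the helper has the F2 line fixed as well. A default XP value (userinit.exe followed by a trailing comma) produces no finding.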

I picked up (read something on the forum here) that McAfee would be good? The pity is that I would then have to remove AVG from my computer.

If you want a paid antivirus, NOD32 is a highly praised program at the moment, but I don't really see why you would remove that (free) AVG. It normally does its job more than well enough. And all comments about virus scanners depend on the user anyway... one person likes this and another likes that. If you trawl all the forums you will find supporters and opponents of every program. Only about Norton do you read more bad than good, but that has mainly to do with the fact that it is a system hog.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:38:50, on 8-3-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\program files\valve\steam\steam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Maarten\Mijn documenten\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Live Search:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\Maarten\LOCALS~1\Temp\services.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 6680 bytes

ComboFix 08-03-05.1 - Maarten 2008-03-08 16:28:43.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.32.1043.18.545 [GMT 1:00]

Started from: C:\Documents and Settings\Maarten\Bureaublad\ComboFix.exe

Command switches used :: C:\Documents and Settings\Maarten\Bureaublad\CFScript.txt

* New restore point was created

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS SYSTEM !!

FILE ::

C:\Documents and Settings\Maarten\psulve.exe

C:\Documents and Settings\Maarten\pvyufs.exe

C:\Documents and Settings\Maarten\xowsmq.exe

C:\install.dat

C:\WINDOWS\msdownld.tmp

C:\WINDOWS\system32\remove.exe

C:\WINDOWS\system32\Restart.exe

C:\WINDOWS\system32\RVAXO.bat

.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Maarten\psulve.exe

C:\Documents and Settings\Maarten\pvyufs.exe

C:\Documents and Settings\Maarten\xowsmq.exe

C:\install.dat

C:\RVAXO

C:\RVAXO\results.log

C:\WINDOWS\system32\remove.exe

C:\WINDOWS\system32\Restart.exe

C:\WINDOWS\system32\RVAXO.bat

.

(((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 ))))))))))))))))))))))))))))))

.

2008-03-08 15:28 . 2008-03-08 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

2008-03-07 20:42 . 2008-03-08 16:27 <DIR> dr-h----- C:\Documents and Settings\Maarten\Onlangs geopend

2008-03-07 20:40 . 2008-03-07 20:40 <DIR> d-------- C:\Program Files\CCleaner

2008-03-06 10:21 . 2008-03-06 10:21 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

2008-03-05 18:30 . 2008-03-05 18:30 <DIR> d--h----- C:\WINDOWS\PIF

2008-03-05 16:27 . 2008-03-07 23:06 <DIR> d-------- C:\Program Files\Trend Micro

2008-02-20 15:35 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll

2008-02-20 15:34 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll

2008-02-20 15:33 . 2008-02-20 15:34 <DIR> d--h----- C:\WINDOWS\msdownld.tmp

2008-02-13 21:32 . 2008-02-13 21:32 <DIR> d-------- C:\Program Files\Rockstar Games

2008-02-13 21:32 . 2008-02-13 21:32 <DIR> d-------- C:\Program Files\directx

2008-02-13 14:08 . 2008-02-13 14:08 <DIR> d-------- C:\Documents and Settings\Maarten\Application Data\fizzy

2008-02-13 14:07 . 2008-02-13 14:07 <DIR> d--hs---- C:\WINDOWS\ftpcache

2008-02-13 14:07 . 2008-02-13 14:07 <DIR> d-------- C:\Program Files\Fizzy

.

((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-08 15:25 --------- d-----w C:\Program Files\Windows Live Toolbar

2008-03-08 11:28 --------- d-----w C:\Program Files\Freeciv-2.0.9-gtk2

2008-03-08 10:58 --------- d-----w C:\Documents and Settings\Maarten\Application Data\AVG7

2008-03-07 21:41 --------- d-----w C:\Program Files\Yahoo!

2008-03-07 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-03-05 15:30 --------- d-----w C:\Program Files\Xvid

2008-03-05 15:30 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-03-05 15:30 --------- d-----w C:\Program Files\Lux

2008-03-05 15:30 --------- d-----w C:\Program Files\LimeWire

2008-03-05 15:30 --------- d-----w C:\Program Files\DivX

2008-03-01 12:09 --------- d-----w C:\Documents and Settings\Maarten\Application Data\LimeWire

2008-02-25 17:01 --------- d-----w C:\Program Files\iTunes

2008-02-25 17:01 --------- d-----w C:\Program Files\iPod

2008-02-25 17:00 --------- d-----w C:\Program Files\QuickTime

2008-02-13 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-09 15:42 --------- d-----w C:\Program Files\Hitman Pro

2008-02-09 12:33 --------- d-----w C:\Program Files\Freeciv-2.1.3-gtk2

.

((((((((((((((((((((((((((((( snapshot@2008-03-05_17.13.22,89 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-07-05 10:22:57 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2008-03-06 21:12:07 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2007-07-05 10:22:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat

+ 2008-03-06 21:12:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat

- 2007-07-05 10:22:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-03-06 21:12:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2007-12-25 13:29:03 58,732 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-03-07 21:47:50 58,732 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2007-12-25 13:29:03 76,786 ----a-w C:\WINDOWS\system32\perfc013.dat

+ 2008-03-07 21:47:50 76,786 ----a-w C:\WINDOWS\system32\perfc013.dat

- 2007-12-25 13:29:03 392,432 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-03-07 21:47:50 392,432 ----a-w C:\WINDOWS\system32\perfh009.dat

- 2007-12-25 13:29:03 455,944 ----a-w C:\WINDOWS\system32\perfh013.dat

+ 2008-03-07 21:47:50 455,944 ----a-w C:\WINDOWS\system32\perfh013.dat

- 2000-08-31 07:00:00 49,152 ----a-w C:\WINDOWS\system32\VFind.exe

+ 2008-01-03 18:47:58 49,152 ----a-w C:\WINDOWS\system32\VFind.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* empty entries & legitimate default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\valve\steam\steam.exe" [2007-11-30 15:54 1266936]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 10:21 16270848 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 12:18 579072]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 10:52 221184]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 14:56 219136]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

--a------ 2004-10-08 11:31 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

--a------ 2004-10-08 11:24 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

--a------ 2007-11-02 17:24 1065800 C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]

-ra------ 2006-01-03 03:58 208896 C:\WINDOWS\system32\sw20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]

-ra------ 2006-01-03 03:59 69632 C:\WINDOWS\system32\sw24.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

"C:\\Program Files\\Freeciv-2.0.9-gtk2\\civserver.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\stin0o\\counter-strike\\hl.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\elite_juser\\counter-strike\\hl.exe"=

"C:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\elite_juser\\day of defeat\\hl.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\elite_juser\\ricochet\\hl.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\elite_juser\\deathmatch classic\\hl.exe"=

"C:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"=

"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=

"C:\\Program Files\\Valve\\Steam\\Steam.exe"=

"C:\\Program Files\\mIRC\\mirc.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\elite_juser\\condition zero\\hl.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\elite_juser\\condition zero deleted scenes\\hl.exe"=

"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=

"C:\\WINDOWS\\system32\\dpnsvr.exe"=

"C:\\WINDOWS\\system32\\dxdiag.exe"=

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"C:\\Program Files\\Freeciv-2.1.0-gtk2\\civserver.exe"=

"C:\\WINDOWS\\system32\\dplaysvr.exe"=

"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\elite_juser\\counter-strike source\\hl2.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\elite_juser\\half-life 2 deathmatch\\hl2.exe"=

"C:\\Program Files\\Valve\\Steam\\SteamApps\\elite_juser\\day of defeat source\\hl2.exe"=

"C:\\Program Files\\Freeciv-2.1.3-gtk2\\civserver.exe"=

"C:\\Program Files\\Freeciv-2.0.9-gtk2\\civclient.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"C:\\DOCUME~1\\Maarten\\LOCALS~1\\Temp\\services.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager

"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 13:22]

R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 10:39]

R3 W8100PCI;PLANET WL-8313;C:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2004-01-19 04:09]

S3 CrystalSysInfo;CrystalSysInfo;C:\WINDOWS\system32\SysInfo.sys [2005-02-02 18:30]

.

Contents of the 'Scheduled Tasks' folder

"2008-02-27 11:38:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-03-08 15:28:00 C:\WINDOWS\Tasks\Controleren op updates voor Windows Live Toolbar.job"

- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-08 16:30:29

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [2744]

scanning hidden autostart entries ...

scanning hidden files ...

Scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-03-08 16:30:53

ComboFix-quarantined-files.txt 2008-03-08 15:30:51

ComboFix2.txt 2008-03-07 22:15:22

ComboFix3.txt 2008-03-05 17:57:35

ComboFix4.txt 2008-03-05 16:42:24

ComboFix5.txt 2008-03-05 16:13:35

.

2008-02-13 20:56:39 --- E O F ---

I'm starting an AVG scan now.
