Solved - Security Tool and ihaupd32.exe error

rclinden

Familiar face
Caught this morning by the Security Tool program. PC is slow.
Shortly before that, after booting, I got a message to visit the Java site. Unfortunately I ignored it.
I tried System Restore but it doesn't restore anything. The McAfee icon is gone too.
Now googling on another PC, and I ended up on this site.
Registered, so here is the request for help.
How do I tackle this??

When I start the PC, this error message appears on the desktop:
ihaupd32.exe: an error has occurred.

Rijk :wall:
 

style1980

Valued
Re: Security Tool and ihaupd32.exe error

Hello rclinden,

Just post a HJT log: go to "how to post a HJT log" and follow the steps described there.

But if I'm right this is the Virut virus, and then there's nothing else for it but a clean install. But WAIT with that until the specialists have looked at your log.

regards, Bas
 

Abraham54

Administrator
Team member
Re: Security Tool and ihaupd32.exe error

Hello Rijk, welcome to NationaalComputerForum\Virussen en spyware\Hijack This, Virussen en Spyware.

I will assist you with solving the problems in your Windows.
Please do not make any changes to your system during this fix (using other scan tools, updating Windows, installing programs, deleting files, etc.), because this can interfere with our repairs.
Even if the fix does not produce results right away, give feedback on how your Windows is running.


Step 1
Download and install HijackThis version 2.03 (click)
  • Install HijackThis in the indicated location - only then can HijackThis make backups!
  • N.B.: Users of Windows Vista and Windows 7 start the tool by right-clicking and then clicking Run as Administrator!
  • Now close all open windows, then start HijackThis and choose Do a system scan and save a logfile
  • Go to DDRMMR's colour coder (click)
  • Copy and paste the contents of the logfile into the window and click the Convert button
  • Copy and paste the contents of the colour coder into your next reply.


Step 2
Download, install and keep using MBAM (CLICK)
  • Right after installation MBAM will want to update its database; allow this.
  • Also on repeated use: first update MBAM via the Update tab!
  • Start MBAM and choose Quick Scan
  • N.B.: Vista users start MBAM by right-clicking and choosing Run as Administrator.
  • Scanning can take a while, so be patient.
  • When the scan has completed, click the OK button
  • Then click the Show Results button to see the results.
  • Make sure everything is checked.
  • Then click: Remove Selected.
  • After removal a log will open and you will be asked to restart the computer.
  • The log is saved automatically by MBAM; you can find it by clicking the Logs tab in MBAM.
  • If MBAM has trouble removing certain files it will show a few messages; click OK each time!
  • MBAM will then ask to restart the computer - so allow the computer to be restarted.

If the rootkit (TDSS) is present, MBAM will also ask to restart. Do that as well.
After the restart MBAM will scan again and remove the rootkit.


Step 3
After this, post the contents of the following logs:
  • a new HijackThis log
  • the MBAM scan log
  • Also post an Uninstall list:
  • start HijackThis,
  • click the Open the Misc Tools section button,
  • click the Open Uninstall Manager button
  • click the Save button.
 

rclinden

Familiar face
Re: Security Tool and ihaupd32.exe error

Hello Abraham,

Reminds me of a 54-year-old, but I could be wrong. (PS: I am 54.)
Glad you're offering help. I've started the PC several times now but can't get onto the internet.
Just started it again. The message now is: An error has occurred in nrktcvy.exe and it must be closed. With, half overlapping it, a message about nrktcvy.exe application error. How on earth do I get that PC back on the internet to download things etc.????
 

Abraham54

Administrator
Team member
Re: Security Tool and ihaupd32.exe error

Hello Rijk, I'm now 2 years older than you; 54 stands for my year of birth!

It seems your antivirus is at least doing something against the infection.

That nrktcvy.exe is malware too.

You have another computer available!

Do you also have a blank CD-ROM, so you can burn a number of tools onto it first?
A USB stick is of course also possible, but it is easily infected!
 

rclinden

Familiar face
Re: Security Tool and ihaupd32.exe error

> Hello Rijk, I'm now 2 years older than you; 54 stands for my year of birth!
>
> It seems your antivirus is at least doing something against the infection.
>
> That nrktcvy.exe is malware too.
>
> You have another computer available!
>
> Do you also have a blank CD-ROM, so you can burn a number of tools onto it first?
> A USB stick is of course also possible, but it is easily infected!
Bram,
I know it's a public network. Abrahams among ourselves, but I'll address you formally because of the 2-year age difference.... :biggrin:
I have a blank CD-ROM.
I have a USB stick too.
But in the meantime I've been poking around a bit. Via TotalCommander I can put files on my C drive from the working PC (9 years old). I've just put HijackThis on it. And I was even able to install it on the sick PC.
Because you advise in the forums not to do anything without your permission, I haven't started HJT yet. I also have the step-by-step guide for that program open in another tab.

Question: go ahead with Do a system scan and save a logfile??
Another option is fine too. I'll wait politely. :meeting:
 

Abraham54

Administrator
Team member
Re: Security Tool and ihaupd32.exe error

Well, then don't wait and go for a scan and a logfile!
 

rclinden

Familiar face
Re: Security Tool and ihaupd32.exe error

There it is, fortunately, after many operations.

[hjt]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19:46, on 6-4-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
c:\windows\system32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\spoolsv.exe
c:\program files\creative\shared files\ctaudsvc.exe
c:\windows\explorer.exe
c:\docume~1\peter\locals~1\temp\nrktcvy.exe
c:\windows\system32\regedit.exe
c:\documents and settings\peter\wuaucldt.exe
c:\windows\system32\svchost.exe
c:\windows\temp\hbh .exe
c:\windows\system32\svchost.exe
c:\program files\microsoft office\office12\onenotem.exe
c:\documents and settings\peter\menu start\programma's\opstarten\wwwwpt32.exe
c:\program files\common files\acronis\schedule2\schedul2.exe
c:\windows\system32\cmd.exe
c:\windows\system32\svchost.exe
c:\windows\system32\grouppolicy\user\scripts\logon\winlogo.exe
c:\windows\system32\ctsvccda.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\java\jre6\bin\jqs.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\network associates\common framework\frameworkservice.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\network associates\virusscan\vstskmgr.exe
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
c:\windows\system32\svchost.exe
c:\program files\raxco\perfectdisk10\pdagent.exe
c:\program files\network associates\common framework\naprdmgr.exe
c:\windows\system32\peresvc.exe
c:\windows\system32\mspmspsv.exe
c:\windows\system32\wuauclt.exe
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\temp\vrt12.tmp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\docume~1\peter\locals~1\temp\s0q6.exe
c:\windows\system32\svchost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\reader_s.exe
c:\windows\system32\svchost.exe
c:\program files\trend micro\hijackthis\hijackthis.exe
c:\windows\system32\wbem\wmiprvse.exe
c:\lsass.exe

r1 - hkcu\software\microsoft\internet explorer\main,search page = http://go.microsoft.com/fwlink/?linkid=54896
r0 - hkcu\software\microsoft\internet explorer\main,start page = http://tweakers.net/
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = http://go.microsoft.com/fwlink/?linkid=69157
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = http://go.microsoft.com/fwlink/?linkid=54896
r1 - hklm\software\microsoft\internet explorer\main,search page = http://go.microsoft.com/fwlink/?linkid=54896
r0 - hklm\software\microsoft\internet explorer\main,start page = http://go.microsoft.com/fwlink/?linkid=69157
r1 - hkcu\software\microsoft\internet connection wizard,shellnext = http://go.microsoft.com/fwlink/?linkid=74005
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername = koppelingen
f2 - reg:system.ini: shell=explorer.exe rundll32.exe syce.xto nqxwp
f3 - reg:win.ini: load=c:\windows\fonts\services.exe
f3 - reg:win.ini: run=c:\windows\fonts\services.exe
o2 - bho: acroiehelperstub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
o2 - bho: ipswitch.wsftpbrowserhelper - {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll
o2 - bho: java(tm) plug-in 2 ssv helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
o2 - bho: jqsiestartdetectorimpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
o4 - hklm\..\run: [7241] c:\docume~1\peter\locals~1\temp\nrktcvy.exe
o4 - hklm\..\run: [regedit32] c:\windows\system32\regedit.exe
o4 - hklm\..\policies\explorer\run: [exec] c:\windows\fonts\services.exe
o4 - hklm\..\policies\explorer\run: [vrna] c:\docume~1\peter\locals~1\temp\s0q6.exe
o4 - hkus\s-1-5-19\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'lokale service')
o4 - hkus\s-1-5-19\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'lokale service')
o4 - hkus\s-1-5-20\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'netwerkservice')
o4 - hkus\s-1-5-20\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'netwerkservice')
o4 - hkus\s-1-5-18\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'system')
o4 - hkus\s-1-5-18\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'system')
o4 - hkus\.default\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'default user')
o4 - hkus\.default\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'default user')
o4 - startup: ihaupd32.exe
o4 - startup: onenote 2007 schermopname en snel starten.lnk = c:\program files\microsoft office\office12\onenotem.exe
o4 - startup: wwwwpt32.exe
o8 - extra context menu item: e&xporteren naar microsoft excel - res://c:\progra~1\micros~2\office12\excel.exe/3000
o9 - extra button: verzenden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\micros~2\office12\onbttnie.dll
o9 - extra 'tools' menuitem: verz&enden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\micros~2\office12\onbttnie.dll
o9 - extra button: research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - c:\progra~1\micros~2\office12\refiebar.dll
o9 - extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\windows\network diagnostic\xpnetdiag.exe
o9 - extra 'tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\windows\network diagnostic\xpnetdiag.exe
o16 - dpf: {1fec8b6f-250a-4293-b12c-67a7ef0b758a} (sikn speler) - http://www.kerkomroep.nl/ocx/siknplayer.cab
o16 - dpf: {f6acf75c-c32c-447b-9bef-46b766368d29} (creative software autoupdate support package) - http://ccfiles.creative.com/web/softwareupdate/su2/ocx/15111/ctpid.cab
o20 - appinit_dlls: c:\windows\system32\kbdsock.dll
o20 - winlogon notify: cbssreg - c:\documents and settings\all users\documenten\settings\cbss.dll
o21 - ssodl: gootkitsso - {f90d0126-b018-485c-b46e-cf5d24137ae6} - c:\windows\system32\msxsltsso.dll
o23 - service: acronis scheduler2 service (acrsch2svc) - acronis - c:\program files\common files\acronis\schedule2\schedul2.exe
o23 - service: ati hotkey poller - ati technologies inc. - c:\windows\system32\ati2evxx.exe
o23 - service: creative audio engine licensing service - creative labs - c:\program files\common files\creative labs shared\service\ctaelicensing.exe
o23 - service: creative service for cdrom access - creative technology ltd - c:\windows\system32\ctsvccda.exe
o23 - service: creative audio service (ctaudsvcservice) - creative technology ltd - c:\program files\creative\shared files\ctaudsvc.exe
o23 - service: java quick starter (javaquickstarterservice) - sun microsystems, inc. - c:\program files\java\jre6\bin\jqs.exe
o23 - service: mcafee framework service (mcafeeframework) - mcafee, inc. - c:\program files\network associates\common framework\frameworkservice.exe
o23 - service: network associates task manager (mctaskmanager) - network associates, inc. - c:\program files\network associates\virusscan\vstskmgr.exe
o23 - service: nvidia display driver service (nvsvc) - nvidia corporation - c:\windows\system32\nvsvc32.exe
o23 - service: pdagent - raxco software, inc. - c:\program files\raxco\perfectdisk10\pdagent.exe
o23 - service: pdengine - raxco software, inc. - c:\program files\raxco\perfectdisk10\pdengine.exe
o23 - service: peresvc service (peresvc) - neto systems - c:\windows\system32\peresvc.exe
--
end of file - 8130 bytes

[/hjt]
 

Abraham54

Administrator
Team member
Re: Security Tool and ihaupd32.exe error

Hello Rijk, work to be done!

Step 1
Open a new Notepad file (Start\All Programs\Accessories\Notepad),
then copy and paste the (bold, blue) text into the empty window:

@ECHO OFF

sc stop nrktcvy.exe
sc delete nrktcvy.exe
sc stop hbh .exe
sc delete hbh .exe
sc stop wwwwpt32.exe
sc delete wwwwpt32.exe
sc stop vrt12.tmp
sc delete vrt12.tmp
sc stop s0q6.exe
sc delete s0q6.exe
sc stop lsass.exe
sc delete lsass.exe

cls

exit



Go to File - Save As.
  • Under Save in choose: Desktop
  • Under File name enter: service.bat
  • Under Save as type select: All Files (*.*)
  • Then click the Save button

Double-click service.bat on your desktop; a command prompt window will briefly appear.
After that go straight on to Step 2


Step 2

Close all open windows, then start HijackThis and click the Do a Scan only button

f2 - reg:system.ini: shell=explorer.exe rundll32.exe syce.xto nqxwp
f3 - reg:win.ini: load=c:\windows\fonts\services.exe
f3 - reg:win.ini: run=c:\windows\fonts\services.exe
o4 - hklm\..\run: [7241] c:\docume~1\peter\locals~1\temp\nrktcvy.exe
o4 - hklm\..\run: [regedit32] c:\windows\system32\regedit.exe
o4 - hklm\..\policies\explorer\run: [exec] c:\windows\fonts\services.exe
o4 - hklm\..\policies\explorer\run: [vrna] c:\docume~1\peter\locals~1\temp\s0q6.exe
o4 - startup: ihaupd32.exe
o4 - startup: wwwwpt32.exe
o20 - appinit_dlls: c:\windows\system32\kbdsock.dll
o20 - winlogon notify: cbssreg - c:\documents and settings\all users\documenten\settings\cbss.dll
o21 - ssodl: gootkitsso - {f90d0126-b018-485c-b46e-cf5d24137ae6} - c:\windows\system32\msxsltsso.dll

  • put a check mark in front of the line(s) that correspond to the lines above
  • then click the Fix checked button

Close HijackThis after processing the above and restart your PC into Safe Mode


Step 3
In Safe Mode, go to C:\Windows\System32 and manually delete the following files:
- kbdsock.dll
- msxsltsso.dll


If you have then reached your normal desktop again, first do the following:

Step 4
Check/restore the proxy settings of Internet Explorer:

Via Start go to Control Panel and click Internet Options; alternatively, click "Tools" in the Internet Explorer menu bar and choose Internet Options from the drop-down menu.
Then click the "Connections" tab and click the "LAN settings" button there.
Remove the check mark at "Use a proxy server for your LAN"
Then put a check mark at "Automatically detect settings"
Click the "OK" button twice in succession; if you changed these settings via Internet Explorer, close the browser.


Step 5
Download TFC to your desktop (click)
N.B.: Users of Windows Vista and Windows 7 start the tool by right-clicking and choosing Run as Administrator!
  • Click/double-click TFC.exe to start the program.
  • Don't be alarmed - the tool closes all running programs - so make sure your work is saved!
  • Then click the Start button to start the scan. This scan may take a short or longer time; be patient, let TFC do its job and wait until TFC is finished.
  • When TFC is done, a message appears that the computer will be restarted.
  • If the shutdown does not happen automatically, restart the computer yourself.
  • Note: TFC does not show a log!
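The fix list above was built by reading the log by eye: binaries running from Temp or the root of a profile, names such as "ctfmon .exe" with a space before the extension, look-alikes such as wuaucldt.exe next to the real wuauclt.exe, a hijacked Shell=/load=/run=, and AppInit_DLLs, Winlogon Notify and SSODL entries. The script below is an added example, not code from this thread, from HijackThis or from the helper; it mechanises those checks over an HJT log. The expected locations of Windows XP system binaries are an assumption of the example, and SAMPLE_LOG is a constructed excerpt of the first log above (the user name "peter" comes from that log).

```python
"""Heuristic triage of a HijackThis (HJT) log. Added example, not code from the
thread, from HijackThis or from the helper. Expected XP binary locations are an
assumption of this example; SAMPLE_LOG is a constructed excerpt of the log above."""
import re

SYSTEM32 = "c:\\windows\\system32\\"
# Where these binaries live on a clean Windows XP (assumption of this example).
EXPECTED_DIR = {
    "lsass.exe": SYSTEM32, "services.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "svchost.exe": SYSTEM32, "ctfmon.exe": SYSTEM32, "rundll32.exe": SYSTEM32,
    "wuauclt.exe": SYSTEM32, "regedit.exe": "c:\\windows\\",
}
# No legitimate autostart binary runs from Temp, Fonts, Recycler, a logon-script
# folder, the root of a user profile or the root of the drive.
SUSPECT_DIR_RE = re.compile(r"\\(temp|fonts|recycler|logon)\\[^\\]+$"
                            r"|^c:\\documents and settings\\[^\\]+\\[^\\]+$"
                            r"|^c:\\[^\\]+$")
DRIVE_PATH = r"[a-z]:\\"

def one_edit_apart(a, b):
    """True if a and b differ by exactly one inserted or deleted character."""
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def judge_path(path):
    """Reasons one executable path looks wrong; [] if it looks fine."""
    path = path.strip().lower()
    name = path.rsplit("\\", 1)[-1]
    base = name.replace(" ", "")                  # "ctfmon .exe" -> "ctfmon.exe"
    reasons = []
    if " ." in name:
        reasons.append("space before extension")
    if base in EXPECTED_DIR and path != EXPECTED_DIR[base] + base:
        reasons.append(f"{base} outside its expected location")
    reasons += [f"look-alike of {k}" for k in EXPECTED_DIR if one_edit_apart(base, k)]
    if SUSPECT_DIR_RE.search(path):
        reasons.append("runs from Temp/Fonts/profile root/drive root")
    return reasons

def judge_entry(line):
    """Reasons an F2/F3/O4/O20/O21 autostart line deserves 'Fix checked'."""
    low = line.strip().lower()
    reasons = []
    m = re.match(r"f2 - reg:system\.ini: shell=(.+)", low)
    if m and m.group(1).strip() != "explorer.exe":
        reasons.append("Shell= loads more than explorer.exe")
    m = re.match(r"f3 - reg:win\.ini: (load|run)=.+", low)
    if m:
        reasons.append(f"win.ini {m.group(1)}= should be empty")
    m = re.match(r"o4 - (startup|[^:]+): (?:\[(.*?)\] )?(.*)", low)
    if m:
        where, valname, value = m.groups()
        if where == "startup" and "\\" not in value and " = " not in value and value.endswith(".exe"):
            reasons.append("loose .exe in Startup folder")
        if valname and valname.isdigit():
            reasons.append("numeric Run value name")
    if low.startswith("o20 - appinit_dlls:"):
        reasons.append("AppInit_DLLs set: DLL injected into every user32 process")
    m = re.match(r"o20 - winlogon notify: .+ - (.+)", low)
    if m and not m.group(1).startswith(SYSTEM32):
        reasons.append("Winlogon Notify DLL outside system32")
    if low.startswith("o21 - ssodl:"):
        reasons.append("SSODL entry: review manually")
    for p in re.findall(DRIVE_PATH + r".*?\.exe", low):   # same scrutiny as a process
        reasons += judge_path(p)
    return reasons

def triage(log_text):
    """Map each suspicious line of an HJT log to the reasons it was flagged."""
    findings = {}
    for line in (l.strip() for l in log_text.splitlines()):
        if re.match(DRIVE_PATH, line, re.I):      # a "Running processes" line
            reasons = judge_path(line)
        else:
            reasons = judge_entry(line)           # other lines yield [] unless hit
        if reasons:
            findings[line] = reasons
    return findings

def plan(log_text):
    """Split findings into HJT lines to tick ('Fix checked') and files to delete."""
    fixes, paths = [], set()
    for line in triage(log_text):
        if not re.match(DRIVE_PATH, line, re.I):
            fixes.append(line)
        paths.update(re.findall(DRIVE_PATH + r".*?\.(?:exe|dll|tmp)", line.lower()))
    return fixes, sorted(paths)

SAMPLE_LOG = r"""
c:\windows\system32\lsass.exe
c:\docume~1\peter\locals~1\temp\nrktcvy.exe
c:\documents and settings\peter\wuaucldt.exe
c:\windows\temp\hbh .exe
c:\windows\system32\ctfmon .exe
c:\program files\java\jre6\bin\jqs.exe
c:\lsass.exe
f2 - reg:system.ini: shell=explorer.exe rundll32.exe syce.xto nqxwp
f3 - reg:win.ini: load=c:\windows\fonts\services.exe
o4 - hklm\..\run: [7241] c:\docume~1\peter\locals~1\temp\nrktcvy.exe
o4 - hklm\..\run: [regedit32] c:\windows\system32\regedit.exe
o4 - hkus\s-1-5-18\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'system')
o4 - startup: ihaupd32.exe
o20 - appinit_dlls: c:\windows\system32\kbdsock.dll
o20 - winlogon notify: cbssreg - c:\documents and settings\all users\documenten\settings\cbss.dll
o21 - ssodl: gootkitsso - {f90d0126-b018-485c-b46e-cf5d24137ae6} - c:\windows\system32\msxsltsso.dll
"""
```

Running `plan(SAMPLE_LOG)` on the excerpt reproduces the helper's split: the eight autostart lines to tick in HijackThis, and the files (nrktcvy.exe, wuaucldt.exe, "hbh .exe", the misplaced lsass.exe and regedit.exe, services.exe in Fonts, the three DLLs) to delete afterwards. The legitimate lsass.exe in system32, jqs.exe and the SYSTEM ctfmon.exe entry are left alone. The heuristics are deliberately path- and name-based, so a file such as reader_s.exe sitting in system32 still needs a human or a signature scanner, exactly as in the thread.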
 

rclinden

Familiar face
Re: Security Tool and ihaupd32.exe error

Next round???

I've carried out steps 1 to 5 above, including restarting the PC.
The good old familiar desktop came back.
The yellow update icon appeared in the system tray.
Couldn't see whether it completed fully.

The desktop now contains all my own shortcuts, and there are THREE new ones.
1. Pornotube...
2. Nudetube.com
3. Youporn.com

I don't find those shortcuts interesting and it's strange that they're there. So I have NOT clicked them or looked at what they link to.

Then I clicked Internet Explorer and this appears:
A dialog box titled "Malicious software removal tool"
on the left an exclamation mark in a yellow triangle, with next to it the text "Your computer can be infected with spying programs (spyware). It is recommended that you run a quick sytem check now."
Plus an OK and a Cancel button.

I still have this screen open, and it looks suspiciously like the Security Tool to me.
Oh yes, the Security Tool shortcut is still on the desktop. In the old icon style, white with a blue DOS bar above it.

How to proceed.......
 

Abraham54

Administrator
Team member
Re: Security Tool and ihaupd32.exe error

A new HJT log please!
 

Abraham54

Administrator
Team member
Re: Security Tool and ihaupd32.exe error

Close it via Task Manager!

Now it's time to download, install and update MBAM and run a scan!
See also my first post!
 

rclinden

Familiar face
Re: Security Tool and ihaupd32.exe error

> Close it via Task Manager!
>
> Now it's time to download, install and update MBAM and run a scan!
> See also my first post!
Under Applications there is nothing in Task Manager.
Under Processes a great many.
Which process should I close???
jqs.exe is unfamiliar to me; it isn't running on this PC either
naprdmgr.exe also unfamiliar
pereSvc.exe also unfamiliar
VRTD.temp also unfamiliar
 

Abraham54

Administrator
Team member
Re: Security Tool and ihaupd32.exe error

I was getting ahead of myself too - don't close anything - I first want a new HJT log now!
 

rclinden

Familiar face
Re: Security Tool and ihaupd32.exe error

OK, that malicious screen is still open.

Here's my log
[hjt]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:33:14, on 6-4-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
c:\windows\system32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\spoolsv.exe
c:\windows\explorer.exe
c:\program files\creative\shared files\ctaudsvc.exe
c:\windows\system32\regedit.exe
c:\windows\system32\reader_s.exe
c:\documents and settings\peter\wuaucldt.exe
c:\windows\system32\svchost.exe
c:\documents and settings\peter\reader_s.exe
c:\program files\microsoft office\office12\onenotem.exe
c:\windows\system32\svchost.exe
c:\windows\system32\cmd.exe
c:\windows\system32\svchost.exe
c:\program files\common files\acronis\schedule2\schedul2.exe
c:\windows\system32\grouppolicy\user\scripts\logon\winlogo.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ctsvccda.exe
c:\program files\java\jre6\bin\jqs.exe
c:\program files\network associates\common framework\frameworkservice.exe
c:\program files\network associates\virusscan\vstskmgr.exe
c:\program files\network associates\common framework\naprdmgr.exe
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
c:\program files\raxco\perfectdisk10\pdagent.exe
c:\windows\system32\peresvc.exe
c:\windows\system32\mspmspsv.exe
c:\windows\system32\svchost.exe
c:\windows\temp\vrtd.tmp
c:\windows\system32\rundll32.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\fonts\services.exe
c:\program files\trend micro\hijackthis\hijackthis.exe
c:\windows\system32\wbem\wmiprvse.exe

r1 - hkcu\software\microsoft\internet explorer\main,search page = http://go.microsoft.com/fwlink/?linkid=54896
r0 - hkcu\software\microsoft\internet explorer\main,start page = http://tweakers.net/
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = http://go.microsoft.com/fwlink/?linkid=69157
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = http://go.microsoft.com/fwlink/?linkid=54896
r1 - hklm\software\microsoft\internet explorer\main,search page = http://go.microsoft.com/fwlink/?linkid=54896
r0 - hklm\software\microsoft\internet explorer\main,start page = http://go.microsoft.com/fwlink/?linkid=69157
r1 - hkcu\software\microsoft\internet connection wizard,shellnext = http://go.microsoft.com/fwlink/?linkid=74005
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername = koppelingen
o2 - bho: acroiehelperstub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
o2 - bho: ipswitch.wsftpbrowserhelper - {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll
o2 - bho: java(tm) plug-in 2 ssv helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
o2 - bho: jqsiestartdetectorimpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
o4 - hklm\..\run: [28252] c:\docume~1\peter\locals~1\temp\nrktcvy.exe
o4 - hklm\..\run: [regedit32] c:\windows\system32\regedit.exe
o4 - hklm\..\run: [syncman] c:\windows\system32\wuaucldt.exe
o4 - hklm\..\run: [reader_s] c:\windows\system32\reader_s.exe
o4 - hklm\..\run: [uxvefl] rundll32.exe c:\windows\system32\mssapsmr.dll,w
o4 - hklm\..\run: [adobe_reader] c:\program files\internet explorer\wmpscfgs.exe
o4 - hkcu\..\run: [syncman] c:\documents and settings\peter\wuaucldt.exe
o4 - hkcu\..\run: [reader_s] c:\documents and settings\peter\reader_s.exe
o4 - hklm\..\policies\explorer\run: [exec] c:\windows\fonts\services.exe
o4 - hklm\..\policies\explorer\run: [vrna] c:\windows\temp\s0q6.exe
o4 - hkus\s-1-5-19\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'lokale service')
o4 - hkus\s-1-5-19\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'lokale service')
o4 - hkus\s-1-5-20\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'netwerkservice')
o4 - hkus\s-1-5-20\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'netwerkservice')
o4 - hkus\s-1-5-18\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'system')
o4 - hkus\s-1-5-18\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'system')
o4 - hkus\.default\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'default user')
o4 - hkus\.default\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'default user')
o4 - startup: onenote 2007 schermopname en snel starten.lnk = c:\program files\microsoft office\office12\onenotem.exe
o4 - startup: wwwwpt32.exe
o8 - extra context menu item: e&xporteren naar microsoft excel - res://c:\progra~1\micros~2\office12\excel.exe/3000
o9 - extra button: verzenden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\micros~2\office12\onbttnie.dll
o9 - extra 'tools' menuitem: verz&enden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\micros~2\office12\onbttnie.dll
o9 - extra button: research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - c:\progra~1\micros~2\office12\refiebar.dll
o9 - extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\windows\network diagnostic\xpnetdiag.exe
o9 - extra 'tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\windows\network diagnostic\xpnetdiag.exe
o16 - dpf: {1fec8b6f-250a-4293-b12c-67a7ef0b758a} (sikn speler) - http://www.kerkomroep.nl/ocx/siknplayer.cab
o16 - dpf: {f6acf75c-c32c-447b-9bef-46b766368d29} (creative software autoupdate support package) - http://ccfiles.creative.com/web/softwareupdate/su2/ocx/15111/ctpid.cab
o20 - appinit_dlls: c:\windows\system32\kbdsock.dll
o20 - winlogon notify: cbssreg - c:\documents and settings\all users\documenten\settings\cbss.dll
o21 - ssodl: gootkitsso - {295591fa-15a9-40fb-b56e-a0bc42d49733} - c:\windows\system32\msxsltsso.dll
o23 - service: acronis scheduler2 service (acrsch2svc) - acronis - c:\program files\common files\acronis\schedule2\schedul2.exe
o23 - service: ati hotkey poller - ati technologies inc. - c:\windows\system32\ati2evxx.exe
o23 - service: creative audio engine licensing service - creative labs - c:\program files\common files\creative labs shared\service\ctaelicensing.exe
o23 - service: creative service for cdrom access - creative technology ltd - c:\windows\system32\ctsvccda.exe
o23 - service: creative audio service (ctaudsvcservice) - creative technology ltd - c:\program files\creative\shared files\ctaudsvc.exe
o23 - service: java quick starter (javaquickstarterservice) - sun microsystems, inc. - c:\program files\java\jre6\bin\jqs.exe
o23 - service: mcafee framework service (mcafeeframework) - mcafee, inc. - c:\program files\network associates\common framework\frameworkservice.exe
o23 - service: network associates task manager (mctaskmanager) - network associates, inc. - c:\program files\network associates\virusscan\vstskmgr.exe
o23 - service: nvidia display driver service (nvsvc) - nvidia corporation - c:\windows\system32\nvsvc32.exe
o23 - service: pdagent - raxco software, inc. - c:\program files\raxco\perfectdisk10\pdagent.exe
o23 - service: pdengine - raxco software, inc. - c:\program files\raxco\perfectdisk10\pdengine.exe
o23 - service: peresvc service (peresvc) - neto systems - c:\windows\system32\peresvc.exe
--
end of file - 8108 bytes

[/hjt]
 

Abraham54

Administrator
Team member
Re: Security Tool and ihaupd32.exe error

Hello Rijk, do the following:

Step 1
Open a new Notepad file (Start\All Programs\Accessories\Notepad),
then copy and paste the (bold, blue) text into the empty window:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"c:\windows\system32\reader_s.exe"
"c:\documents and settings\peter\reader_s.exe"
"c:\windows\system32\grouppolicy\user\scripts\logon\winlogo.exe"
"c:\windows\fonts\services.exe"
"c:\windows\temp\s0q6.exe"

) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted successfully>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt
DEL %0



Go to File - Save As.
  • Under Save in choose: Desktop
  • Under File name enter: del.bat
  • Under Save as type select: All Files (*.*)
  • Then click the Save button


Step 2
And after that this: download Combofix to your desktop to have your Windows scanned (CLICK).

Also important: how to use Combofix properly? (CLICK)
[*] If Combofix ends up in the download folder of Vista/Windows 7, first move Combofix to the desktop


Ergo: next time post both logs!
 

rclinden

Familiar face
Re: Security Tool and ihaupd32.exe error

First of all, Abraham, what great help and what patience. It radiates professionalism.
It's late now. I'm going to sleep shortly.
Here's my log.
Thanks in advance for all your dedication and patience.
Great.
I'm confident it will turn out fine.

[hjt]
combofix 10-04-05.06 - r.c. van der linden 06-04-2010 23:17:55.1.2 - x86
started from: c:\documents and settings\peter\bureaublad\combofix.exe
.
(((((((((((((((((((((((((((((((((( other deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\del.bat
c:\documents and settings\all users\application data\24996838
c:\documents and settings\all users\application data\24996838\24996838.exe
c:\documents and settings\all users\bureaublad\nudetube.com.lnk
c:\documents and settings\all users\bureaublad\pornotube.com.lnk
c:\documents and settings\all users\bureaublad\youporn.com.lnk
c:\documents and settings\all users\documenten\settings
c:\documents and settings\all users\documenten\settings\cbss.dll
c:\documents and settings\peter\application data\avdrn.dat
c:\documents and settings\peter\application data\wiaservg.log
c:\documents and settings\peter\bureaublad\security tool.lnk
c:\documents and settings\peter\menu start\programma's\opstarten\wwwwpt32.exe
c:\documents and settings\peter\reader_s .exe
c:\documents and settings\peter\reader_s.exe
c:\documents and settings\peter\rundll32.exe
c:\documents and settings\peter\wuaucldt .exe
c:\documents and settings\peter\wuaucldt.exe
c:\lsass.exe
c:\program files\adobe\acrotray .exe
c:\program files\install.log
c:\program files\internet explorer\js.mui
c:\program files\internet explorer\rasadhlp.dll
c:\program files\internet explorer\wmpscfgs .exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\protection system
c:\recycler\s-1-5-21-0863740699-8294275069-815605322-5342
c:\recycler\s-1-5-21-1192902075-4174688033-179230843-7112
c:\recycler\s-1-5-21-1665119533-1873345194-362338438-8566
c:\recycler\s-1-5-21-3541863818-0771419381-435515990-4952
c:\recycler\s-1-5-21-5607739380-0710123683-796702532-2721
c:\recycler\s-1-5-21-5645888814-8252360266-241047620-3406
c:\recycler\s-1-5-21-7038316017-6612796136-259008451-9802
c:\recycler\s-1-5-21-7523667604-4308254505-650256088-0263
c:\recycler\s-1-5-21-7973081229-1581602067-651433514-1036
c:\recycler\s-1-5-21-8027037173-9408009103-714557614-0688
c:\windows\esellerateengine.dll
c:\windows\fonts\mlog
c:\windows\fonts\services.exe
c:\windows\help\verifier.hlp
c:\windows\install.exe
c:\windows\install.txt
c:\windows\rolslgn.dll
c:\windows\sc.exe
c:\windows\sc.ins
c:\windows\system32\1115,534.exe
c:\windows\system32\134,9515.exe
c:\windows\system32\1348,062.exe
c:\windows\system32\1501,383.exe
c:\windows\system32\212,5186.exe
c:\windows\system32\2361,209.exe
c:\windows\system32\318,3693.exe
c:\windows\system32\3327,6.exe
c:\windows\system32\3773,767.exe
c:\windows\system32\3941,874.exe
c:\windows\system32\4027,368.exe
c:\windows\system32\4545,199.exe
c:\windows\system32\567.exe
c:\windows\system32\6511,805.exe
c:\windows\system32\674,96.exe
c:\windows\system32\7231,851.exe
c:\windows\system32\7348,856.exe
c:\windows\system32\7804,019.exe
c:\windows\system32\7960,421.exe
c:\windows\system32\7972,971.exe
c:\windows\system32\8104,654.exe
c:\windows\system32\8161,845.exe
c:\windows\system32\8371,851.exe
c:\windows\system32\8453,593.exe
c:\windows\system32\8719,125.exe
c:\windows\system32\8726,603.exe
c:\windows\system32\8838,718.exe
c:\windows\system32\8856,912.exe
c:\windows\system32\9561,533.exe
c:\windows\system32\btwsvc.dll
c:\windows\system32\cooper.mine
c:\windows\system32\ctfmon .exe
c:\windows\system32\finstall.sys
c:\windows\system32\install.txt
c:\windows\system32\kbdsock.dll
c:\windows\system32\kzp.4e
c:\windows\system32\ms.bin
c:\windows\system32\mshlps.dll
c:\windows\system32\mssapsmr.dll
c:\windows\system32\msxsltsso.dll
c:\windows\system32\nmklo.dll
c:\windows\system32\opear.exe
c:\windows\system32\peresvc.exe
c:\windows\system32\powerdes.exe
c:\windows\system32\reader_s .exe
c:\windows\system32\reader_s.exe
c:\windows\system32\regedit .exe
c:\windows\system32\regedit.exe
c:\windows\system32\rth.gde
c:\windows\system32\so.bin
c:\windows\system32\sshnas21.dll
c:\windows\system32\w.exe
c:\windows\system32\wuaucldt.exe
c:\windows\tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job
c:\windows\tasks\{66ba574b-1e11-49b8-909c-8cc9e0e8e015}.job
c:\windows\temp\mta13187.dll
besmet exemplaar van c:\windows\system32\userinit.exe werd aangetroffen en gedesinfecteerd
hersteld exemplaar van - c:\windows\system32\dllcache\userinit.exe
besmet exemplaar van c:\windows\system32\svchost.exe werd aangetroffen en gedesinfecteerd
hersteld exemplaar van - c:\windows\system32\dllcache\svchost.exe
besmet exemplaar van c:\windows\system32\spoolsv.exe werd aangetroffen en gedesinfecteerd
hersteld exemplaar van - c:\windows\system32\dllcache\spoolsv.exe
besmet exemplaar van c:\windows\explorer.exe werd aangetroffen en gedesinfecteerd
hersteld exemplaar van - c:\windows\system32\dllcache\explorer.exe
c:\windows\system32\drivers\ndis.sys . . . is geïnfecteerd!!
besmet exemplaar van c:\windows\system32\clipsrv.exe werd aangetroffen en gedesinfecteerd
hersteld exemplaar van - c:\windows\system32\dllcache\clipsrv.exe
.
((((((((((((((((((((((((((((((((((((((( drivers/services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\legacy_btwsvc
-------\legacy_sshnas
-------\service_btwsvc
-------\service_sshnas
-------\legacy_peresvc
-------\service_peresvc
(((((((((((((((((((( bestanden gemaakt van 2010-03-06 to 2010-04-06 ))))))))))))))))))))))))))))))
.
2010-04-06 21:08 . 2010-04-06 21:01 3908251 ----a-w- c:\combofix.exe
2010-04-06 17:11 . 2010-04-06 16:39 5918776 ----a-w- c:\mbam-setup.exe
2010-04-06 17:03 . 2010-04-06 17:03 -------- d-----w- c:\documents and settings\networkservice\local settings\application data\adobe
2010-04-06 16:41 . 2010-04-06 16:41 -------- d-----w- c:\program files\trend micro
2010-04-06 16:36 . 2010-04-06 16:28 812344 ----a-w- c:\hijackthisinstaller.exe
2010-04-06 15:37 . 2010-04-06 15:37 -------- d-----r- c:\documents and settings\networkservice\favorieten
2010-04-06 15:13 . 2010-04-06 15:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 15:06 . 2010-04-06 15:06 -------- d-----w- c:\documents and settings\administrator\application data\glarysoft
2010-04-06 15:05 . 2010-04-06 15:05 -------- d-----w- c:\documents and settings\administrator\application data\arcticline
2010-04-06 15:05 . 2010-04-06 15:05 -------- d-----w- c:\documents and settings\administrator\application data\ipswitch
2010-04-06 15:00 . 2010-04-06 15:00 -------- d-----w- c:\documents and settings\administrator\application data\office genuine advantage
2010-04-06 14:59 . 2010-04-06 14:59 -------- d-sh--w- c:\documents and settings\administrator\ietldcache
2010-04-06 14:36 . 2010-04-06 14:36 -------- d-----w- c:\windows\system32\grouppolicy
2010-04-06 14:35 . 2010-04-06 21:47 36864 ----a-w- c:\windows\system32\d.bin
2010-04-06 14:26 . 2010-04-06 14:26 -------- dc----w- c:\documents and settings\all users\application data\{74d08eb8-01d1-4bae-91e3-f30c1b031ac6}
2010-04-06 14:09 . 2010-04-06 14:42 -------- d-----w- c:\windows\system32\config\systemprofile\tracing
2010-04-06 14:09 . 2010-04-06 14:09 -------- d-----r- c:\documents and settings\localservice\favorieten
2010-04-06 14:08 . 2010-04-06 14:21 -------- d-----w- c:\documents and settings\all users\application data\30593626
2010-04-06 07:39 . 2010-04-06 07:39 -------- d-----w- c:\windows\system32\config\systemprofile\application data\ipswitch
2010-04-06 07:35 . 2010-04-06 07:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\privacie
2010-04-06 07:20 . 2010-04-06 07:20 -------- d-sh--w- c:\documents and settings\peter\.commgr
2010-04-06 07:20 . 2010-04-06 14:08 286720 ----a-w- c:\windows\system32\msup1.exe
2010-04-06 07:13 . 2010-04-06 07:13 -------- d-----w- c:\windows\sun
2010-04-01 15:54 . 2010-04-01 15:53 724992 ----a-w- c:\windows\iun6002.exe
2010-04-01 12:03 . 2010-04-01 12:03 -------- d-----w- c:\windows\system32\wbem\repository
2010-03-30 08:51 . 2010-04-06 20:35 -------- d--h--r- c:\documents and settings\peter\onlangs geopend
2010-03-27 20:37 . 2010-03-27 20:47 -------- d-----w- c:\mijn videos
2010-03-27 17:16 . 2008-07-10 10:00 3851784 ----a-w- c:\windows\system32\d3dx9_39.dll
2010-03-27 17:14 . 2010-03-27 17:14 -------- d-----w- c:\windows\logs
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\uc.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\rar.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\pkzip.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\pkunzip.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\noclose.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\lha.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\arj.pif
2010-03-24 18:27 . 2010-03-24 18:27 -------- d-----w- c:\documents and settings\all users\application data\raxco
2010-03-24 18:26 . 2010-03-24 18:26 -------- d-----w- c:\program files\raxco
2010-03-24 13:50 . 2010-03-24 13:50 -------- d-----w- c:\windows\system32\ageia
2010-03-24 13:50 . 2010-03-24 13:50 -------- d-----w- c:\program files\ageia technologies
2010-03-24 13:50 . 2010-03-24 13:50 -------- d-----w- c:\program files\common files\wise installation wizard
2010-03-19 20:26 . 2010-03-19 20:26 -------- d-----w- c:\documents and settings\all users\application data\digital aviation
2010-03-19 16:10 . 2010-03-19 16:10 15086 ----a-r- c:\documents and settings\peter\application data\microsoft\installer\{fb56079b-7d0c-4d1d-864a-09ba159cc31b}\arpproducticon.exe
2010-03-19 16:10 . 2010-03-19 16:10 -------- d-----w- c:\documents and settings\peter\application data\hifi
2010-03-19 16:09 . 2010-03-19 16:09 -------- d-----w- c:\windows\downloaded installations
2010-03-15 19:56 . 2010-03-15 19:56 -------- d-----w- c:\documents and settings\peter\local settings\application data\ghisler
2010-03-15 18:56 . 2010-03-15 18:56 -------- d-----w- c:\documents and settings\peter\local settings\application data\karen's power tools
2010-03-15 18:56 . 2010-03-15 18:56 -------- d-----w- c:\documents and settings\all users\application data\karen's power tools
2010-03-14 13:45 . 2010-04-02 10:37 -------- d-----w- c:\documents and settings\peter\local settings\application data\deployment
2010-03-13 16:36 . 2010-03-24 18:53 -------- d-----w- c:\documents and settings\peter\application data\dvdcss
2010-03-12 21:56 . 2010-04-04 18:26 -------- d-----w- c:\documents and settings\peter\application data\vlc
2010-03-12 17:12 . 2002-07-26 15:02 26000 ----a-w- c:\windows\system32\ctl3d.dll
2010-03-12 17:12 . 1998-07-05 22:00 14336 ----a-w- c:\windows\system32\mscomde.dll
2010-03-12 17:12 . 1998-05-04 22:00 24576 ----a-w- c:\windows\system32\cmct2de.dll
2010-03-09 16:44 . 2010-03-09 17:05 -------- d-----w- c:\documents and settings\peter\local settings\application data\mirillis
.
((((((((((((((((((((((((((((((((((((((( find3m rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 21:37 . 2010-04-06 21:37 36865 ----a-w- c:\windows\system32\msuqddft.dll
2010-04-06 21:37 . 2010-04-06 21:37 167554 ----a-w- c:\windows\system32\4201,166.exe
2010-04-06 21:36 . 2009-09-19 22:12 0 ----a-w- c:\windows\system32\drivers\
2010-04-06 21:26 . 2008-04-15 12:00 580096 ----a-w- c:\windows\system32\user32.dll
2010-04-06 16:01 . 2008-04-15 12:00 61952 ----a-w- c:\windows\system32\ctfmon.exe
2010-04-06 14:28 . 2008-12-21 00:14 155648 ----a-w- c:\windows\system32\wscript.exe
2010-04-06 14:28 . 2009-08-27 13:06 107008 ----a-w- c:\windows\system32\tlntsess.exe
2010-04-06 14:28 . 2009-06-15 11:14 104448 ----a-w- c:\windows\system32\telnet.exe
2010-04-06 14:27 . 2009-08-27 13:06 59904 ----a-w- c:\windows\system32\sc.exe
2010-04-06 14:27 . 2008-04-15 12:00 58368 ----a-w- c:\windows\system32\rundll32.exe
2010-04-06 14:26 . 2002-12-31 12:00 184320 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-06 14:26 . 2009-09-19 20:31 370176 ----a-w- c:\windows\system32\mspaint.exe
2010-04-06 14:26 . 2008-04-15 12:00 103424 ----a-w- c:\windows\system32\msiexec.exe
2010-04-06 14:25 . 2008-04-15 12:00 539648 ----a-w- c:\windows\system32\logonui.exe
2010-04-06 14:25 . 2008-12-21 00:07 100864 ----a-w- c:\windows\system32\logagent.exe
2010-04-06 14:25 . 2008-04-15 12:00 175104 ----a-w- c:\windows\system32\imapi.exe
2010-04-06 14:24 . 2008-12-21 00:14 135168 ----a-w- c:\windows\system32\cscript.exe
2010-04-06 14:24 . 2008-04-15 12:00 424448 ----a-w- c:\windows\system32\cmd.exe
2010-04-06 14:24 . 2010-03-05 16:27 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-06 14:21 . 2000-06-26 06:44 77824 ----a-w- c:\windows\system32\mspmspsv.exe
2010-04-06 14:20 . 2010-02-24 12:12 68608 ----a-w- c:\windows\system32\ctsvccda.exe
2010-04-06 14:08 . 2010-04-06 14:08 28515 ----a-w- c:\documents and settings\peter\23.tmp
2010-04-06 14:08 . 2010-04-06 14:08 90112 ----a-w- c:\documents and settings\peter\22.tmp
2010-04-06 14:08 . 2010-04-06 14:08 168 ----a-w- c:\documents and settings\peter\1a.tmp
2010-04-06 14:07 . 2010-04-06 14:07 12 ----a-w- c:\windows\system32\config\systemprofile\application data\jvmoxh.dat
2010-04-06 07:47 . 2010-04-06 07:47 90112 ----a-w- c:\documents and settings\peter\4a.tmp
2010-04-06 07:47 . 2010-04-06 07:47 30208 ----a-w- c:\documents and settings\peter\49.tmp
2010-04-06 07:47 . 2010-04-06 07:47 29494 ----a-w- c:\documents and settings\peter\48.tmp
2010-04-06 07:47 . 2010-04-06 07:47 70144 ----a-w- c:\documents and settings\peter\47.tmp
2010-04-06 07:47 . 2010-04-06 07:47 23552 ----a-w- c:\documents and settings\peter\46.tmp
2010-04-06 07:47 . 2010-04-06 07:47 208 ----a-w- c:\documents and settings\peter\45.tmp
2010-04-06 07:46 . 2010-04-06 07:46 90112 ----a-w- c:\documents and settings\peter\3d.tmp
2010-04-06 07:46 . 2010-04-06 07:46 29494 ----a-w- c:\documents and settings\peter\3b.tmp
2010-04-06 07:46 . 2010-04-06 07:46 70144 ----a-w- c:\documents and settings\peter\3a.tmp
2010-04-06 07:46 . 2010-04-06 07:46 23552 ----a-w- c:\documents and settings\peter\39.tmp
2010-04-06 07:46 . 2010-04-06 07:46 208 ----a-w- c:\documents and settings\peter\38.tmp
2010-04-06 07:45 . 2010-04-06 07:45 90112 ----a-w- c:\documents and settings\peter\30.tmp
2010-04-06 07:45 . 2010-04-06 07:45 70144 ----a-w- c:\documents and settings\peter\2c.tmp
2010-04-06 07:45 . 2010-04-06 07:45 29494 ----a-w- c:\documents and settings\peter\2e.tmp
2010-04-06 07:45 . 2010-04-06 07:45 208 ----a-w- c:\documents and settings\peter\2a.tmp
2010-04-06 07:45 . 2010-04-06 07:45 90112 ----a-w- c:\documents and settings\peter\1f.tmp
2010-04-06 07:45 . 2010-04-06 07:45 70144 ----a-w- c:\documents and settings\peter\18.tmp
2010-04-06 07:45 . 2010-04-06 07:45 208 ----a-w- c:\documents and settings\peter\16.tmp
2010-04-06 07:38 . 2010-04-06 07:38 0 ----a-w- c:\documents and settings\peter\2d.tmp
2010-04-06 07:38 . 2010-04-06 07:38 90112 ----a-w- c:\documents and settings\peter\1e.tmp
2010-04-06 07:38 . 2010-04-06 07:38 29494 ----a-w- c:\documents and settings\peter\1c.tmp
2010-04-06 07:38 . 2010-04-06 07:38 70144 ----a-w- c:\documents and settings\peter\1b.tmp
2010-04-06 07:38 . 2010-04-06 07:38 208 ----a-w- c:\documents and settings\peter\19.tmp
2010-04-06 07:38 . 2010-04-06 07:38 90112 ----a-w- c:\documents and settings\peter\10.tmp
2010-04-06 07:37 . 2010-04-06 07:37 208 ----a-w- c:\documents and settings\peter\a.tmp
2010-04-06 07:34 . 2010-04-06 07:34 0 ----a-w- c:\documents and settings\peter\9.tmp
2010-04-06 07:20 . 2010-04-06 07:20 0 ----a-w- c:\documents and settings\peter\33.tmp
2010-04-06 07:20 . 2008-04-15 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-06 07:20 . 2010-04-06 07:20 12 ----a-w- c:\documents and settings\networkservice\application data\jvmoxh.dat
2010-04-05 16:17 . 2010-02-27 20:22 -------- d-----w- c:\documents and settings\peter\application data\utorrent
2010-03-28 09:21 . 2008-04-15 12:00 92112 ----a-w- c:\windows\system32\perfc013.dat
2010-03-28 09:21 . 2008-04-15 12:00 513150 ----a-w- c:\windows\system32\perfh013.dat
2010-03-27 19:14 . 2009-09-20 12:22 -------- d--h--w- c:\program files\installshield installation information
2010-03-25 15:01 . 2010-02-22 19:47 -------- d-----w- c:\program files\glary utilities
2010-03-23 11:51 . 2010-03-03 21:41 -------- d-----w- c:\documents and settings\peter\application data\belastingdienst
2010-03-17 18:57 . 2009-09-20 13:05 69280 ----a-w- c:\documents and settings\peter\local settings\application data\gdipfontcachev1.dat
2010-03-10 11:00 . 2010-03-05 16:01 -------- d-----w- c:\documents and settings\all users\application data\microsoft help
2010-03-09 19:42 . 2010-02-24 15:36 -------- d-----w- c:\documents and settings\all users\application data\lavasoft
2010-03-05 18:32 . 2010-03-05 18:32 -------- d-----w- c:\documents and settings\all users\application data\office genuine advantage
2010-03-05 18:32 . 2010-03-05 18:32 -------- d-----w- c:\documents and settings\peter\application data\office genuine advantage
2010-03-05 16:33 . 2009-09-19 20:44 -------- d-----w- c:\program files\microsoft works
2010-03-04 14:18 . 2010-03-04 14:18 -------- d-----w- c:\documents and settings\peter\application data\convivea
2010-03-04 13:14 . 2010-03-04 13:14 128 ----a-w- c:\documents and settings\peter\local settings\application data\fusioncache.dat
2010-03-02 21:45 . 2010-03-02 21:45 -------- d-----w- c:\documents and settings\peter\application data\installshield
2010-03-02 19:47 . 2010-03-02 19:47 -------- d-----w- c:\program files\common files\logitech
2010-03-02 19:47 . 2010-03-02 19:47 -------- d-----w- c:\program files\logitech
2010-02-28 14:10 . 2010-02-28 14:10 -------- d-----w- c:\documents and settings\peter\application data\teamspeak2
2010-02-27 20:16 . 2010-02-27 20:16 -------- d-----w- c:\documents and settings\peter\application data\arcticline
2010-02-26 20:59 . 2010-02-26 20:59 -------- d-----w- c:\program files\common files\creative labs shared
2010-02-26 20:58 . 2010-02-24 12:01 -------- d-----w- c:\program files\creative
2010-02-26 20:57 . 2010-02-26 20:49 288 ----a-w- c:\windows\system32\dvcstatebkp-{00000002-00000000-0000000b-00001102-00000004-10021102}.dat
2010-02-26 20:57 . 2010-02-26 20:49 288 ----a-w- c:\windows\system32\dvcstate-{00000002-00000000-0000000b-00001102-00000004-10021102}.dat
2010-02-26 20:57 . 2010-02-24 12:02 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-26 20:57 . 2010-02-24 12:02 109080 ----a-w- c:\windows\system32\openal32.dll
2010-02-26 18:55 . 2010-02-26 18:48 288 ----a-w- c:\windows\system32\dvcstatebkp-{00000002-00000000-0000000b-00001102-00000004-10001102}.dat
2010-02-26 16:09 . 2010-02-26 16:09 90 --sh--w- c:\windows\cnerolf.dat
2010-02-25 06:20 . 2009-06-29 16:15 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:55 . 2010-02-24 15:55 95024 ----a-w- c:\windows\system32\drivers\sbredrv.sys
2010-02-24 15:02 . 2010-02-26 15:31 97364760 ----a-w- c:\ad-awareinstaller.exe
2010-02-24 12:17 . 2010-02-24 12:02 -------- d-----w- c:\documents and settings\peter\application data\creative
2010-02-24 12:13 . 2010-02-24 12:11 -------- d--h--w- c:\program files\creative installation information
2010-02-24 12:11 . 2010-02-24 12:11 -------- d-----w- c:\program files\common files\creative
2010-02-24 12:11 . 2010-02-24 12:10 6390815 ----a-w- c:\documents and settings\all users\application data\creative\software update\cache\creative soundfont bank manager web update ver 1.00.21__\sfbm_web_030909.exe
2010-02-24 12:10 . 2010-02-24 12:09 12907880 ----a-w- c:\documents and settings\all users\application data\creative\software update\cache\creative wavestudio 7.12.00__\wavestd_pcapp_lb_7_12_00.exe
2010-02-24 12:09 . 2010-02-24 12:07 37634288 ----a-w- c:\documents and settings\all users\application data\creative\software update\cache\creative mediasource 5 player_organizer 5.26.02__\cms5_pcapp_lb_5_26_02.exe
2010-02-24 12:05 . 2010-02-24 12:05 -------- d-----w- c:\documents and settings\all users\application data\creative
2010-02-23 15:58 . 2010-02-23 15:58 1392304 ----a-w- c:\windows\system32\autopartnt.exe
2010-02-23 15:51 . 2009-09-19 21:11 -------- d-----w- c:\program files\common files\acronis
2010-02-23 13:38 . 2010-02-23 13:38 -------- d-----w- c:\documents and settings\all users\application data\ati
2010-02-23 13:38 . 2010-02-23 13:38 -------- d-----w- c:\documents and settings\peter\application data\ati
2010-02-23 13:35 . 2010-02-23 13:34 -------- d-----w- c:\program files\ati technologies
2010-02-23 13:35 . 2010-02-23 13:35 0 ----a-w- c:\windows\ativpsrm.bin
2010-02-23 13:34 . 2010-02-23 13:34 10134 ----a-r- c:\documents and settings\peter\application data\microsoft\installer\{d679b939-2ff1-58de-40e0-4876f5c482a5}\arpproducticon.exe
2010-02-23 13:34 . 2010-02-23 13:34 -------- d-----w- c:\program files\ati
2010-02-23 11:25 . 2010-02-23 11:25 4096 ----a-w- c:\windows\d3dx.dat
.
infected c:\windows\system32\user32.dll hex repaired
c:\program files\windows live\messenger\msnmsgr .exe
------- sigcheck -------
[-] 2010-04-06 . 1df7f42665c94b825322fae71721130d . 212480 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-04-06 . 1df7f42665c94b825322fae71721130d . 212480 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-15 . 3ba30158909dd17f01c8f08ab6c95a8b . 82432 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[7] 2008-04-15 . db454135de1a09fe7feda7b554b5cca2 . 57856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\spoolsv.exe
[-] 2008-04-15 . 666c9d8c5d9d04cfcd6be30e78e073e7 . 38912 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2008-04-15 . e410ec73e2be2a41d923b006f51c8427 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\svchost.exe
[-] 2008-04-15 . 632c57bb7345b3b35b084d4ffcb98174 . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[7] 2008-04-15 . 6818a533ed3b2fa9936df3daf45352df . 26112 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\userinit.exe
[-] 2008-04-15 . ab869e1994749bb7b3b5996ea023a9a9 . 1061888 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-15 . aa04f042a820bf1868e643575887e1a6 . 1037312 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
[-] 2009-09-12 . 497bef5c5fad126ca16437c1682f64ea . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2010-04-06 16:01 . 3a7e73de99a5624c904c57e737956f4a . 61952 . . [3.2.1203.2000] . . c:\windows\system32\ctfmon.exe
[7] 2008-04-15 . e98a8c802cdb31fcf4121d9dfbea3677 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( reg opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
regedit4
[hkey_current_user\software\microsoft\windows\currentversion\run]
"syncman"=c:\documents and settings\peter\wuaucldt.exe [n/a]
[hkey_local_machine\software\microsoft\windows\currentversion\run]
"syncman"=c:\windows\system32\wuaucldt.exe [n/a]
"uxvefl"=c:\windows\system32\mssapsmr.dll [n/a]
"adobe_reader"=c:\program files\internet explorer\wmpscfgs.exe [n/a]
"fzwkht"=c:\windows\system32\msuqddft.dll [2010-04-06 36865]
[hkey_users\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe [2010-04-06 61952]
"msnmsgr"=c:\program files\windows live\messenger\msnmsgr.exe [2010-04-06 61952]
"syncman"=c:\documents and settings\peter\wuaucldt.exe [n/a]
[hkey_users\.default\software\microsoft\windows\currentversion\runonce]
"showdeskfix"="shell32" [x]
[hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run]
"vrna"=c:\windows\temp\s0q6.exe [2010-04-06 75264]
[hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer]
"forceclassiccontrolpanel"= 1 (0x1)
"nosmhelp"= 1 (0x1)
[hkey_local_machine\system\currentcontrolset\control\session manager]
bootexecute reg_multi_sz pdboot.exe\0autocheck autochk *
[hkey_local_machine\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-1644491937-790525478-1177238915-1005\scripts\logon\0\0]
"script"=autorun.bat
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\acronis scheduler2 service]
2009-01-20 21:34 377232 ----a-w- c:\program files\common files\acronis\schedule2\schedhlp.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\acronistimountermonitor]
2009-01-20 21:45 960536 ----a-w- c:\program files\acronis\trueimagehome\timountermonitor.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\adobe reader speed launcher]
2009-12-22 00:57 35760 ----a-w- c:\program files\adobe\reader 9.0\reader\reader_sl.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2010-04-06 16:01 61952 ----a-w- c:\windows\system32\ctfmon.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\nerocheck.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
2009-09-19 21:10 149280 ----a-w- c:\program files\java\jre6\bin\jusched.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\trueimagemonitor.exe]
2009-01-20 21:06 4359280 ----a-w- c:\program files\acronis\trueimagehome\trueimagemonitor.exe
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
%windir%\\network diagnostic\\xpnetdiag.exe=
%windir%\\system32\\sessmgr.exe=
c:\\program files\\windows live\\messenger\\msnmsgr.exe=
c:\\program files\\network associates\\common framework\\frameworkservice.exe=
c:\\program files\\ipswitch\\ws_ftp pro\\wsftpgui.exe=
f:\\flight simulator 9\\fs9.exe=
c:\\windows\\system32\\dpnsvr.exe=
c:\\vliegsoft\\fsfdt\\fwinn\\fwinn.exe=
c:\\utorrent\\utorrent.exe=
c:\\program files\\microsoft office\\office12\\onenote.exe=
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"4899:tcp"= 4899:tcp:radmin
r3 commonfx;commonfx;c:\windows\system32\drivers\commonfx.sys [2009-06-23 99352]
r3 creative audio engine licensing service;creative audio engine licensing service;c:\program files\common files\creative labs shared\service\ctaelicensing.exe [2010-02-26 79360]
r3 ctaudfx;ctaudfx;c:\windows\system32\drivers\ctaudfx.sys [2009-06-23 555032]
r3 cterfxfx.sys;cterfxfx.sys;c:\windows\system32\drivers\cterfxfx.sys [2009-06-23 100888]
r3 cterfxfx;cterfxfx;c:\windows\system32\drivers\cterfxfx.sys [2009-06-23 100888]
r3 ctsblfx;ctsblfx;c:\windows\system32\drivers\ctsblfx.sys [2009-06-23 566296]
s1 naiavtdi1;naiavtdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-01-18 59904]
s2 btwsvc;btwsvc;c:\windows\system32\svchost.exe [2008-04-15 38912]
s2 peresvc;peresvc service;c:\windows\system32\peresvc.exe [2008-04-15 68608]
s3 commonfx.sys;commonfx.sys;c:\windows\system32\drivers\commonfx.sys [2009-06-23 99352]
s3 ctaudfx.sys;ctaudfx.sys;c:\windows\system32\drivers\ctaudfx.sys [2009-06-23 555032]
s3 ctgame;game port;c:\windows\system32\drivers\ctgame.sys [2009-06-23 18840]
s3 ctsblfx.sys;ctsblfx.sys;c:\windows\system32\drivers\ctsblfx.sys [2009-06-23 566296]
--- andere services/drivers in geheugen ---
*newlycreated* - btwsvc
*newlycreated* - peresvc
*deregistered* - jeorkj
.
inhoud van de 'gedeelde taken' map
2010-04-06 c:\windows\tasks\glaryinitialize.job
- c:\program files\glary utilities\initialize.exe [2010-02-22 12:03]
2010-04-06 c:\windows\tasks\ogalogon.job
- c:\windows\system32\ogaexec.exe [2009-08-03 14:07]
.
.
------- bijkomende scan -------
.
ustart page = hxxp://tweakers.net/
ie: e&xporteren naar microsoft excel - c:\progra~1\micros~2\office12\excel.exe/3000
dpf: {1fec8b6f-250a-4293-b12c-67a7ef0b758a} - hxxp://www.kerkomroep.nl/ocx/siknplayer.cab
.
- - - - orphans verwijderd - - - -
ssodl-gootkitsso-{7b35ad2c-0e4f-4861-af4c-ed793f45b589} - c:\windows\system32\msxsltsso.dll
addremove-nemeth designs md helicopters md902 explorer for fsx - g:\fsx\uninstall.exe
**************************************************************************
catchme 0.3.1398 w2k/xp/vista - rootkit/stealth malware detector by gmer, http://www.gmer.net
rootkit scan 2010-04-06 23:37
windows 5.1.2600 service pack 3 ntfs
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
c:\windows\system32\drivers\zpbwmexmbthw9.sys 81408 bytes executable
c:\windows\system32\drivers\zrokkdxlpg5.sys 81408 bytes executable
c:\windows\system32\w.exe 92672 bytes executable
c:\windows\system32\ms.bin 35840 bytes executable
c:\windows\system32\msuqddft.dll 36865 bytes executable
c:\windows\system32\so.bin 44032 bytes executable
c:\windows\system32\4201,166.exe 167554 bytes executable
c:\windows\system32\3467.exe 61440 bytes executable
scan succesvol afgerond
verborgen bestanden: 8
**************************************************************************
stealth mbr rootkit/mebroot/sinowal detector 0.3.7 by gmer, http://www.gmer.net
device: opened successfully
user: mbr read successfully
called modules: ntoskrnl.exe >>unknown [0x8a515580]<<
kernel: mbr read successfully
detected mbr rootkit hooks:
\driver\disk -> classpnp.sys @ 0xf765bf28
\driver\acpi -> acpi.sys @ 0xf75adcb8
\driver\atapi -> atapi.sys @ 0xba672852
iodeviceobjecttype -> deleteprocedure -> ntoskrnl.exe @ 0x805e66b6
parseprocedure -> ntoskrnl.exe @ 0x80580a6f
\device\harddisk0\dr0 -> deleteprocedure -> ntoskrnl.exe @ 0x805e66b6
parseprocedure -> ntoskrnl.exe @ 0x80580a6f
ndis: marvell yukon gigabit ethernet 10/100/1000base-t adapter, coppe -> sendcompletehandler -> ndis.sys @ 0x8a4fcbb0
packetindicatehandler -> ndis.sys @ 0x8a509a21
sendhandler -> ndis.sys @ 0x8a4e787b
user & kernel mbr ok
**************************************************************************
[hkey_local_machine\system\controlset001\services\zpbwmexmbthw9]
"imagepath"="system32\drivers\zpbwmexmbthw9.sys"
[hkey_local_machine\system\controlset001\services\zrokkdxlpg5]
"imagepath"="system32\drivers\zrokkdxlpg5.sys"
[hkey_local_machine\system\controlset001\services\jeorkj]
.
--------------------- vergrendelde register sleutels ---------------------
[hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\localsystem\components\}|}|9~*]
"3140110900063d11c8ef10054038389c"="c?\\windows\\system32\\fm20enu.dll"
.
--------------------- dlls geladen onder lopende processen ---------------------
- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\ati2evxx.dll
c:\windows\system32\atiadlxx.dll
- - - - - - - > 'explorer.exe'(5940)
c:\windows\system32\msuqddft.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ andere aktieve processen ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\creative\shared files\ctaudsvc.exe
c:\program files\common files\acronis\schedule2\schedul2.exe
c:\windows\system32\ctsvccda.exe
c:\program files\java\jre6\bin\jqs.exe
c:\program files\network associates\common framework\frameworkservice.exe
c:\windows\system32\grouppolicy\user\scripts\logon\winlogo.exe
c:\program files\network associates\virusscan\vstskmgr.exe
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
c:\program files\raxco\perfectdisk10\pdagent.exe
c:\program files\network associates\common framework\naprdmgr.exe
c:\windows\system32\mspmspsv.exe
c:\program files\microsoft office\office12\onenotem.exe
c:\windows\temp\vrt2.tmp
c:\windows\system32\w.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\3467.exe
.
**************************************************************************
.
voltooingstijd: 2010-04-06 23:44:19 - machine werd herstart
combofix-quarantined-files.txt 2010-04-06 21:44
pre-run: 30.817.796.096 bytes beschikbaar
post-run: 30.681.292.800 bytes beschikbaar
windowsxp-kb310994-sp2-home-bootdisk-nld.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
c:\cmdcons\bootsect.dat="microsoft windows recovery console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\windows="microsoft windows xp professional" /noexecute=optin /fastdetect
- - end of file - - 219efe7cb0b7473470144e416f36c058

[/hjt]



And now the HijackThis log

[hjt]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47:26, on 6-4-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
c:\windows\system32\smss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\spoolsv.exe
c:\program files\creative\shared files\ctaudsvc.exe
c:\program files\common files\acronis\schedule2\schedul2.exe
c:\windows\system32\ctsvccda.exe
c:\program files\java\jre6\bin\jqs.exe
c:\windows\system32\cmd.exe
c:\program files\network associates\common framework\frameworkservice.exe
c:\windows\system32\grouppolicy\user\scripts\logon\winlogo.exe
c:\program files\network associates\virusscan\vstskmgr.exe
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
c:\program files\raxco\perfectdisk10\pdagent.exe
c:\windows\system32\mspmspsv.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\microsoft office\office12\onenotem.exe
c:\windows\temp\vrt2.tmp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\w.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\peresvc.exe
c:\windows\system32\svchost.exe
c:\windows\temp\s0q6.exe
c:\windows\explorer.exe
c:\windows\system32\3467.exe
c:\program files\trend micro\hijackthis\hijackthis.exe

r0 - hkcu\software\microsoft\internet explorer\main,start page = [noparse]http://tweakers.net/[/noparse]
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = [noparse]http://go.microsoft.com/fwlink/?linkid=69157[/noparse]
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = [noparse]http://go.microsoft.com/fwlink/?linkid=54896[/noparse]
r1 - hklm\software\microsoft\internet explorer\main,search page = [noparse]http://go.microsoft.com/fwlink/?linkid=54896[/noparse]
r0 - hklm\software\microsoft\internet explorer\main,start page = [noparse]http://go.microsoft.com/fwlink/?linkid=69157[/noparse]
r1 - hkcu\software\microsoft\internet connection wizard,shellnext = [noparse]http://go.microsoft.com/fwlink/?linkid=74005[/noparse]
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername = koppelingen
o2 - bho: acroiehelperstub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
o2 - bho: ipswitch.wsftpbrowserhelper - {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll
o2 - bho: java(tm) plug-in 2 ssv helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
o2 - bho: jqsiestartdetectorimpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
o4 - hklm\..\run: [syncman] c:\windows\system32\wuaucldt.exe
o4 - hklm\..\run: [uxvefl] rundll32.exe c:\windows\system32\mssapsmr.dll,w
o4 - hklm\..\run: [adobe_reader] c:\program files\internet explorer\wmpscfgs.exe
o4 - hklm\..\run: [fzwkht] rundll32.exe c:\windows\system32\msuqddft.dll,w
o4 - hkcu\..\run: [syncman] c:\documents and settings\peter\wuaucldt.exe
o4 - hkus\s-1-5-18\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'system')
o4 - hkus\s-1-5-18\..\run: [msnmsgr] c:\program files\windows live\messenger\msnmsgr.exe /background (user 'system')
o4 - hkus\s-1-5-18\..\run: [syncman] c:\documents and settings\peter\wuaucldt.exe (user 'system')
o4 - hkus\s-1-5-18\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'system')
o4 - hkus\.default\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'default user')
o4 - hkus\.default\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'default user')
o4 - startup: onenote 2007 schermopname en snel starten.lnk = c:\program files\microsoft office\office12\onenotem.exe
o8 - extra context menu item: e&xporteren naar microsoft excel - res://c:\progra~1\micros~2\office12\excel.exe/3000
o9 - extra button: verzenden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\micros~2\office12\onbttnie.dll
o9 - extra 'tools' menuitem: verz&enden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\micros~2\office12\onbttnie.dll
o9 - extra button: research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - c:\progra~1\micros~2\office12\refiebar.dll
o9 - extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\windows\network diagnostic\xpnetdiag.exe
o9 - extra 'tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\windows\network diagnostic\xpnetdiag.exe
o16 - dpf: {1fec8b6f-250a-4293-b12c-67a7ef0b758a} (sikn speler) - [noparse]http://www.kerkomroep.nl/ocx/siknplayer.cab[/noparse]
o16 - dpf: {f6acf75c-c32c-447b-9bef-46b766368d29} (creative software autoupdate support package) - [noparse]http://ccfiles.creative.com/web/softwareupdate/su2/ocx/15111/ctpid.cab[/noparse]
o23 - service: acronis scheduler2 service (acrsch2svc) - acronis - c:\program files\common files\acronis\schedule2\schedul2.exe
o23 - service: ati hotkey poller - ati technologies inc. - c:\windows\system32\ati2evxx.exe
o23 - service: creative audio engine licensing service - creative labs - c:\program files\common files\creative labs shared\service\ctaelicensing.exe
o23 - service: creative service for cdrom access - creative technology ltd - c:\windows\system32\ctsvccda.exe
o23 - service: creative audio service (ctaudsvcservice) - creative technology ltd - c:\program files\creative\shared files\ctaudsvc.exe
o23 - service: java quick starter (javaquickstarterservice) - sun microsystems, inc. - c:\program files\java\jre6\bin\jqs.exe
o23 - service: mcafee framework service (mcafeeframework) - mcafee, inc. - c:\program files\network associates\common framework\frameworkservice.exe
o23 - service: network associates task manager (mctaskmanager) - network associates, inc. - c:\program files\network associates\virusscan\vstskmgr.exe
o23 - service: nvidia display driver service (nvsvc) - nvidia corporation - c:\windows\system32\nvsvc32.exe
o23 - service: pdagent - raxco software, inc. - c:\program files\raxco\perfectdisk10\pdagent.exe
o23 - service: pdengine - raxco software, inc. - c:\program files\raxco\perfectdisk10\pdengine.exe
--
end of file - 6573 bytes

[/hjt]

and for later: good night,
until next time.
 

Abraham54

Administrator
Team member
Re: Security tool and ihaupd32.exe error

Hello Rijk, first of all the following:

Step 1
Go to Start\Control Panel\Add or Remove Programs and remove
- Windows Live Messenger.

Its files are corrupted, hence the uninstall; once the fix is finished, Live Messenger may be installed again!


Step 2
Open a new Notepad file (Start > All Programs > Accessories > Notepad),
and copy and paste the following (bold, blue text) into the empty window


File::
c:\windows\system32\d.bin
c:\windows\system32\msup1.exe
c:\windows\iun6002.exe
c:\windows\system32\msuqddft.dll
c:\windows\system32\4201,166.exe
c:\windows\system32\w.exe
c:\windows\system32\ms.bin
c:\windows\system32\so.bin
c:\windows\system32\4201,166.exe
c:\windows\system32\3467.exe

Folder::
c:\documents and settings\all users\application data\{74d08eb8-01d1-4bae-91e3-f30c1b031ac6}
c:\documents and settings\all users\application data\30593626
c:\documents and settings\peter\.commgr
c:\documents and settings\peter\23.tmp
c:\documents and settings\peter\22.tmp
c:\documents and settings\peter\1a.tmp
c:\windows\system32\config\systemprofile\application data\jvmoxh.dat
c:\documents and settings\peter\4a.tmp
c:\documents and settings\peter\49.tmp
c:\documents and settings\peter\48.tmp
c:\documents and settings\peter\47.tmp
c:\documents and settings\peter\46.tmp
c:\documents and settings\peter\45.tmp
c:\documents and settings\peter\3d.tmp

Driver::
zpbwmexmbthw9.sys
zrokkdxlpg5.sys

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\run]
"fzwkht"=c:\windows\system32\msuqddft.dll [2010-04-06 36865]
[hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run]
"vrna"=c:\windows\temp\s0q6.exe [2010-04-06 75264]
[hkey_local_machine\system\controlset001\services\zpbwmexmbthw9]
"imagepath"="system32\drivers\zpbwmexmbthw9.sys"
[hkey_local_machine\system\controlset001\services\zrokkdxlpg5]
"imagepath"="system32\drivers\zrokkdxlpg5.sys"



Go to File - Save As.
  • Under Save in, choose: Desktop
  • Under File name, enter: CFScript.txt
  • Under Save as type, select: All Files (*.*)
  • Then click the Save button


Now disable the antivirus first!


Drag CFScript.txt onto ComboFix.exe




This will make ComboFix restart. Reboot if you are asked to.


Post the ComboFix log that is shown after the reboot!
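The script above was assembled by hand from the HijackThis log posted earlier in this thread: executables running from c:\windows\temp, digit-only or one-letter file names in system32, rundll32 entries whose export is a single letter, and the same "syncman" run entry registered in two hives pointing at two different files. As an added example (not part of this thread, and not a HijackThis or ComboFix component), the Python script below applies those same observations as rules to a constructed sample of log lines modelled on that log, and renders the hits as a draft File:: section in the layout the CFScript above uses. The rule wording, the function names and the sample are assumptions made for this example; the file paths in the sample are the ones that appear in the thread.

```python
"""Triage a HijackThis log with the heuristics visible in this thread.

Added example, not a HijackThis or ComboFix component. It reads the
"Running processes" list and the O4 autostart lines, applies a few rules
to each file path, and renders the flagged paths as a draft File::
section (the layout the CFScript in this thread uses). A person still
decides what goes into the real script; this only orders the evidence.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
c:\windows\system32\smss.exe
c:\windows\system32\svchost.exe
c:\windows\system32\grouppolicy\user\scripts\logon\winlogo.exe
c:\windows\temp\vrt2.tmp
c:\windows\system32\w.exe
c:\windows\temp\s0q6.exe
c:\windows\system32\3467.exe
c:\program files\trend micro\hijackthis\hijackthis.exe

o4 - hklm\..\run: [syncman] c:\windows\system32\wuaucldt.exe
o4 - hklm\..\run: [uxvefl] rundll32.exe c:\windows\system32\mssapsmr.dll,w
o4 - hklm\..\run: [fzwkht] rundll32.exe c:\windows\system32\msuqddft.dll,w
o4 - hkcu\..\run: [syncman] c:\documents and settings\peter\wuaucldt.exe
o4 - hkus\s-1-5-18\..\run: [ctfmon.exe] c:\windows\system32\ctfmon.exe (user 'system')
o4 - startup: onenote.lnk = c:\program files\microsoft office\office12\onenotem.exe
"""

# First drive-letter path on a line, up to a common executable extension.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|tmp|sys|pif)\b", re.IGNORECASE)
# HijackThis O4 line: "o4 - <hive>: [<entry name>] <command>"
O4_RE = re.compile(r"^o4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", re.IGNORECASE)
# rundll32 invocation with its entry point after the comma.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+.+\.dll,(?P<entry>\w+)\b", re.IGNORECASE)


def path_reasons(path):
    """Rules that look only at where a file lives and what it is called."""
    p = PureWindowsPath(path.lower())
    parent, name = str(p.parent), p.name
    reasons = []
    if parent == r"c:\windows\temp":
        reasons.append("image executes from the Windows temp directory")
    if r"grouppolicy\user\scripts" in parent:
        reasons.append("executable dropped in the Group Policy logon-script directory")
    if re.fullmatch(r"[0-9,]+\.[a-z]+", name) or re.fullmatch(r"[a-z]\.[a-z]+", name):
        reasons.append("meaningless file name (digits only or a single letter)")
    if re.fullmatch(r"c:\\documents and settings\\[^\\]+", parent):
        reasons.append("executable placed directly in a user profile root")
    return reasons


def triage(log):
    """Return {path: [reasons]} for every path at least one rule objects to."""
    findings = defaultdict(list)
    by_name = defaultdict(set)  # run-entry name -> set of target paths

    for line in log.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(0).lower()
        for reason in path_reasons(path):
            findings[path].append(reason)

        o4 = O4_RE.match(line.strip())
        if not o4:
            continue
        by_name[o4.group("name").lower()].add(path)
        rd = RUNDLL_RE.search(o4.group("cmd"))
        if rd and len(rd.group("entry")) == 1:
            findings[path].append(
                f"loaded via rundll32 with a one-letter entry point '{rd.group('entry')}'")

    # The same autostart name registered in several places with different targets.
    for name, targets in by_name.items():
        if len(targets) > 1:
            for target in targets:
                findings[target].append(
                    f"run entry '{name}' points at {len(targets)} different files")
    return dict(findings)


def draft_file_section(findings):
    """Render the flagged paths in the File:: layout used by the CFScript in this thread."""
    return "File::\n" + "\n".join(sorted(findings)) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for flagged, reasons in sorted(result.items()):
        print(flagged)
        for reason in reasons:
            print("   -", reason)
    print()
    print(draft_file_section(result))
```

The draft is a review aid, not a script to run as-is: the Folder::, Driver:: and Registry:: sections still have to come from a person reading the log, and a legitimate file that happens to match a name pattern would be listed too, so every line deserves a look before it goes into CFScript.txt.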
 

rclinden

Familiar face
Re: Security tool and ihaupd32.exe error

Good afternoon Abraham.

Yesterday I worked until midnight and only now have time for these chores again. Yesterday morning I did run MAM on the sick PC and there were 52 items to remove. I hope I haven't crossed your plans and approach with this. Perhaps I had better not done it. Sorry and my sincere apologies.

Continuing with your last recipe.
- Couldn't find Live Messenger. I think it has already been removed by MAM.
Ran ComboFix, and below is the report.

[hjt]
combofix 10-04-05.06 - r.c. van der linden 08-04-2010 11:17:47.2.2 - x86
gestart vanuit: c:\documents and settings\peter\bureaublad\combofix.exe
gebruikte opdracht switches :: c:\documents and settings\peter\bureaublad\cfscript.txt
file ::
c:\windows\iun6002.exe
c:\windows\system32\3467.exe
c:\windows\system32\4201,166.exe
c:\windows\system32\d.bin
c:\windows\system32\ms.bin
c:\windows\system32\msup1.exe
c:\windows\system32\msuqddft.dll
c:\windows\system32\so.bin
c:\windows\system32\w.exe
.
(((((((((((((((((((((((((((((((((( andere verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\all users\application data\{74d08eb8-01d1-4bae-91e3-f30c1b031ac6}
c:\documents and settings\peter\.commgr
c:\documents and settings\peter\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\peter\wuaucldt.exe
c:\windows\fonts\mlog
c:\windows\fonts\services.exe
c:\windows\install.txt
c:\windows\iun6002.exe
c:\windows\system32\2565,271.exe
c:\windows\system32\2887,827.exe
c:\windows\system32\3252,512.exe
c:\windows\system32\3424.exe
c:\windows\system32\4201,166.exe
c:\windows\system32\4652,963.exe
c:\windows\system32\4813,196.exe
c:\windows\system32\527,4147.exe
c:\windows\system32\5657,572.exe
c:\windows\system32\8088,19.exe
c:\windows\system32\8384,211.exe
c:\windows\system32\9253,962.exe
c:\windows\system32\9811,044.exe
c:\windows\system32\btwsvc.dll
c:\windows\system32\d.bin
c:\windows\system32\finstall.sys
c:\windows\system32\install.txt
c:\windows\system32\ms.bin
c:\windows\system32\msup1.exe
c:\windows\system32\msuqddft.dll
c:\windows\system32\msxsltsso.dll
c:\windows\system32\opear.exe
c:\windows\system32\peresvc.exe
c:\windows\system32\powerdes.exe
c:\windows\system32\so.bin
c:\windows\system32\w.exe
c:\windows\system32\wuaucldt.exe
c:\windows\system32\xinput1_2.dll
c:\windows\temp\mta13187.dll
besmet exemplaar van c:\windows\system32\userinit.exe werd aangetroffen en gedesinfecteerd
hersteld exemplaar van - c:\windows\system32\dllcache\userinit.exe
besmet exemplaar van c:\windows\system32\svchost.exe werd aangetroffen en gedesinfecteerd
hersteld exemplaar van - c:\windows\system32\dllcache\svchost.exe
besmet exemplaar van c:\windows\system32\spoolsv.exe werd aangetroffen en gedesinfecteerd
hersteld exemplaar van - c:\windows\system32\dllcache\spoolsv.exe
besmet exemplaar van c:\windows\explorer.exe werd aangetroffen en gedesinfecteerd
hersteld exemplaar van - c:\windows\system32\dllcache\explorer.exe
c:\windows\system32\drivers\ndis.sys . . . is geïnfecteerd!!
.
((((((((((((((((((((((((((((((((((((((( drivers/services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\legacy_btwsvc
-------\service_btwsvc
-------\legacy_peresvc
-------\service_peresvc
(((((((((((((((((((( bestanden gemaakt van 2010-03-08 to 2010-04-08 ))))))))))))))))))))))))))))))
.
2010-04-07 10:15 . 2010-04-07 10:15 -------- d-----w- c:\windows\5f022479b3944e6a98238dc4176db4ef.tmp
2010-04-07 09:43 . 2010-04-07 09:43 -------- d-----w- c:\documents and settings\peter\application data\malwarebytes
2010-04-07 09:43 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 09:43 . 2010-04-07 10:02 -------- d-----w- c:\malwarebytes' anti-malware
2010-04-07 09:43 . 2010-04-07 09:43 -------- d-----w- c:\documents and settings\all users\application data\malwarebytes
2010-04-07 09:43 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-06 21:08 . 2010-04-06 21:01 3908251 ----a-w- c:\combofix.exe
2010-04-06 17:11 . 2010-04-06 16:39 5918776 ----a-w- c:\mbam-setup.exe
2010-04-06 17:03 . 2010-04-06 17:03 -------- d-----w- c:\documents and settings\networkservice\local settings\application data\adobe
2010-04-06 16:41 . 2010-04-06 16:41 -------- d-----w- c:\program files\trend micro
2010-04-06 16:36 . 2010-04-06 16:28 812344 ----a-w- c:\hijackthisinstaller.exe
2010-04-06 15:37 . 2010-04-06 15:37 -------- d-----r- c:\documents and settings\networkservice\favorieten
2010-04-06 15:13 . 2010-04-06 15:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 15:06 . 2010-04-06 15:06 -------- d-----w- c:\documents and settings\administrator\application data\glarysoft
2010-04-06 15:05 . 2010-04-06 15:05 -------- d-----w- c:\documents and settings\administrator\application data\arcticline
2010-04-06 15:05 . 2010-04-06 15:05 -------- d-----w- c:\documents and settings\administrator\application data\ipswitch
2010-04-06 15:00 . 2010-04-06 15:00 -------- d-----w- c:\documents and settings\administrator\application data\office genuine advantage
2010-04-06 14:59 . 2010-04-06 14:59 -------- d-sh--w- c:\documents and settings\administrator\ietldcache
2010-04-06 14:36 . 2010-04-06 14:36 -------- d-----w- c:\windows\system32\grouppolicy
2010-04-06 14:09 . 2010-04-06 14:42 -------- d-----w- c:\windows\system32\config\systemprofile\tracing
2010-04-06 14:09 . 2010-04-06 14:09 -------- d-----r- c:\documents and settings\localservice\favorieten
2010-04-06 07:39 . 2010-04-06 07:39 -------- d-----w- c:\windows\system32\config\systemprofile\application data\ipswitch
2010-04-06 07:35 . 2010-04-06 07:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\privacie
2010-04-06 07:13 . 2010-04-06 07:13 -------- d-----w- c:\windows\sun
2010-04-01 12:03 . 2010-04-01 12:03 -------- d-----w- c:\windows\system32\wbem\repository
2010-03-30 08:51 . 2010-04-08 09:12 -------- d--h--r- c:\documents and settings\peter\onlangs geopend
2010-03-27 20:37 . 2010-03-27 20:47 -------- d-----w- c:\mijn videos
2010-03-27 17:16 . 2008-07-10 10:00 3851784 ----a-w- c:\windows\system32\d3dx9_39.dll
2010-03-27 17:14 . 2010-03-27 17:14 -------- d-----w- c:\windows\logs
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\uc.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\rar.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\pkzip.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\pkunzip.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\noclose.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\lha.pif
2010-03-27 14:52 . 2009-09-24 06:50 545 ----a-w- c:\windows\arj.pif
2010-03-24 18:27 . 2010-03-24 18:27 -------- d-----w- c:\documents and settings\all users\application data\raxco
2010-03-24 18:26 . 2010-03-24 18:26 -------- d-----w- c:\program files\raxco
2010-03-24 13:50 . 2010-03-24 13:50 -------- d-----w- c:\windows\system32\ageia
2010-03-24 13:50 . 2010-03-24 13:50 -------- d-----w- c:\program files\ageia technologies
2010-03-24 13:50 . 2010-03-24 13:50 -------- d-----w- c:\program files\common files\wise installation wizard
2010-03-19 20:26 . 2010-03-19 20:26 -------- d-----w- c:\documents and settings\all users\application data\digital aviation
2010-03-19 16:10 . 2010-03-19 16:10 15086 ----a-r- c:\documents and settings\peter\application data\microsoft\installer\{fb56079b-7d0c-4d1d-864a-09ba159cc31b}\arpproducticon.exe
2010-03-19 16:10 . 2010-03-19 16:10 -------- d-----w- c:\documents and settings\peter\application data\hifi
2010-03-19 16:09 . 2010-03-19 16:09 -------- d-----w- c:\windows\downloaded installations
2010-03-15 19:56 . 2010-03-15 19:56 -------- d-----w- c:\documents and settings\peter\local settings\application data\ghisler
2010-03-15 18:56 . 2010-03-15 18:56 -------- d-----w- c:\documents and settings\peter\local settings\application data\karen's power tools
2010-03-15 18:56 . 2010-03-15 18:56 -------- d-----w- c:\documents and settings\all users\application data\karen's power tools
2010-03-14 13:45 . 2010-04-02 10:37 -------- d-----w- c:\documents and settings\peter\local settings\application data\deployment
2010-03-13 16:36 . 2010-03-24 18:53 -------- d-----w- c:\documents and settings\peter\application data\dvdcss
2010-03-12 21:56 . 2010-04-04 18:26 -------- d-----w- c:\documents and settings\peter\application data\vlc
2010-03-12 17:12 . 2002-07-26 15:02 26000 ----a-w- c:\windows\system32\ctl3d.dll
2010-03-12 17:12 . 1998-07-05 22:00 14336 ----a-w- c:\windows\system32\mscomde.dll
2010-03-12 17:12 . 1998-05-04 22:00 24576 ----a-w- c:\windows\system32\cmct2de.dll
2010-03-09 16:44 . 2010-03-09 17:05 -------- d-----w- c:\documents and settings\peter\local settings\application data\mirillis
.
((((((((((((((((((((((((((((((((((((((( find3m rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 21:26 . 2008-04-15 12:00 580096 ------w- c:\windows\system32\user32.dll
2010-04-06 14:28 . 2008-12-21 00:14 155648 ----a-w- c:\windows\system32\wscript.exe
2010-04-06 14:28 . 2009-08-27 13:06 107008 ----a-w- c:\windows\system32\tlntsess.exe
2010-04-06 14:28 . 2009-06-15 11:14 104448 ----a-w- c:\windows\system32\telnet.exe
2010-04-06 14:27 . 2009-08-27 13:06 59904 ----a-w- c:\windows\system32\sc.exe
2010-04-06 14:27 . 2008-04-15 12:00 58368 ----a-w- c:\windows\system32\rundll32.exe
2010-04-06 14:26 . 2002-12-31 12:00 184320 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-06 14:26 . 2009-09-19 20:31 370176 ----a-w- c:\windows\system32\mspaint.exe
2010-04-06 14:26 . 2008-04-15 12:00 103424 ----a-w- c:\windows\system32\msiexec.exe
2010-04-06 14:25 . 2008-04-15 12:00 539648 ----a-w- c:\windows\system32\logonui.exe
2010-04-06 14:25 . 2008-12-21 00:07 100864 ----a-w- c:\windows\system32\logagent.exe
2010-04-06 14:25 . 2008-04-15 12:00 175104 ----a-w- c:\windows\system32\imapi.exe
2010-04-06 14:24 . 2008-12-21 00:14 135168 ----a-w- c:\windows\system32\cscript.exe
2010-04-06 14:24 . 2008-04-15 12:00 424448 ----a-w- c:\windows\system32\cmd.exe
2010-04-06 14:24 . 2010-03-05 16:27 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-06 14:21 . 2000-06-26 06:44 77824 ----a-w- c:\windows\system32\mspmspsv.exe
2010-04-06 14:20 . 2010-02-24 12:12 68608 ----a-w- c:\windows\system32\ctsvccda.exe
2010-04-06 14:08 . 2010-04-06 14:08 28515 ----a-w- c:\documents and settings\peter\23.tmp
2010-04-06 14:08 . 2010-04-06 14:08 168 ----a-w- c:\documents and settings\peter\1a.tmp
2010-04-06 14:07 . 2010-04-06 14:07 12 ----a-w- c:\windows\system32\config\systemprofile\application data\jvmoxh.dat
2010-04-06 07:47 . 2010-04-06 07:47 70144 ----a-w- c:\documents and settings\peter\47.tmp
2010-04-06 07:47 . 2010-04-06 07:47 208 ----a-w- c:\documents and settings\peter\45.tmp
2010-04-06 07:46 . 2010-04-06 07:46 70144 ----a-w- c:\documents and settings\peter\3a.tmp
2010-04-06 07:46 . 2010-04-06 07:46 208 ----a-w- c:\documents and settings\peter\38.tmp
2010-04-06 07:45 . 2010-04-06 07:45 70144 ----a-w- c:\documents and settings\peter\2c.tmp
2010-04-06 07:45 . 2010-04-06 07:45 208 ----a-w- c:\documents and settings\peter\2a.tmp
2010-04-06 07:45 . 2010-04-06 07:45 70144 ----a-w- c:\documents and settings\peter\18.tmp
2010-04-06 07:45 . 2010-04-06 07:45 208 ----a-w- c:\documents and settings\peter\16.tmp
2010-04-06 07:38 . 2010-04-06 07:38 0 ----a-w- c:\documents and settings\peter\2d.tmp
2010-04-06 07:38 . 2010-04-06 07:38 70144 ----a-w- c:\documents and settings\peter\1b.tmp
2010-04-06 07:38 . 2010-04-06 07:38 208 ----a-w- c:\documents and settings\peter\19.tmp
2010-04-06 07:37 . 2010-04-06 07:37 208 ----a-w- c:\documents and settings\peter\a.tmp
2010-04-06 07:34 . 2010-04-06 07:34 0 ----a-w- c:\documents and settings\peter\9.tmp
2010-04-06 07:20 . 2010-04-06 07:20 0 ----a-w- c:\documents and settings\peter\33.tmp
2010-04-06 07:20 . 2008-04-15 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-06 07:20 . 2010-04-06 07:20 12 ----a-w- c:\documents and settings\networkservice\application data\jvmoxh.dat
2010-04-05 16:17 . 2010-02-27 20:22 -------- d-----w- c:\documents and settings\peter\application data\utorrent
2010-03-28 09:21 . 2008-04-15 12:00 92112 ----a-w- c:\windows\system32\perfc013.dat
2010-03-28 09:21 . 2008-04-15 12:00 513150 ----a-w- c:\windows\system32\perfh013.dat
2010-03-27 19:14 . 2009-09-20 12:22 -------- d--h--w- c:\program files\installshield installation information
2010-03-25 15:01 . 2010-02-22 19:47 -------- d-----w- c:\program files\glary utilities
2010-03-23 11:51 . 2010-03-03 21:41 -------- d-----w- c:\documents and settings\peter\application data\belastingdienst
2010-03-17 18:57 . 2009-09-20 13:05 69280 ----a-w- c:\documents and settings\peter\local settings\application data\gdipfontcachev1.dat
2010-03-10 11:00 . 2010-03-05 16:01 -------- d-----w- c:\documents and settings\all users\application data\microsoft help
2010-03-09 19:42 . 2010-02-24 15:36 -------- d-----w- c:\documents and settings\all users\application data\lavasoft
2010-03-05 18:32 . 2010-03-05 18:32 -------- d-----w- c:\documents and settings\all users\application data\office genuine advantage
2010-03-05 18:32 . 2010-03-05 18:32 -------- d-----w- c:\documents and settings\peter\application data\office genuine advantage
2010-03-05 16:33 . 2009-09-19 20:44 -------- d-----w- c:\program files\microsoft works
2010-03-04 14:18 . 2010-03-04 14:18 -------- d-----w- c:\documents and settings\peter\application data\convivea
2010-03-04 13:14 . 2010-03-04 13:14 128 ----a-w- c:\documents and settings\peter\local settings\application data\fusioncache.dat
2010-03-02 21:45 . 2010-03-02 21:45 -------- d-----w- c:\documents and settings\peter\application data\installshield
2010-03-02 19:47 . 2010-03-02 19:47 -------- d-----w- c:\program files\common files\logitech
2010-03-02 19:47 . 2010-03-02 19:47 -------- d-----w- c:\program files\logitech
2010-02-28 14:10 . 2010-02-28 14:10 -------- d-----w- c:\documents and settings\peter\application data\teamspeak2
2010-02-27 20:16 . 2010-02-27 20:16 -------- d-----w- c:\documents and settings\peter\application data\arcticline
2010-02-26 20:59 . 2010-02-26 20:59 -------- d-----w- c:\program files\common files\creative labs shared
2010-02-26 20:58 . 2010-02-24 12:01 -------- d-----w- c:\program files\creative
2010-02-26 20:57 . 2010-02-26 20:49 288 ----a-w- c:\windows\system32\dvcstatebkp-{00000002-00000000-0000000b-00001102-00000004-10021102}.dat
2010-02-26 20:57 . 2010-02-26 20:49 288 ----a-w- c:\windows\system32\dvcstate-{00000002-00000000-0000000b-00001102-00000004-10021102}.dat
2010-02-26 20:57 . 2010-02-24 12:02 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-26 20:57 . 2010-02-24 12:02 109080 ----a-w- c:\windows\system32\openal32.dll
2010-02-26 18:55 . 2010-02-26 18:48 288 ----a-w- c:\windows\system32\dvcstatebkp-{00000002-00000000-0000000b-00001102-00000004-10001102}.dat
2010-02-26 16:09 . 2010-02-26 16:09 90 --sh--w- c:\windows\cnerolf.dat
2010-02-25 06:20 . 2009-06-29 16:15 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 15:55 . 2010-02-24 15:55 95024 ----a-w- c:\windows\system32\drivers\sbredrv.sys
2010-02-24 15:02 . 2010-02-26 15:31 97364760 ----a-w- c:\ad-awareinstaller.exe
2010-02-24 12:17 . 2010-02-24 12:02 -------- d-----w- c:\documents and settings\peter\application data\creative
2010-02-24 12:13 . 2010-02-24 12:11 -------- d--h--w- c:\program files\creative installation information
2010-02-24 12:11 . 2010-02-24 12:11 -------- d-----w- c:\program files\common files\creative
2010-02-24 12:11 . 2010-02-24 12:10 6390815 ----a-w- c:\documents and settings\all users\application data\creative\software update\cache\creative soundfont bank manager web update ver 1.00.21__\sfbm_web_030909.exe
2010-02-24 12:10 . 2010-02-24 12:09 12907880 ----a-w- c:\documents and settings\all users\application data\creative\software update\cache\creative wavestudio 7.12.00__\wavestd_pcapp_lb_7_12_00.exe
2010-02-24 12:09 . 2010-02-24 12:07 37634288 ----a-w- c:\documents and settings\all users\application data\creative\software update\cache\creative mediasource 5 player_organizer 5.26.02__\cms5_pcapp_lb_5_26_02.exe
2010-02-24 12:05 . 2010-02-24 12:05 -------- d-----w- c:\documents and settings\all users\application data\creative
2010-02-23 15:58 . 2010-02-23 15:58 1392304 ----a-w- c:\windows\system32\autopartnt.exe
2010-02-23 15:51 . 2009-09-19 21:11 -------- d-----w- c:\program files\common files\acronis
2010-02-23 13:38 . 2010-02-23 13:38 -------- d-----w- c:\documents and settings\all users\application data\ati
2010-02-23 13:38 . 2010-02-23 13:38 -------- d-----w- c:\documents and settings\peter\application data\ati
2010-02-23 13:35 . 2010-02-23 13:34 -------- d-----w- c:\program files\ati technologies
2010-02-23 13:35 . 2010-02-23 13:35 0 ----a-w- c:\windows\ativpsrm.bin
2010-02-23 13:34 . 2010-02-23 13:34 10134 ----a-r- c:\documents and settings\peter\application data\microsoft\installer\{d679b939-2ff1-58de-40e0-4876f5c482a5}\arpproducticon.exe
2010-02-23 13:34 . 2010-02-23 13:34 -------- d-----w- c:\program files\ati
2010-02-23 11:25 . 2010-02-23 11:25 4096 ----a-w- c:\windows\d3dx.dat
2010-02-23 10:57 . 2009-09-19 20:35 86327 ----a-w- c:\windows\pchealth\helpctr\offlinecache\index.dat
2010-02-22 22:13 . 2009-09-19 20:50 -------- d-----w- c:\program files\common files\adobe
2010-02-22 21:52 . 2010-02-22 21:52 60416 ----a-w- c:\windows\alcfdrtm.exe
2010-02-22 19:49 . 2010-02-22 19:49 -------- d-----w- c:\documents and settings\peter\application data\glarysoft
2010-02-14 11:30 . 2010-02-14 11:30 -------- d-----w- c:\program files\marvell
2010-02-14 11:30 . 2009-09-19 21:31 -------- d-----w- c:\program files\common files\installshield
2010-02-14 11:28 . 2010-02-14 11:28 -------- d-----w- c:\program files\avrack
2010-02-14 11:28 . 2010-02-14 11:28 -------- d-----w- c:\program files\intel
2010-02-12 19:26 . 2010-02-12 19:26 -------- d-----w- c:\documents and settings\all users\application data\uab
2010-02-12 19:26 . 2010-02-12 19:26 -------- d-----w- c:\documents and settings\all users\application data\driver whiz
2010-02-12 19:24 . 2010-02-12 19:24 -------- d-----w- c:\program files\driver whiz
2010-02-04 09:01 . 2010-03-27 17:17 74072 ----a-w- c:\windows\system32\xapofx1_4.dll
2010-02-04 09:01 . 2010-03-27 17:17 528216 ----a-w- c:\windows\system32\xaudio2_6.dll
2010-02-04 09:01 . 2010-03-27 17:17 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 09:01 . 2010-03-27 17:17 22360 ----a-w- c:\windows\system32\x3daudio1_7.dll
2010-02-03 04:52 . 2010-02-23 13:34 4605952 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-02-03 04:12 . 2010-02-23 13:34 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-02-03 04:12 . 2010-02-23 13:34 45056 ----a-w- c:\windows\system32\aticalcl.dll
.
c:\program files\windows live\messenger\msnmsgr .exe
------- sigcheck -------
[-] 2010-04-06 . 1df7f42665c94b825322fae71721130d . 212480 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-04-06 . 1df7f42665c94b825322fae71721130d . 212480 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-15 . c3d955b7a13e8add6fd83002fcb7e8dd . 82432 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[7] 2008-04-15 . db454135de1a09fe7feda7b554b5cca2 . 57856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\spoolsv.exe
[-] 2008-04-15 . b49a145665b5d5a383ddcb4892e53a81 . 38912 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2008-04-15 . e410ec73e2be2a41d923b006f51c8427 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\svchost.exe
[-] 2008-04-15 . 3c0a5b0eb4e14b69d83e9079c379a404 . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[7] 2008-04-15 . 6818a533ed3b2fa9936df3daf45352df . 26112 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\userinit.exe
[-] 2008-04-15 . cf32276155b99f105a2d0f771575a474 . 1061888 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-15 . aa04f042a820bf1868e643575887e1a6 . 1037312 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
[-] 2009-09-12 . 497bef5c5fad126ca16437c1682f64ea . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[7] 2008-04-15 . e98a8c802cdb31fcf4121d9dfbea3677 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
c:\windows\system32\ctfmon.exe ... is niet aanwezig !!
.
((((((((((((((((((((((((((((( snapshot@2010-04-06_21.37.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-08 09:34 . 2010-04-08 09:34 16384 c:\windows\temp\perflib_perfdata_1d4.dat
- 2010-04-06 19:32 . 2010-04-06 21:36 32768 c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
+ 2010-04-06 19:32 . 2010-04-08 09:34 32768 c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
+ 2009-09-19 20:42 . 2010-04-08 09:34 32768 c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\index.dat
- 2009-09-19 20:42 . 2010-04-06 21:36 32768 c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\index.dat
+ 2009-09-19 20:42 . 2010-04-08 09:34 32768 c:\windows\system32\config\systemprofile\cookies\index.dat
- 2009-09-19 20:42 . 2010-04-06 21:36 32768 c:\windows\system32\config\systemprofile\cookies\index.dat
+ 2010-04-07 10:15 . 2010-04-07 10:15 61457 c:\windows\5f022479b3944e6a98238dc4176db4ef.tmp\wisecustomcalla.dll
.
((((((((((((((((((((((((((((((((((((( reg opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
regedit4
[hkey_local_machine\software\microsoft\windows\currentversion\run]
"uxvefl"=c:\windows\system32\mssapsmr.dll [n/a]
"fzwkht"=c:\windows\system32\msuqddft.dll [n/a]
"syncman"=c:\windows\system32\wuaucldt.exe [n/a]
[hkey_users\.default\software\microsoft\windows\currentversion\run]
"syncman"=c:\documents and settings\peter\wuaucldt.exe [n/a]
[hkey_users\.default\software\microsoft\windows\currentversion\runonce]
"showdeskfix"="shell32" [x]
[hkey_local_machine\system\currentcontrolset\control\session manager]
bootexecute reg_multi_sz pdboot.exe\0autocheck autochk *
[hkey_local_machine\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-1644491937-790525478-1177238915-1005\scripts\logon\0\0]
"script"=autorun.bat
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\acronis scheduler2 service]
2009-01-20 21:34 377232 ----a-w- c:\program files\common files\acronis\schedule2\schedhlp.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\acronistimountermonitor]
2009-01-20 21:45 960536 ----a-w- c:\program files\acronis\trueimagehome\timountermonitor.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\adobe reader speed launcher]
2009-12-22 00:57 35760 ----a-w- c:\program files\adobe\reader 9.0\reader\reader_sl.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
c:\windows\system32\ctfmon.exe [n/a]
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\nerocheck.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched]
2009-09-19 21:10 149280 ----a-w- c:\program files\java\jre6\bin\jusched.exe
[hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\trueimagemonitor.exe]
2009-01-20 21:06 4359280 ----a-w- c:\program files\acronis\trueimagehome\trueimagemonitor.exe
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
%windir%\\network diagnostic\\xpnetdiag.exe=
%windir%\\system32\\sessmgr.exe=
c:\\program files\\network associates\\common framework\\frameworkservice.exe=
c:\\program files\\ipswitch\\ws_ftp pro\\wsftpgui.exe=
f:\\flight simulator 9\\fs9.exe=
c:\\windows\\system32\\dpnsvr.exe=
c:\\vliegsoft\\fsfdt\\fwinn\\fwinn.exe=
c:\\utorrent\\utorrent.exe=
c:\\program files\\microsoft office\\office12\\onenote.exe=
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"4899:tcp"= 4899:tcp:radmin
r0 jeorkj;jeorkj; [x]
r1 zpbwmexmbthw9;zpbwmexmbthw9.sys;c:\windows\system32\drivers\zpbwmexmbthw9.sys [x]
r1 zrokkdxlpg5;zrokkdxlpg5.sys;c:\windows\system32\drivers\zrokkdxlpg5.sys [x]
r3 commonfx;commonfx;c:\windows\system32\drivers\commonfx.sys [2009-06-23 99352]
r3 creative audio engine licensing service;creative audio engine licensing service;c:\program files\common files\creative labs shared\service\ctaelicensing.exe [2010-02-26 79360]
r3 ctaudfx;ctaudfx;c:\windows\system32\drivers\ctaudfx.sys [2009-06-23 555032]
r3 cterfxfx.sys;cterfxfx.sys;c:\windows\system32\drivers\cterfxfx.sys [2009-06-23 100888]
r3 cterfxfx;cterfxfx;c:\windows\system32\drivers\cterfxfx.sys [2009-06-23 100888]
r3 ctsblfx;ctsblfx;c:\windows\system32\drivers\ctsblfx.sys [2009-06-23 566296]
s1 naiavtdi1;naiavtdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-01-18 59904]
s3 commonfx.sys;commonfx.sys;c:\windows\system32\drivers\commonfx.sys [2009-06-23 99352]
s3 ctaudfx.sys;ctaudfx.sys;c:\windows\system32\drivers\ctaudfx.sys [2009-06-23 555032]
s3 ctgame;game port;c:\windows\system32\drivers\ctgame.sys [2009-06-23 18840]
s3 ctsblfx.sys;ctsblfx.sys;c:\windows\system32\drivers\ctsblfx.sys [2009-06-23 566296]
.
contents of the 'scheduled tasks' folder
2010-04-08 c:\windows\tasks\glaryinitialize.job
- c:\program files\glary utilities\initialize.exe [2010-02-22 12:03]
2010-04-08 c:\windows\tasks\ogalogon.job
- c:\windows\system32\ogaexec.exe [2009-08-03 14:07]
.
.
------- supplementary scan -------
.
ustart page = hxxp://tweakers.net/
ie: e&xporteren naar microsoft excel - c:\progra~1\micros~2\office12\excel.exe/3000
dpf: {1fec8b6f-250a-4293-b12c-67a7ef0b758a} - hxxp://www.kerkomroep.nl/ocx/siknplayer.cab
.
- - - - orphans removed - - - -
ssodl-gootkitsso-{073f8489-bcd3-413c-8841-4d3affd5c523} - c:\windows\system32\msxsltsso.dll
addremove-tsimlpfrx9 - c:\windows\iun6002.exe
**************************************************************************
catchme 0.3.1398 w2k/xp/vista - rootkit/stealth malware detector by gmer, http://www.gmer.net
rootkit scan 2010-04-08 11:35
windows 5.1.2600 service pack 3 ntfs
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
stealth mbr rootkit/mebroot/sinowal detector 0.3.7 by gmer, http://www.gmer.net
device: opened successfully
user: mbr read successfully
called modules: ntoskrnl.exe >>unknown [0x8a516580]<<
kernel: mbr read successfully
detected mbr rootkit hooks:
\driver\disk -> classpnp.sys @ 0xf765bf28
\driver\acpi -> acpi.sys @ 0xf75adcb8
\driver\atapi -> atapi.sys @ 0xf749f852
iodeviceobjecttype -> deleteprocedure -> ntoskrnl.exe @ 0x805e66b6
parseprocedure -> ntoskrnl.exe @ 0x80580a6f
\device\harddisk0\dr0 -> deleteprocedure -> ntoskrnl.exe @ 0x805e66b6
parseprocedure -> ntoskrnl.exe @ 0x80580a6f
ndis: marvell yukon gigabit ethernet 10/100/1000base-t adapter, coppe -> sendcompletehandler -> ndis.sys @ 0x8a4fdbb0
packetindicatehandler -> ndis.sys @ 0x8a4eca0d
sendhandler -> ndis.sys @ 0x8a500b40
user & kernel mbr ok
**************************************************************************
.
--------------------- locked registry keys ---------------------
[hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\localsystem\components\€–}|•}|•9~*]
"3140110900063d11c8ef10054038389c"="c?\\windows\\system32\\fm20enu.dll"
.
--------------------- dlls loaded under running processes ---------------------
- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\ati2evxx.dll
c:\windows\system32\atiadlxx.dll
- - - - - - - > 'explorer.exe'(2380)
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ other running processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\creative\shared files\ctaudsvc.exe
c:\program files\common files\acronis\schedule2\schedul2.exe
c:\windows\system32\ctsvccda.exe
c:\program files\java\jre6\bin\jqs.exe
c:\program files\network associates\common framework\frameworkservice.exe
c:\program files\network associates\virusscan\vstskmgr.exe
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
c:\program files\network associates\common framework\naprdmgr.exe
c:\program files\raxco\perfectdisk10\pdagent.exe
c:\windows\system32\mspmspsv.exe
c:\program files\microsoft office\office12\onenotem.exe
.
**************************************************************************
.
completion time: 2010-04-08 12:02:25 - machine was rebooted
combofix-quarantined-files.txt 2010-04-08 10:02
combofix2.txt 2010-04-06 21:44
pre-run: 30.666.727.424 bytes free
post-run: 30.637.125.632 bytes free
- - end of file - - 102c9ec621840edccef7241b612031d0

[/hjt]


For convenience I also made a HijackThis log after the ComboFix run.

[hjt]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:24, on 8-4-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
c:\windows\system32\smss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\spoolsv.exe
c:\program files\creative\shared files\ctaudsvc.exe
c:\program files\common files\acronis\schedule2\schedul2.exe
c:\windows\system32\ctsvccda.exe
c:\program files\java\jre6\bin\jqs.exe
c:\program files\network associates\common framework\frameworkservice.exe
c:\program files\network associates\virusscan\vstskmgr.exe
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
c:\program files\raxco\perfectdisk10\pdagent.exe
c:\windows\system32\mspmspsv.exe
c:\program files\microsoft office\office12\onenotem.exe
c:\windows\explorer.exe
c:\windows\system32\notepad.exe
c:\program files\trend micro\hijackthis\hijackthis.exe

r0 - hkcu\software\microsoft\internet explorer\main,start page = http://tweakers.net/
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = http://go.microsoft.com/fwlink/?linkid=69157
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = http://go.microsoft.com/fwlink/?linkid=54896
r1 - hklm\software\microsoft\internet explorer\main,search page = http://go.microsoft.com/fwlink/?linkid=54896
r0 - hklm\software\microsoft\internet explorer\main,start page = http://go.microsoft.com/fwlink/?linkid=69157
r1 - hkcu\software\microsoft\internet connection wizard,shellnext = http://go.microsoft.com/fwlink/?linkid=74005
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername = koppelingen
o2 - bho: acroiehelperstub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
o2 - bho: ipswitch.wsftpbrowserhelper - {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll
o2 - bho: java(tm) plug-in 2 ssv helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
o2 - bho: jqsiestartdetectorimpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
o4 - hklm\..\run: [uxvefl] rundll32.exe c:\windows\system32\mssapsmr.dll,w
o4 - hklm\..\run: [fzwkht] rundll32.exe c:\windows\system32\msuqddft.dll,w
o4 - hklm\..\run: [syncman] c:\windows\system32\wuaucldt.exe
o4 - hkus\s-1-5-18\..\run: [syncman] c:\documents and settings\peter\wuaucldt.exe (user 'system')
o4 - hkus\s-1-5-18\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'system')
o4 - hkus\.default\..\run: [syncman] c:\documents and settings\peter\wuaucldt.exe (user 'default user')
o4 - hkus\.default\..\runonce: [showdeskfix] regsvr32 /s /n /i:u shell32 (user 'default user')
o4 - startup: onenote 2007 schermopname en snel starten.lnk = c:\program files\microsoft office\office12\onenotem.exe
o8 - extra context menu item: e&xporteren naar microsoft excel - res://c:\progra~1\micros~2\office12\excel.exe/3000
o9 - extra button: verzenden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\micros~2\office12\onbttnie.dll
o9 - extra 'tools' menuitem: verz&enden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\micros~2\office12\onbttnie.dll
o9 - extra button: research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - c:\progra~1\micros~2\office12\refiebar.dll
o9 - extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\windows\network diagnostic\xpnetdiag.exe
o9 - extra 'tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\windows\network diagnostic\xpnetdiag.exe
o16 - dpf: {1fec8b6f-250a-4293-b12c-67a7ef0b758a} (sikn speler) - http://www.kerkomroep.nl/ocx/siknplayer.cab
o16 - dpf: {f6acf75c-c32c-447b-9bef-46b766368d29} (creative software autoupdate support package) - http://ccfiles.creative.com/web/softwareupdate/su2/ocx/15111/ctpid.cab
o23 - service: acronis scheduler2 service (acrsch2svc) - acronis - c:\program files\common files\acronis\schedule2\schedul2.exe
o23 - service: ati hotkey poller - ati technologies inc. - c:\windows\system32\ati2evxx.exe
o23 - service: creative audio engine licensing service - creative labs - c:\program files\common files\creative labs shared\service\ctaelicensing.exe
o23 - service: creative service for cdrom access - creative technology ltd - c:\windows\system32\ctsvccda.exe
o23 - service: creative audio service (ctaudsvcservice) - creative technology ltd - c:\program files\creative\shared files\ctaudsvc.exe
o23 - service: java quick starter (javaquickstarterservice) - sun microsystems, inc. - c:\program files\java\jre6\bin\jqs.exe
o23 - service: mcafee framework service (mcafeeframework) - mcafee, inc. - c:\program files\network associates\common framework\frameworkservice.exe
o23 - service: network associates task manager (mctaskmanager) - network associates, inc. - c:\program files\network associates\virusscan\vstskmgr.exe
o23 - service: nvidia display driver service (nvsvc) - nvidia corporation - c:\windows\system32\nvsvc32.exe
o23 - service: pdagent - raxco software, inc. - c:\program files\raxco\perfectdisk10\pdagent.exe
o23 - service: pdengine - raxco software, inc. - c:\program files\raxco\perfectdisk10\pdengine.exe
--
end of file - 5588 bytes

[/hjt]

Good luck, doctor Abraham.
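The autostart (O4) and firewall-policy lines in the logs above are the ones a helper would look at first: rundll32 loading DLLs with random names and a one-letter export, an executable sitting directly in a user's profile root, a look-alike of a Windows binary (wuaucldt.exe next to the genuine wuauclt.exe), the Windows firewall switched off and a globally open Radmin port. The script below is an added example, not part of this post and not code from HijackThis or ComboFix: it runs those checks over a few lines copied from the logs. The list of genuine system binaries, the edit-distance threshold and the "export name of at most two characters" rule are assumptions chosen for this log, not a general detection standard.

```python
"""Triage helper for HijackThis O4 lines and ComboFix firewall-policy lines.

Added example, not part of the original post or of HijackThis / ComboFix.
The rules are heuristics tuned to the log above; KNOWN_SYSTEM_EXES is an
assumed, deliberately short list.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample input: six lines copied from the logs in this thread.
SAMPLE_LOG = r"""o4 - hklm\..\run: [uxvefl] rundll32.exe c:\windows\system32\mssapsmr.dll,w
o4 - hklm\..\run: [syncman] c:\windows\system32\wuaucldt.exe
o4 - hkus\s-1-5-18\..\run: [syncman] c:\documents and settings\peter\wuaucldt.exe (user 'system')
o4 - startup: onenote 2007 schermopname en snel starten.lnk = c:\program files\microsoft office\office12\onenotem.exe
"enablefirewall"= 0 (0x0)
"4899:tcp"= 4899:tcp:radmin"""

# Assumption: genuine Windows binaries that droppers like to imitate by name.
KNOWN_SYSTEM_EXES = ["wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                     "winlogon.exe", "services.exe", "spoolsv.exe", "ctfmon.exe"]

# "o4 - <hive>: [<entry name>] <command>" with an optional " (user '...')" suffix.
O4_RE = re.compile(
    r"^o4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(user '[^']*'\))?$", re.I)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+),(?P<export>\S+)", re.I)
# An .exe directly under the profile root, e.g. c:\documents and settings\peter\x.exe
PROFILE_ROOT_RE = re.compile(
    r"^[a-z]:\\(?:documents and settings|users)\\[^\\]+\\[^\\]+\.exe$", re.I)
FW_OFF_RE = re.compile(r'^"enablefirewall"=\s*0\b', re.I)
OPEN_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>tcp|udp)"=\s*\S*:(?P<desc>\S+)$', re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (used to spot look-alike file names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe_name: str) -> Optional[str]:
    """Genuine binary this name imitates (distance 1 or 2), or None for an exact or unrelated name."""
    name = exe_name.lower()
    if name in KNOWN_SYSTEM_EXES:
        return None
    best = min(KNOWN_SYSTEM_EXES, key=lambda k: levenshtein(name, k))
    return best if 1 <= levenshtein(name, best) <= 2 else None


def triage(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, detail) for every line that trips a rule."""
    findings: List[Tuple[int, str, str]] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if FW_OFF_RE.match(line):
            findings.append((no, "firewall-disabled", line))
            continue
        m = OPEN_PORT_RE.match(line)
        if m:
            findings.append((no, "globally-open-port", f"{m['port']}/{m['proto']} ({m['desc']})"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue  # other O4 forms (e.g. "startup:" .lnk entries) are not checked here
        cmd = m["cmd"].strip()
        r = RUNDLL_RE.match(cmd)
        if r and len(r["export"]) <= 2:
            # Legitimate rundll32 autostarts export descriptive names; a one-letter
            # export next to a random DLL name is the pattern seen in this log.
            findings.append((no, "rundll32-odd-export", f"{r['dll']} export '{r['export']}'"))
            continue
        if PROFILE_ROOT_RE.match(cmd):
            findings.append((no, "exe-in-profile-root", cmd))
        if cmd.lower().endswith(".exe"):
            twin = lookalike_of(cmd.rsplit("\\", 1)[-1])
            if twin:
                findings.append((no, "lookalike-system-exe", f"{cmd} resembles {twin}"))
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in triage(SAMPLE_LOG):
        print(f"line {line_no:>3}  {rule:<22} {detail}")
```

Running it on the sample flags the two rundll32/profile-root droppers, both wuaucldt.exe entries as look-alikes of wuauclt.exe, the disabled firewall and the 4899/tcp Radmin exception, and leaves the OneNote startup entry alone. The same function can be fed the whole HijackThis or ComboFix text; the benign lines simply produce no findings.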
 