Archive - System Restore no longer works + Firefox lags

The archive is a frozen moment from a previous version of this forum, with other rules and other bosses. These posts in no way reflect our current ideas, values or world views, and have been censored in some places for being unacceptable. Many were written in a different era, ironically or otherwise - as in the ironic Off-Topic subforum - and could not (and would not be allowed to) be posted today. Still, we are happy to offer this archive as an information database and reference work. Read more about it here or start a conversation with others.

MorGo7h

Legacy Member
My PC has suddenly become very slow at startup and in Firefox. Yesterday I installed Convert X to DVD but I don't know whether that's the cause. I also reconnected my DVD-RW. And now it's acting really weird :s
Sometimes my PC even hangs at startup :/

EDIT: is it just me, or are hijackthis.nl down, lavasoft.com down, the ATF Cleaner site ... It's as if I can no longer reach sites where I can download defensive programs? :s
EDIT2: With a proxy server set up in FF I can reach those sites... So I'm probably the victim of some kind of filth.
EDIT3: Updating Ad-Aware without the proxy doesn't work either. I've already done a quick scan with Ad-Aware and it already found something, including WIN32BACKDOOR.TDSS

Here's a log:
Logfile of HijackThis v1.99.1
Scan saved at 13:31:06, on 8/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
H:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
H:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Documents and Settings\JASPER11\Bureaublad\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.telenet.be:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - H:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [WinampAgent] "H:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKCU\..\Run: [IDMan] H:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Download with IDM - H:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - H:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
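The first thing a helper does with a log like the one above is scan it for the handful of line types that matter most: proxy settings (the poster can only reach security sites through a proxy), entries whose file no longer exists on disk, unknown Winsock LSPs, and Winlogon Notify handlers. The Python below is an added example, not code from this thread or from HijackThis; it groups the log by section code and flags those entry types. The sample lines are copied from the log above, and the flag rules are this example's own heuristics.

```python
"""Triage helper for HijackThis-style logs.

Added example, not code from the thread or from HijackThis.  Each line of a
HijackThis log starts with a section code (R1, O2, O4, O10, O20, O23, ...).
We parse the lines, then attach flags for the entry types a helper reads
first.  A flag is a reason to look, not a verdict: the O10 entry below is
Apple's Bonjour LSP, and the proxy is the one the poster set by hand.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.telenet.be:8080
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - H:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse(text):
    """Return one Entry per recognised 'Xn - ...' line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def flag(entry):
    """Attach triage flags (this example's own rules) to an entry."""
    low = entry.body.lower()
    if entry.code in ("R0", "R1") and "proxyserver" in low:
        entry.flags.append("proxy")                 # traffic is routed through a proxy
    if "(no file)" in low or "(file missing)" in low:
        entry.flags.append("missing_file")          # orphaned registration, often leftover residue
    if entry.code == "O10":
        entry.flags.append("winsock_lsp")           # LSPs see every socket call; verify the vendor
    if entry.code == "O20":
        entry.flags.append("winlogon_notify")       # loaded into winlogon at logon
    if entry.code == "O23" and "unknown owner" in low:
        entry.flags.append("no_vendor")             # service binary without a company name
    return entry


def triage(text):
    """Map each flag to the log lines that raised it."""
    report = {}
    for entry in parse(text):
        for name in flag(entry).flags:
            report.setdefault(name, []).append(f"{entry.code} - {entry.body}")
    return report


if __name__ == "__main__":
    for name, lines in triage(SAMPLE_LOG).items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line)
```

Run against the full log, the report puts the three "(no file)"/"(file missing)" registrations, the Bonjour LSP and the proxy setting at the top, which is the order a helper would ask about them in; everything else in the log is a known vendor binary and can wait.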

Juisterr

Legacy Member
Download Combofix to your Desktop and use it according to this guide.

NOTE: if, during or after downloading Combofix or while using Combofix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download Combofix again.
Some scanners regard certain components that Combofix uses as suspicious and will block or delete them!
  • Double-click Combofix.exe to start it.
  • If you have used Combofix before, you may get a warning that an update is available. Allow ComboFix to be updated.
  • Click OK in the "NirCmd" window.
  • If the Recovery Console is not installed, you will be asked to install it by clicking YES in the "Query - Recovery Console" window.
  • Click OK and Yes to have the Recovery Console installed automatically.
  • Afterwards, click Yes again to start the malware scan.
  • While the fix is running, do NOT click in the window, because that will make your PC hang.
  • When the fix is complete and after the reboot, the log Combofix.txt will open.
Post this log in your next reply.

MorGo7h

Legacy Member
A rootkit was found.
At first I couldn't start ComboFix. When I changed the name it did work.
After it had removed everything, I changed the name back to combofix and tested whether it works now. And it did, but my log has now been overwritten :(
I'll post that one then. I do have a screenshot of the rootkit it found.

Log:
ComboFix 09-02-07.01 - JASPER11 2009-02-08 18:52:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2047.1635 [GMT 1:00]
Gestart vanuit: c:\documents and settings\JASPER11\Bureaublad\ComboFi.exe
.

(((((((((((((((((((( Bestanden Gemaakt van 2009-01-08 to 2009-02-08 ))))))))))))))))))))))))))))))
.

2009-02-08 15:22 . 2009-02-08 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-08 15:20 . 2009-02-08 15:20 1,202 --a------ c:\windows\system32\ealregsnapshot1.reg
2009-02-08 13:50 . 2009-02-08 13:55 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-08 13:49 . 2009-02-08 13:49 <DIR> d-------- c:\documents and settings\LocalService\Bureaublad
2009-02-08 13:43 . 2009-01-18 22:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-08 13:42 . 2009-02-08 13:42 <DIR> d-------- c:\program files\Lavasoft
2009-02-08 13:42 . 2009-02-08 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-08 13:42 . 2009-02-08 13:42 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 18:56 . 2009-02-07 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2009-02-07 18:27 . 2009-02-07 18:27 <DIR> d-------- c:\program files\VSO
2009-02-07 18:27 . 2009-02-07 19:49 <DIR> d-------- c:\documents and settings\JASPER11\Application Data\Vso
2009-02-07 18:27 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll
2009-02-07 18:27 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2009-02-07 18:27 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll
2009-02-07 18:27 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll
2009-02-07 18:27 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll
2009-02-07 18:27 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2009-02-07 18:27 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll
2009-02-07 18:27 . 2009-02-07 18:27 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-02-07 18:27 . 2009-02-07 18:27 47,360 --a------ c:\documents and settings\JASPER11\Application Data\pcouffin.sys
2009-01-28 20:38 . 2009-01-28 20:41 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-27 17:36 . 2009-01-27 17:36 <DIR> d-------- c:\program files\MSECache

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 17:40 --------- d-----w c:\documents and settings\JASPER11\Application Data\DMCache
2009-01-20 20:02 --------- d-----w c:\documents and settings\JASPER11\Application Data\Winamp
2008-12-24 17:39 --------- d-----w c:\program files\StuffPlug3
2008-12-24 15:18 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-12-23 22:06 --------- d-----w c:\program files\Logitech
2008-12-23 22:06 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-16 18:21 --------- d-----w c:\documents and settings\All Users\Application Data\TrackMania
2008-12-08 15:07 --------- d-----w c:\program files\MSN Messenger
2008-12-08 13:55 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2008-12-08 13:27 --------- d--h--r c:\documents and settings\JASPER11\Application Data\SecuROM
2008-12-08 13:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 12:55 --------- d-----w c:\program files\Reference Assemblies
2008-12-08 12:55 --------- d-----w c:\program files\MSBuild
2008-12-08 12:53 --------- d-----w c:\program files\MSXML 6.0
2008-11-16 15:18 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-15 21:14 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-15 21:14 249,856 ------w c:\windows\Setup1.exe
2008-11-11 10:55 22,328 ----a-w c:\documents and settings\JASPER11\Application Data\PnkBstrK.sys
2008-11-11 10:54 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-11-11 10:54 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-11 10:12 2,821,776 ----a-w c:\documents and settings\JASPER11\Application Data\setup.exe
2006-06-24 12:48 32,768 ----a-w c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="h:\program files\Internet Download Manager\IDMan.exe" [2008-11-15 2607616]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diamondback"="c:\program files\Razer\Diamondback\razerhid.exe" [2007-02-14 147456]
"WinampAgent"="h:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-03-17 1040384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-08 509784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Valve\\Steam\\SteamApps\\morgoth_pwnz_u\\counter-strike source\\hl2.exe"=
"h:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"h:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"h:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"h:\\Program Files\\TmNationsForever\\TmForever.exe"=
"h:\\Program Files\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe"=
"h:\\Program Files\\RS Vegas\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"=
"h:\\Program Files\\Brothers in Arms Hells Highway\\Binaries\\biahh.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"h:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"h:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"h:\\Program Files\\ElcomSoft\\Proactive System Password Recovery\\pspr.exe"=
"h:\\Program Files\\Electronic Arts\\Crytek\\Crysis Wars\\Bin32\\Crysis.exe"=
"h:\\Program Files\\Electronic Arts\\Crytek\\Crysis WARHEAD XP\\Bin32\\Crysis.exe"=
"h:\\Program Files\\Electronic Arts\\Crytek\\Crysis Wars\\Bin32\\CrysisWarsDedicatedServer.exe"=
"h:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"h:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"h:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"h:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"h:\\Program Files\\Electronic Arts\\Burnout(TM) Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"h:\\Program Files\\Electronic Arts\\Burnout(TM) Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"h:\\Program Files\\Electronic Arts\\Burnout(TM) Paradise The Ultimate Box\\BurnoutParadise.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8-2-2009 13:43:14 64160]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [13-9-2008 23:43:45 150568]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18-1-2009 22:34:37 950096]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [14-9-2008 0:32:41 13225]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f860f42-81c4-11dd-8792-806d6172696f}]
\Shell\AutoRun\command - d:\.\Bin\Assetup.exe
.
Inhoud van de 'Gedeelde Taken' map

2009-02-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-08 13:55]
.
.
------- Bijkomende Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download with IDM - h:\program files\Internet Download Manager\IEExt.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\JASPER11\Application Data\Mozilla\Firefox\Profiles\r4h8kssq.default\
FF - prefs.js: network.proxy.ftp - proxy.telenet.be
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.telenet.be
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy.telenet.be
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy.telenet.be
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy.telenet.be
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\JASPER11\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: h:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: h:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 18:52:45
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-842925246-879983540-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:32,11,3b,6d,9f,1e,77,88,3b,d1,24,ee,6e,2a,84,a2,c3,1e,36,84,06,
35,86,d7,02,1f,84,4b,b5,d7,10,15,af,74,76,fc,ba,5c,55,c8,d9,84,ad,73,53,05,\
"rkeysecu"=hex:0f,79,3b,e2,59,23,e8,1d,21,9b,4f,bb,0e,bb,73,02

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{03551743-b6c2-4030-b2c1-1c50d5959941}]
@Denied: (Full) (Everyone)
"Model"=dword:00000123
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3121bfb2-9aac-4456-83f1-a587b6f0ed19}]
@Denied: (Full) (Everyone)
"Model"=dword:00000165
"Therad"=dword:00000015
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,a6,cc,f7,99,c0,1e,5f,3c,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):84,b0,54,70,d0,16,bb,1f,1c,cd,3b,56,3b,9c,5a,72,9c,7c,a7,7e,34,
6a,bf,42,20,76,4f,f3,bf,e0,ad,5c,7f,eb,fc,cd,0d,e0,26,2e,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):81,2c,dc,52,55,9e,41,6a,d4,aa,73,19,46,ab,b7,b3,65,a5,4d,98,d5,
1b,5a,24,37,60,43,9a,09,59,b3,24,c7,70,bd,d9,0c,d0,2a,f8,00,00,00,00,00,00,\
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
Voltooingstijd: 2009-02-08 18:53:17
ComboFix-quarantined-files.txt 2009-02-08 17:53:11
ComboFix2.txt 2009-02-08 17:51:18

Pre-Run: 17.216.221.184 bytes beschikbaar
Post-Run: 17,204,494,336 bytes beschikbaar

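Two things in the registry section of the ComboFix log above deserve a second look even after the rootkit has been removed: the Security Center notifications for antivirus and Windows Update are switched off ("AntiVirusDisableNotify" and "UpdatesDisableNotify" both 1) and the firewall's standard profile is disabled ("EnableFirewall" 0). Malware commonly sets exactly these values, but so do users, so the check below only reports deviations from an expected baseline. It is an added example, not ComboFix's own logic; the baseline is this example's assumption and the sample is copied from the log above.

```python
"""Baseline check over the registry section of a ComboFix log.

Added example, not ComboFix's own logic.  In the 'Reg Opstartpunten' section
ComboFix prints keys in a REGEDIT4-like layout.  The values compared here are
the ones a helper reads with extra care, because malware often flips them:
Security Center's antivirus/update notifications and the firewall profile.
A deviation is reported as such; whether the user or a program set it is
for the helper to decide.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<raw>.*)$')

# Expected values on a healthy XP machine (this example's own baseline).
# Keys are matched by suffix so both 'HKEY_LOCAL_MACHINE\...' and ComboFix's
# abbreviated 'HKLM\~\services\...' spellings line up.
BASELINE = {
    (r"software\microsoft\security center", "antivirusdisablenotify"): 0,
    (r"software\microsoft\security center", "updatesdisablenotify"): 0,
    (r"services\sharedaccess\parameters\firewallpolicy\standardprofile", "enablefirewall"): 1,
}

# Sample copied from the ComboFix log posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
"""


def parse_value(raw):
    """Turn ComboFix's value spellings into Python values."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)                       # dword:00000001 -> 1
    m = re.match(r"^(-?\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))                        # '0 (0x0)' -> 0
    return raw.strip('"')                             # anything else stays a string


def parse_registry(text):
    """Return {(key_lowercase, value_name_lowercase): value} for every value line."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km["key"].lower()
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            values[(current, vm["name"].lower())] = parse_value(vm["raw"])
    return values


def find_deviations(text):
    """List (key, name, actual, expected) for every baseline value that differs."""
    found = parse_registry(text)
    deviations = []
    for (key, name), expected in BASELINE.items():
        for (fkey, fname), actual in found.items():
            if fname == name and fkey.endswith(key) and actual != expected:
                deviations.append((fkey, fname, actual, expected))
    return deviations


if __name__ == "__main__":
    for key, name, actual, expected in find_deviations(SAMPLE):
        print(f"{key}\\{name} = {actual!r} (expected {expected!r})")
```

On the log above all three baseline values deviate. Restoring them (re-enabling the firewall profile and Security Center notifications) is part of the clean-up, and re-checking them after a reboot is a cheap way to confirm that nothing is still flipping them back.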

MorGo7h

Legacy Member
Anything else to note?
My PC still starts fairly slowly. It sits for quite a while on the "welcome" screen in XP.

Juisterr

Legacy Member
Download gmer.zip and extract it to your Desktop.
Double-click gmer.exe to start it.
When asked whether to scan your system, click "yes".
Then click the "Rootkit" tab.
AFTER the scan: click the "Copy" button (bottom right)
Open a Notepad file.
Right-click in this file and choose paste. Save this file as gmerlog.txt
Post the contents of gmerlog.txt in your next reply.

MorGo7h

Legacy Member
This is what it found when starting the program, before I had clicked anything.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-13 19:12:33
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A64B1E8

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- EOF - GMER 1.0.14 ----

MorGo7h

Legacy Member
After pressing scan myself, a few more results appeared.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-13 19:15:34
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA11887E]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA118C10]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CE2 8050456E 2 Bytes [ EC, B9 ]
? C:\WINDOWS\system32\drivers\sptd.sys Het proces heeft geen toegang tot het bestand omdat
het bestand door een ander proces wordt gebruikt.
.text USBPORT.SYS!DllUnload B8B798AC 5 Bytes JMP 8A2EB770
? System32\Drivers\awhi5lmb.SYS Het systeem kan het opgegeven bestand niet vinden. !

---- User code sections - GMER 1.0.14 ----

.text H:\Program Files\Winamp\winamp.exe[1756] USER32.dll!SetScrollInfo 7E399056 7 Bytes JMP 0426A68D H:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text H:\Program Files\Winamp\winamp.exe[1756] USER32.dll!GetScrollInfo 7E3ADFE2 7 Bytes JMP 0426A615 H:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text H:\Program Files\Winamp\winamp.exe[1756] USER32.dll!ShowScrollBar 7E3AF2F2 5 Bytes JMP 0426A711 H:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text H:\Program Files\Winamp\winamp.exe[1756] USER32.dll!GetScrollPos 7E3AF704 5 Bytes JMP 0426A63D H:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text H:\Program Files\Winamp\winamp.exe[1756] USER32.dll!SetScrollPos 7E3AF750 5 Bytes JMP 0426A6B8 H:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text H:\Program Files\Winamp\winamp.exe[1756] USER32.dll!GetScrollRange 7E3AF787 5 Bytes JMP 0426A662 H:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text H:\Program Files\Winamp\winamp.exe[1756] USER32.dll!SetScrollRange 7E3AF99B 5 Bytes JMP 0426A6E3 H:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text H:\Program Files\Winamp\winamp.exe[1756] USER32.dll!EnableScrollBar 7E3E8005 7 Bytes JMP 0426A5ED H:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!LoadResource 7C80A045 7 Bytes JMP 28001CC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!FindResourceExW 7C80AD18 7 Bytes JMP 28001B00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!FindResourceW 7C80BC5E 7 Bytes JMP 28001A80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!SizeofResource 7C80BCF9 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!FindResourceA 7C80BF19 7 Bytes JMP 28001B90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!LockResource 7C80CD27 5 Bytes JMP 28001DF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!CreateEventA 7C83089D 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!FindResourceExA 7C835F90 7 Bytes JMP 28001C20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] kernel32.dll!OutputDebugStringW 7C85B335 5 Bytes JMP 28001E50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] ADVAPI32.dll!CryptDeriveKey 77F59FDD 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] ADVAPI32.dll!CryptDecrypt 77F5A109 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] USER32.dll!PeekMessageW 7E39929B 5 Bytes JMP 28004090 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] USER32.dll!SetWindowPlacement 7E39DE46 5 Bytes JMP 28005840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] USER32.dll!CreateDialogParamW 7E39EA3B 5 Bytes JMP 28005AC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] USER32.dll!LoadImageW 7E3A7B97 5 Bytes JMP 280060C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 28003820 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] USER32.dll!SetWindowRgn 7E3AE528 7 Bytes JMP 28005980 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] USER32.dll!LoadIconW 7E3AE8BC 5 Bytes JMP 280062B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 28005CB0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] USER32.dll!TrackPopupMenuEx 7E3ECF62 5 Bytes JMP 28004970 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 2800A5A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WS2_32.dll!send 71A34C27 2 Bytes JMP 2800A180 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WS2_32.dll!send + 3 71A34C2A 2 Bytes [ 5D, B6 ]
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 28009F60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WS2_32.dll!recv 71A3676F 5 Bytes JMP 28009DC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 2800A360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] SHELL32.dll!Shell_NotifyIconW 7CA2A52F 5 Bytes JMP 28002FE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] ole32.dll!CoInitializeEx 774BEF7B 5 Bytes JMP 28002100 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] ole32.dll!CoRegisterClassObject 774D7E90 5 Bytes JMP 28002200 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WININET.dll!HttpOpenRequestA 77182AF9 5 Bytes JMP 28008BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WININET.dll!InternetCloseHandle 77184D8C 5 Bytes JMP 28008F20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WININET.dll!HttpSendRequestA 771860A1 5 Bytes JMP 28008E50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WININET.dll!InternetReadFile 771882EA 5 Bytes JMP 28008D70 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A64B1E8
Device \Driver\PCI_NTPNP6832 \Device\00000044 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-0 8A3E91E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A64D1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A64D1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A64D1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A64D1E8
Device \Driver\usbuhci \Device\USBPDO-1 8A3E91E8
Device \Driver\usbuhci \Device\USBPDO-2 8A3E91E8
Device \Driver\usbehci \Device\USBPDO-3 8A3DA1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BFBBC96A-0167-4699-A263-660DE946C3BD} 8A28A3E0
Device \Driver\usbuhci \Device\USBPDO-4 8A3E91E8

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\usbuhci \Device\USBPDO-5 8A3E91E8
Device \Driver\usbuhci \Device\USBPDO-6 8A3E91E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5DE1E8
Device \Driver\usbehci \Device\USBPDO-7 8A3DA1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5DE1E8
Device \Driver\Cdrom \Device\CdRom0 8A3AB790
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A5DE1E8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A5DE1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A28A3E0
Device \Driver\USBSTOR \Device\00000078 89FFC790
Device \Driver\NetBT \Device\NetbiosSmb 8A28A3E0
Device \Driver\NetBT \Device\NetBT_Tcpip_{7598B1B3-751D-4F66-A99B-D3E8DA1E186D} 8A28A3E0
Device \Driver\usbuhci \Device\USBFDO-0 8A3E91E8
Device \Driver\usbuhci \Device\USBFDO-1 8A3E91E8
Device \Driver\USBSTOR \Device\0000007a 89FFC790
Device \Driver\usbuhci \Device\USBFDO-2 8A3E91E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A1B03D8
Device \Driver\usbehci \Device\USBFDO-3 8A3DA1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A1B03D8
Device \Driver\Ftdisk \Device\FtControl 8A5DE1E8
Device \Driver\usbuhci \Device\USBFDO-4 8A3E91E8
Device \Driver\usbuhci \Device\USBFDO-5 8A3E91E8
Device \Driver\usbuhci \Device\USBFDO-6 8A3E91E8
Device \Driver\usbehci \Device\USBFDO-7 8A3DA1E8
Device \Driver\awhi5lmb \Device\Scsi\awhi5lmb1Port4Path0Target0Lun0 8A2BC1E8
Device \Driver\awhi5lmb \Device\Scsi\awhi5lmb1 8A2BC1E8
Device \FileSystem\Cdfs \Cdfs 8A17B790

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4D 0x2D 0x71 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0xFC 0x35 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x01 0x38 0xF2 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x12 0x97 0x2C 0x24 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4D 0x2D 0x71 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0xFC 0x35 0x2F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC6 0xFC 0x87 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x89 0x71 0x65 0x67 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4D 0x2D 0x71 0x7E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0xFC 0x35 0x2F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x01 0x38 0xF2 0x21 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x12 0x97 0x2C 0x24 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{03551743-b6c2-4030-b2c1-1c50d5959941}@Model 291
Reg HKLM\SOFTWARE\Classes\CLSID\{03551743-b6c2-4030-b2c1-1c50d5959941}@Therad 30
Reg HKLM\SOFTWARE\Classes\CLSID\{03551743-b6c2-4030-b2c1-1c50d5959941}@MData 0x2B 0x8F 0x78 0x29 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{3121bfb2-9aac-4456-83f1-a587b6f0ed19}@Model 357
Reg HKLM\SOFTWARE\Classes\CLSID\{3121bfb2-9aac-4456-83f1-a587b6f0ed19}@Therad 21
Reg HKLM\SOFTWARE\Classes\CLSID\{3121bfb2-9aac-4456-83f1-a587b6f0ed19}@MData 0xCB 0x9B 0xAD 0xEF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x84 0xB0 0x54 0x70 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x81 0x2C 0xDC 0x52 ...

---- EOF - GMER 1.0.14 ----
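The GMER output above is a list of hooks, not a list of infections: every `.text ... JMP` line records a patched user-mode API, every `IAT` line a redirected kernel import, and the module at the end of the line is who GMER thinks installed it. Triage is deciding which of those owners you recognise. The Python below is an added example, not code from this thread or from GMER; it parses the line formats quoted above (sample lines copied from this log, plus two constructed lines in the usage note) and buckets each hook by owner. The allowlist `KNOWN_OWNERS` is an assumption drawn from the names this thread already identifies as legitimate (Messenger Plus! Live, DAEMON Tools' sptd.sys, Lavasoft's Lbd.sys); in real triage you would verify each file's signature or hash before trusting the name.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the GMER 1.0.14 output quoted in this thread.
SAMPLE_LOG = r"""
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WS2_32.dll!send 71A34C27 2 Bytes JMP 2800A180 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WS2_32.dll!send + 3 71A34C2A 2 Bytes [ 5D, B6 ]
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1960] WININET.dll!HttpSendRequestA 771860A1 5 Bytes JMP 28008E50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
"""

# User-mode inline hook: either "JMP <target> <owner path> (<description>)"
# or a residual byte patch "[ XX, YY ]" that GMER could not attribute.
USER_HOOK = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<api>\S+!\S+)(?:\s+\+\s+\d+)?\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]+)\s+(?P<owner>.+?)\s+\((?P<desc>[^)]*)\)"
    r"|\[(?P<bytes>[^\]]*)\])\s*$"
)
# Kernel import table redirection: "IAT <driver>[<module>!<function>] [<addr>] <owner>"
KERNEL_IAT = re.compile(
    r"^IAT\s+(?P<driver>[^\[\s]+)\[(?P<api>[^\]]+)\]\s+\[(?P<addr>[0-9A-F]+)\]\s+(?P<owner>\S+)\s*$"
)
# Filter driver attached to a device stack.
ATTACHED = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<owner>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)


def parse_gmer(text):
    """Turn GMER hook, IAT and AttachedDevice lines into dicts; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        m = USER_HOOK.match(line)
        if m:
            owner_path = m.group("owner")
            hooks.append({
                "kind": "inline", "where": m.group("proc"), "api": m.group("api"),
                # keep only the file name so it can be compared against an allowlist
                "owner": owner_path.rsplit("\\", 1)[-1] if owner_path else None,
                "desc": m.group("desc"), "bytes": m.group("bytes"),
            })
            continue
        m = KERNEL_IAT.match(line)
        if m:
            hooks.append({"kind": "iat", "where": m.group("driver"), "api": m.group("api"),
                          "owner": m.group("owner"), "desc": None, "bytes": None})
            continue
        m = ATTACHED.match(line)
        if m:
            hooks.append({"kind": "attached", "where": m.group("driver"), "api": m.group("device"),
                          "owner": m.group("owner"), "desc": m.group("desc"), "bytes": None})
    return hooks


# Assumed allowlist: modules this thread already identifies as legitimate hook installers.
# Verify signature/hash of the actual files before trusting a name from a log.
KNOWN_OWNERS = {"MsgPlusLive.dll", "sptd.sys", "Lbd.sys"}


def triage(hooks, known=KNOWN_OWNERS):
    """Split hooks into recognised owners, unknown owners, and byte patches
    GMER could not attribute to any module. A residual patch on an API whose
    primary hook belongs to a recognised owner is treated as that hook's tail."""
    known_lc = {k.lower() for k in known}
    report = {"known": [], "unknown": [], "unattributed": []}
    covered = {(h["where"], h["api"]) for h in hooks
               if h["owner"] and h["owner"].lower() in known_lc}
    for h in hooks:
        if h["owner"] is None:
            bucket = "known" if (h["where"], h["api"]) in covered else "unattributed"
        elif h["owner"].lower() in known_lc:
            bucket = "known"
        else:
            bucket = "unknown"
        report[bucket].append(h)
    return report


def owner_summary(hooks):
    """Count hooks per owning module (None = unattributed byte patch)."""
    return Counter(h["owner"] for h in hooks)


if __name__ == "__main__":
    for bucket, items in triage(parse_gmer(SAMPLE_LOG)).items():
        print(f"{bucket}: {len(items)}")
        for h in items:
            tail = h["owner"] or "bytes " + h["bytes"].strip()
            print(f"  [{h['kind']}] {h['where']} {h['api']} -> {tail}")
```

On the sample above everything lands in `known`, which is the point of the user's question: GMER is a reporting tool, and a log full of hooks owned by software you installed yourself is not something to "fix" in GMER. What would warrant a closer look is an `unknown` owner (a module name nobody installed) or an `unattributed` byte patch on an API that has no recognised primary hook; feeding two constructed lines of that shape through `triage` puts them in exactly those buckets.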

MorGo7h

Legacy Member
Juisterr said:
That's right, but your last log is out of date.

When I open GMER and press Scan I still get the same log as above. So it hasn't fixed anything, it only produced a log. Do I need to remove something in GMER, or?

Regards

Juisterr

Legacy Member
I'd like a fresh log made with the correct version of HJT, because the first log was made with an outdated version and the correct version also gives the correct information.

* Download Trend Micro Hijack This™
Double-click HJTInstall.exe to install HijackThis.
By default HijackThis will be installed in the Program Files\Trendmicro folder and a shortcut will be placed on your desktop.
HijackThis will open after the installation.
Click the Scan button at the bottom.
This will start the scan and open a log.
Copy and paste this log into your next post.

Please.

MorGo7h

Legacy Member
There you go :) But I don't quite understand what the purpose of GMER is. Just to make an analysis like with HijackThis? Or do I also have to remove files/keys from it? Because it does still show components of the rootkit.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:06:35, on 2009/02/16
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
H:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
H:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
H:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - H:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [WinampAgent] "H:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [IDMan] H:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with IDM - H:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - H:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6739 bytes

Juisterr

Legacy Member
I'm looking for that rootkit :)

Download Dr.Web CureIt and save it to your desktop.
  • Double-click drweb-cureit.exe and allow it to start the express scan.
    If a popup appears offering to buy / a 50% discount, you may close it.
  • The express scan will scan the files currently loaded in memory. When something is found, click 'select all', then choose 'repair' and from the small menu that appears choose 'move'.
  • At the top of the menu choose Language and change it to Dutch (Nederlands) if it is set differently on your system.
  • Press F9, then choose the Actions tab and set the following under Malware:
    • Adware: Move
    • Dialers: Move
    • Jokes: Report
    • Riskware: Report
    • Hacktools: Move
    • Then untick 'Prompt on action'.
  • Next choose the Scan tab and untick Heuristic analysis.
    Then press Apply followed by OK.
  • Once the short scan has finished, tick: Full scan.
    Then press the green arrow (start button) to start the scan.
  • Files that are found are moved to the '%USERPROFILE%\DocterWeb\Quarantine' folder if repair is not possible.
  • After the scan is done, go to File and choose Save report list.
    Save it to your desktop and then close Dr.Web CureIt.
  • Then restart the computer!! This is an important step, because Dr.Web CureIt may move/delete files during the restart.
  • After the restart, copy and paste the contents of the log you saved earlier into your next post.

MorGo7h

Legacy Member
It found nothing with the express scan. I'm doing a full scan now.

MorGo7h

Legacy Member
With the full scan it does still find something, but my PC crashed during it. I then only checked my C drive (only Windows is on there) and it was clean. I'd better check my drive with the programs on it as well. I'll post something then.
I'm not at home at the moment, not until Monday.

MorGo7h

Legacy Member
Did a full scan with Dr. Web and it found a few more things. The Dr. Web log is a csv, so it's hard to put it here. I did save it and took a screenshot of it.