Archive - Slow internet, popups

The archive is a frozen moment from a previous version of this forum, with different rules and different bosses. These posts in no way reflect our current ideas, values or worldviews and have in some places been censored as inadmissible. Many were made in a different zeitgeist, ironically or not - as in the ironic subforum Off-Topic - and would not (be allowed to) be posted any more today. Still, we are happy to offer this archive as an information database and reference work. Read more about it here or start a conversation with others.

Duffman-

Legacy Member
Hey,
I have serious spyware problems and really don't know how it happened. I've already managed to remove most of it, but a few stubborn little bugs still remain on my PC.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:24, on 23/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\Telemeter 3.0\telemeter3.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Documents and Settings\Simon\lsass.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\ASUS\AASP\1.00.15\aaCenter.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = proxy.occlan.be:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F3 - REG:win.ini: load=
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [Telemeter 3.0] "C:\Program Files\Telemeter 3.0\telemeter3.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [Hitman Pro Expiration Helper] "C:\Program Files\Hitman Pro\xphelper.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Simon\lsass.exe
O4 - HKLM\..\Run: [{da670d1b-8653-79b8-fd71-45162a7a3258}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\pvmwpfmrzlqjp.dll" DllStub
O4 - HKLM\..\Run: [5c5adbae] rundll32.exe "C:\WINDOWS\system32\rnvjljwg.dll",b
O4 - HKLM\..\Run: [BM5f69e832] Rundll32.exe "C:\WINDOWS\system32\iusubdeb.dll",s
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - S-1-5-18 Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Snelstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: ayomjl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8932 bytes
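The helpers in this thread read the log above by eye and picked out the same few patterns every time: a core Windows binary name (lsass.exe) starting from a user profile, Run values named by a GUID or hex blob that launch rundll32 with a randomly named DLL, and a populated AppInit_DLLs line. The script below is an added example, not part of the original thread or of HijackThis; it codifies those checks as triage heuristics and runs them over a constructed sample in the v2.0.2 line format (the suspicious lines are copied from the log above). The severity labels, the vowel-ratio threshold and the list of core binary names are my own assumptions.

```python
"""Heuristic triage of HijackThis autostart entries (added example)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2.0.2 line format: vendor autostarts
# mixed with the entries from the posted log that turned out to be malware.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = proxy.occlan.be:8080
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Simon\lsass.exe
O4 - HKLM\..\Run: [{da670d1b-8653-79b8-fd71-45162a7a3258}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\pvmwpfmrzlqjp.dll" DllStub
O4 - HKLM\..\Run: [5c5adbae] rundll32.exe "C:\WINDOWS\system32\rnvjljwg.dll",b
O4 - HKLM\..\Run: [BM5f69e832] Rundll32.exe "C:\WINDOWS\system32\iusubdeb.dll",s
O20 - AppInit_DLLs: ayomjl.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Core Windows binaries that legitimately start only from the system
# directories; a same-named file elsewhere (lsass.exe above) is a
# masquerading trick. The list and the directories are my own assumption.
SYSTEM_BINARIES = {"lsass.exe", "winlogon.exe", "services.exe", "csrss.exe",
                   "smss.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^\S+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll)', re.IGNORECASE)
# Run value names that are a bare GUID or a hex blob instead of a product name.
OPAQUE_NAME_RE = re.compile(r"^(?:\{[0-9a-f-]{36}\}|(?:BM)?[0-9a-f]{8,})$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review"
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Letters-only name of 6+ chars with almost no vowels, e.g. rnvjljwg.

    The threshold is an assumption; it deliberately misses names like
    iusubdeb rather than flagging ordinary product names such as jusched.
    """
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in stem.lower())
    return vowels / len(stem) < 0.2


def triage_line(line: str) -> list[Finding]:
    """Apply the heuristics to one log line; benign lines yield nothing."""
    findings: list[Finding] = []
    m = ENTRY_RE.match(line.strip())
    if not m:
        return findings
    kind, body = m.group("kind"), m.group("body")
    if kind == "R1" and "AutoConfigURL" in body and body.split("=", 1)[-1].strip():
        findings.append(Finding("review", "proxy auto-config URL is set; confirm it is the expected network proxy", line))
    elif kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        findings.append(Finding("high", "AppInit_DLLs injects a DLL into every process that loads user32", line))
    elif kind == "O23" and "Unknown owner" in body:
        findings.append(Finding("review", "service binary carries no vendor information", line))
    elif kind == "O4":
        o4 = O4_RE.match(body)
        if not o4:
            return findings
        name, cmd = o4.group("name"), o4.group("cmd")
        if OPAQUE_NAME_RE.match(name):
            findings.append(Finding("medium", f"Run value name {name!r} is a GUID/hex blob", line))
        for path in PATH_RE.findall(cmd):
            base = ntpath.basename(path).lower()
            directory = ntpath.dirname(path).lower()
            if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
                findings.append(Finding("high", f"{base} runs from {directory!r} instead of a system directory", line))
            if base.endswith(".dll") and "rundll32" in cmd.lower() and looks_random(base[:-4]):
                findings.append(Finding("medium", f"rundll32 loads randomly named DLL {base}", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run the heuristics over a whole log, in log order."""
    return [f for line in log_text.splitlines() if line.strip()
            for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}")
        print(f"         {f.line.strip()}")
```

The "review" findings are not verdicts: the PAC URL here is plausibly the dorm network's proxy and PnkBstrA is a known game anti-cheat service, which is exactly why such lines get a human look rather than automatic removal.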

Duffman-

Legacy Member
Hi,

it's already going much better. Do I still need to post a log of something here or so?

Greetz,
Duffman-

//edit: problem description
http://users.telenet.be/duffman/wtf.JPG

My browsers load every web page twice in one window. Already did a reinstall. I'm also still getting pop-ups. I don't get how it ends up on there. I think it's because I live in student housing and someone else here on the network has quite a lot of spyware trouble.


Malwarebytes log:
Malwarebytes' Anti-Malware 1.28
Database versie: 1203
Windows 5.1.2600 Service Pack 2

25/09/2008 5:12:49
mbam-log-2008-09-25 (05-12-46).txt

Scan type: Volledige Scan (C:\|D:\|E:\|F:\|H:\|J:\|N:\|)
Objecten gescand: 281416
Verstreken tijd: 1 hour(s), 29 minute(s), 19 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 4
Registersleutels geïnfecteerd: 19
Registerwaarden geïnfecteerd: 4
Registerdata bestanden geïnfecteerd: 2
Mappen geïnfecteerd: 2
Bestanden geïnfecteerd: 36

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
C:\WINDOWS\system32\gcwhttfp.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hggefFVm.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fcCvSMGY.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mcogrc.dll (Trojan.Vundo) -> No action taken.

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04b1e7d3-d4b7-48f2-ac4f-0d2555252a95} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccvsmgy (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{04b1e7d3-d4b7-48f2-ac4f-0d2555252a95} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85580142-67c1-4b86-89ad-869cc45087f5} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{85580142-67c1-4b86-89ad-869cc45087f5} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b33f0194-fb4b-4b0c-b022-7b261ddfd0b1} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b33f0194-fb4b-4b0c-b022-7b261ddfd0b1} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bambanner (Adware.Adrotator) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fb22564d-f59b-d179-1e23-9691a3da625a} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{fb22564d-f59b-d179-1e23-9691a3da625a} (Adware.BHO) -> No action taken.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5c5adbae (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{04b1e7d3-d4b7-48f2-ac4f-0d2555252a95} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{da670d1b-8653-79b8-fd71-45162a7a3258} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm5f69e832 (Trojan.Agent) -> No action taken.

Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggeffvm -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggeffvm -> No action taken.

Mappen geïnfecteerd:
C:\Program Files\webHancer (Adware.Webhancer) -> No action taken.
C:\WINDOWS\system32\g1 (Trojan.Downloader) -> No action taken.

Bestanden geïnfecteerd:
C:\WINDOWS\system32\fcCvSMGY.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mcogrc.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hggefFVm.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mVFfeggh.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mVFfeggh.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\gcwhttfp.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\pftthwcg.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\nwrytlas.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\saltyrwn.ini (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Simon\Local Settings\Temporary Internet Files\Content.IE5\4DEN4TUV\upd105320[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Simon\Local Settings\Temporary Internet Files\Content.IE5\KXYBOXE7\nd82m0[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Simon\Local Settings\Temporary Internet Files\Content.IE5\WV9NIMVP\CA4LMNO9 (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{1A4DD4DC-ED91-45B2-86C2-9FECBAD06941}\RP342\A0056529.exe (Adware.Webhancer) -> No action taken.
C:\System Volume Information\_restore{1A4DD4DC-ED91-45B2-86C2-9FECBAD06941}\RP342\A0056530.exe (Adware.Webhancer) -> No action taken.
C:\System Volume Information\_restore{1A4DD4DC-ED91-45B2-86C2-9FECBAD06941}\RP343\A0056544.dll (Adware.Webhancer) -> No action taken.
C:\System Volume Information\_restore{1A4DD4DC-ED91-45B2-86C2-9FECBAD06941}\RP343\A0056545.dll (Adware.Webhancer) -> No action taken.
C:\System Volume Information\_restore{1A4DD4DC-ED91-45B2-86C2-9FECBAD06941}\RP343\A0056578.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\dlyrvpst.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pvffvu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ayomjl.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tjwosnaidfj.exe (Adware.Adrotator) -> No action taken.
C:\WINDOWS\system32\wxtavuaw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qoMFyWOH.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mgvjylas.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\901\sfeth112.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\nysl\ixp6453.exe (Adware.Webhancer) -> No action taken.
D:\SETUP\key winxp wijzigen\htcxpcok\All Microsoft XP Programs Keygen\XPKey.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\g1\CRK34L19.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\nvandxet.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM5f69e832.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM5f69e832.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\winlogon.Del (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\explorer.sln (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\WINDOWS\explorer.suo (Heuristics.Reserved.Word.Exploit) -> No action taken.

Jurgenv1

Legacy Member
Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Put it on your desktop.
Double-click it to start the program.
In the window that appears, type a 1 to have the cleaning and analysis process run.
Follow the on-screen instructions.
When the tool is finished, a log file (combofix.txt) opens.
Post the contents of this file together with a new HijackThis log.

Duffman-

Legacy Member
alright.

I can't run it until tomorrow evening though, since that's when I'll be back at my student room.

Thx

Duffman-

Legacy Member
I did it. I didn't have to type a 1 though. The program started automatically ...


ComboFix 08-09-27.05 - Simon 2008-09-28 22:32:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.1350 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\Simon\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\vtUlIaXN.dll
C:\WINDOWS\system32\yayyVmJc.dll
C:\WINDOWS\winhelp.ini

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-08-28 to 2008-09-28 ))))))))))))))))))))))))))))))
.

2008-09-24 20:13 . 2008-09-24 20:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-24 20:13 . 2008-09-24 20:13 <DIR> d-------- C:\Documents and Settings\Simon\Application Data\Malwarebytes
2008-09-24 20:13 . 2008-09-24 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-24 20:13 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-24 20:13 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-23 19:41 . 2008-09-23 19:43 <DIR> d-------- C:\hijackthis
2008-09-23 19:06 . 2008-09-23 19:06 299 --a------ C:\WINDOWS\wininit.ini
2008-09-22 21:51 . 2008-09-23 19:34 861,419 ---hs---- C:\WINDOWS\system32\gwjljvnr.ini
2008-09-22 18:40 . 2008-09-25 05:12 <DIR> d-------- C:\WINDOWS\system32\nysl
2008-09-22 18:40 . 2008-09-22 18:40 <DIR> d-------- C:\WINDOWS\system32\mC02
2008-09-22 18:40 . 2008-09-25 05:12 <DIR> d-------- C:\WINDOWS\system32\901
2008-09-22 18:40 . 2008-09-22 18:40 <DIR> d-------- C:\Temp\mtc2
2008-09-18 02:41 . 2008-09-18 02:41 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-09-05 22:49 . 2008-09-05 22:51 <DIR> d-------- C:\Documents and Settings\Simon\Application Data\SPORE
2008-09-02 00:50 . 2008-09-02 00:51 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-02 00:50 . 2008-09-02 00:50 <DIR> d-------- C:\Documents and Settings\Simon\Application Data\PC Tools
2008-09-02 00:50 . 2008-09-02 00:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-02 00:50 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-02 00:50 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-02 00:50 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-02 00:50 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-02 00:49 . 2008-09-02 18:23 <DIR> d-------- C:\Program Files\ESET
2008-09-02 00:49 . 2008-09-02 00:49 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-09-02 00:42 . 2008-09-02 00:42 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-02 00:05 . 2008-09-02 00:05 <DIR> d-------- C:\Program Files\Panda Security
2008-09-02 00:05 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 20:25 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-09-28 20:19 --------- d-----w C:\Program Files\Hitman Pro
2008-09-24 12:47 --------- d-----w C:\Program Files\Xfire
2008-09-22 22:06 --------- d-----w C:\Documents and Settings\Simon\Application Data\Xfire
2008-09-20 16:13 --------- d-----w C:\Program Files\mIRC
2008-09-20 16:13 --------- d-----w C:\Documents and Settings\Simon\Application Data\NoNameScript
2008-09-20 01:16 183,256 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-09-20 01:16 138,912 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-05 20:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-02 16:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-01 22:52 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-01 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-24 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-08-23 19:17 --------- d-----w C:\Program Files\Reference Assemblies
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2007-12-18 14:29 357 ----a-w C:\Documents and Settings\Simon\.cb_layout.bin
2007-11-26 20:32 22,328 ----a-w C:\Documents and Settings\Simon\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe" [2006-11-14 363008]
"Launch PC Probe II"="C:\Program Files\ASUS\PC Probe II\Probe2.exe" [2006-10-30 2128896]
"Telemeter 3.0"="C:\Program Files\Telemeter 3.0\telemeter3.exe" [2007-04-16 1441792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 8491008]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"CTCheck"="C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"Hitman Pro Expiration Helper"="C:\Program Files\Hitman Pro\xphelper.exe" [2007-01-30 596760]

C:\Documents and Settings\Simon\Menu Start\Programma's\Opstarten\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-09-18 3089232]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Snelstart.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kvdvyc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Simon^Menu Start^Programma's^Opstarten^Adobe Gamma.lnk]
path=C:\Documents and Settings\Simon\Menu Start\Programma's\Opstarten\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-07-02 12:29 220544 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-29 17:09 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 18:14 8491008 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-01-07 22:02 495616 C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 07:12 729088 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-12-18 15:34 868352 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-28 21:30 1271032 d:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-16 00:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"D:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"D:\\Program Files\\Steam\\steam.exe"=
"D:\\SETUP\\RapGet\\rapget.exe"=
"D:\\Program Files\\Steam\\steamapps\\duffmanbe\\team fortress 2\\hl2.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"D:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"D:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"D:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"N:\\RapGet\\rapget.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"D:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\YnHub\\YnHub.exe"=
"C:\\Program Files\\DC++673\\DCPlusPlus2.exe"=
"D:\\Program Files\\Worms World Party\\Worms World Party\\WWP\\wwp.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_01\\jre\\bin\\java.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"D:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"J:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
"J:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.6\\cnc3game.dat"=
"J:\\Program Files\\EA Sports\\FIFA 08\\FIFA08.exe"=
"J:\\Program Files\\TmNationsForever\\TmForever.exe"=
"C:\\Program Files\\JetBrains\\IntelliJ IDEA 7.0.3\\bin\\idea.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_01\\bin\\java.exe"=
"D:\\Program Files\\Codemasters\\GRID Demo\\GRID.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"J:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [ ]
R2 OracleXETNSListener;OracleXETNSListener;C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-02 204800]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - I:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
Inhoud van de 'Gedeelde Taken' map
.
- - - - ORPHANS VERWIJDERD - - - -

MSConfigStartUp-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe


.
------- Bijkomende Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\hbkfcylu.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
FF -: plugin - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 22:36:03
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-09-28 22:37:27
ComboFix-quarantined-files.txt 2008-09-28 20:37:18

Pre-Run: 1.094.488.064 bytes beschikbaar
Post-Run: 1,398,050,816 bytes beschikbaar

225 --- E O F --- 2008-09-11 01:00:50

Jurgenv1

Legacy Member
* Download OTMoveIt.exe and put it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

* Open OTMoveIt.exe.
In the left pane, where it says "Paste List of Files/Folders to be Moved", copy and paste the section below:

C:\WINDOWS\system32\gwjljvnr.ini


Then click the MoveIt button at the bottom.
When finished it will create a log (********_******.log -- the * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste the contents of that log in your next post and tell how everything works from there.

Duffman-

Legacy Member
C:\WINDOWS\system32\gwjljvnr.ini moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09302008_170023


I actually have hardly any problems left. The browser loading the website twice in one window has resolved itself, I think, and I don't get pop-ups any more.

Thanks in advance Exit and JurgenV1. Does anything else need to be done?

Greetz,
Duffman-