chinese commercial o.i.d.

**vierport** · 2 December 2008, 15:54

Vanmorgen starte ik de pc op en na een paar minuten hoor ik soort chinees reclamespotje uit mijn speakers komen

. Dat zich om de paar minuten herhaald.
In windows taakbeheer zie ik de volgende processen:
infocard.exe
WLLOGI~1.exe
iexplore.exe

Zodra ik iexplore.exe beeindig tijdens het chinees gebrabbel stopt die ook meteen. Het gaat dus alleen om een geluidsfragment.

Norman antivirus in veiligemodus gestart en deze vond de volgende trojan: w32/FP-Banker.DYCY in c:\progam files\msn messenger\ msgrvsta.thm

Na verwijdering geen problemen gehad. Nu 5 uur later weer hetzelfde verhaal. Is nu alleen een andere commercial.
Wie weet raad?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46:58, on 2-12-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Norman\Npm\bin\ZLH.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\taskmagr.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\WindowsXP\Bureaublad\Hijackthis\HijackThi s.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=w...3DDate%26n%3D9??
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Ontvang alles met FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Ontvang met FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {63D6DD13-C913-466D-9444-9357561E4D94} (upload toepassing Control) - http://www.mijnalbum.nl/v3/skinsrc/c...toepassing.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210104856125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 7815 bytes

**vierport** · 3 December 2008, 13:20

Een ander verschijnsel is dat uit het niets een chinese webpagina gestart wordt, of oneindig de set startpagina`s geladen wordt, welke alleen te stoppen is door in taakbeheer het proces te beeindigen.
Kent iemand dit en/of bovenstaande problemen?

**Juisterr** · 3 December 2008, 18:54

Download http://download.bleepingcomputer.com/sUBs/ComboFix.exe]Combofix[/url] naar je Bureaublad.
OPMERKING: indien je, tijdens of na het downloaden van Combofix of tijdens het gebruik van Combofix een melding krijgt van je Antivirus- of een andere realtime scanner, schakel dan deze scanner uit en download Combofix opnieuw.
Sommige scanners zien bepaalde componenten die Combofix gebruikt als verdacht en gaan deze blokkeren of verwijderen!

Dubbelklik op Combofix.exe om het te starten.
Indien je Combofix al eerder hebt gebruikt, kan je een waarschuwing krijgen dat een update beschikbaar is. Sta toe dat ComboFix wordt geupdate.
Klik op OK in het "NirCmd" venstertje.
Indien de Recovery Console niet geïnstalleerd is, wordt je gevraagd om dit alsnog te doen door op JA te klikken in het "Query - Recovery Console" venster.
Klik op OK en Ja om automatisch de Recovery Console te laten installeren.
Klik na afloop terug op Ja om het scannen op malware te starten.
Tijdens het runnen van de fix, NIET in het venster klikken, want dit zal je pc doen vasthangen.
Wanneer de fix voltooid is en na herstart, zal de log Combofix.txt openen.

Post dit logje in je volgende antwoord.

**vierport** · 3 December 2008, 23:18

Post dit logje in je volgende antwoord.

ComboFix 08-12-02.02 - WindowsXP 2008-12-03 22:07:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.1480 [GMT 1:00]
Gestart vanuit: c:\documents and settings\WindowsXP\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
* Resident AV is active
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\taskmagr.exe
c:\windows\system32\wmdmpmsvc.dll
c:\windows\system32\wshell.dll
c:\windows\system32\spoolsv.exe . . . est infectee!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NSESVC
-------\Service_Netcom3
-------\Service_nsesvc

(((((((((((((((((((( Bestanden Gemaakt van 2008-11-03 to 2008-12-03 ))))))))))))))))))))))))))))))
.
2008-12-03 14:05 . 2008-12-03 21:48 <DIR> dr-h----- c:\documents and settings\WindowsXP\Onlangs geopend
2008-12-02 15:19 . 2008-12-02 15:19 92 --a------ c:\windows\wininit.ini
2008-12-02 14:40 . 2008-12-03 09:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 08:50 . 2008-12-02 08:50 <DIR> dr------- c:\documents and settings\NetworkService\Favorieten
2008-11-28 17:18 . 2008-11-28 17:18 <DIR> d-------- c:\program files\PDFCreator
2008-11-28 17:18 . 1998-06-24 01:00 137,000 --a------ c:\windows\system32\MSMAPI32.OCX
2008-11-28 17:18 . 2001-10-28 17:42 116,224 --a------ c:\windows\system32\pdfcmnnt.dll
2008-11-28 17:18 . 1998-07-06 01:00 23,552 --a------ c:\windows\system32\MSMPIDE.DLL
2008-11-20 13:36 . 2008-12-03 12:38 244 --ah----- C:\sqmnoopt19.sqm
2008-11-20 13:36 . 2008-12-03 12:38 232 --ah----- C:\sqmdata19.sqm
2008-11-20 13:19 . 2008-12-03 12:36 244 --ah----- C:\sqmnoopt18.sqm
2008-11-20 13:19 . 2008-12-03 12:36 232 --ah----- C:\sqmdata18.sqm
2008-11-20 13:14 . 2008-12-03 09:37 244 --ah----- C:\sqmnoopt17.sqm
2008-11-20 13:14 . 2008-12-03 09:37 232 --ah----- C:\sqmdata17.sqm
2008-11-20 13:10 . 2008-12-03 00:54 244 --ah----- C:\sqmnoopt16.sqm
2008-11-20 13:10 . 2008-12-03 00:54 232 --ah----- C:\sqmdata16.sqm
2008-11-20 13:04 . 2008-12-02 22:20 244 --ah----- C:\sqmnoopt15.sqm
2008-11-20 13:04 . 2008-12-02 22:20 232 --ah----- C:\sqmdata15.sqm
2008-11-20 11:04 . 2008-12-02 21:37 244 --ah----- C:\sqmnoopt14.sqm
2008-11-20 11:04 . 2008-12-02 21:37 232 --ah----- C:\sqmdata14.sqm
2008-11-20 11:00 . 2008-12-02 19:31 244 --ah----- C:\sqmnoopt13.sqm
2008-11-20 11:00 . 2008-12-02 19:31 232 --ah----- C:\sqmdata13.sqm
2008-11-20 09:00 . 2008-12-02 19:29 244 --ah----- C:\sqmnoopt12.sqm
2008-11-20 09:00 . 2008-12-02 19:29 232 --ah----- C:\sqmdata12.sqm
2008-11-19 20:04 . 2008-12-02 15:38 244 --ah----- C:\sqmnoopt11.sqm
2008-11-19 20:04 . 2008-12-02 15:38 232 --ah----- C:\sqmdata11.sqm
2008-11-19 18:09 . 2008-12-02 15:36 244 --ah----- C:\sqmnoopt10.sqm
2008-11-19 18:09 . 2008-12-02 15:36 232 --ah----- C:\sqmdata10.sqm
2008-11-19 18:06 . 2008-12-02 15:05 244 --ah----- C:\sqmnoopt09.sqm
2008-11-19 18:06 . 2008-12-02 15:05 232 --ah----- C:\sqmdata09.sqm
2008-11-19 17:41 . 2008-12-02 14:10 244 --ah----- C:\sqmnoopt08.sqm
2008-11-19 17:41 . 2008-12-02 14:10 232 --ah----- C:\sqmdata08.sqm
2008-11-19 17:14 . 2008-11-19 17:29 <DIR> d-------- c:\program files\Age of Empires III
2008-11-19 12:36 . 2008-12-03 21:51 244 --ah----- C:\sqmnoopt07.sqm
2008-11-19 12:36 . 2008-12-03 21:51 232 --ah----- C:\sqmdata07.sqm
2008-11-19 09:53 . 2008-11-19 09:53 <DIR> d-------- c:\program files\EA Games
2008-11-18 21:04 . 2008-12-03 20:27 244 --ah----- C:\sqmnoopt06.sqm
2008-11-18 21:04 . 2008-12-03 20:27 232 --ah----- C:\sqmdata06.sqm
2008-11-18 21:03 . 2008-12-03 19:10 244 --ah----- C:\sqmnoopt05.sqm
2008-11-18 21:03 . 2008-12-03 19:10 232 --ah----- C:\sqmdata05.sqm
2008-11-18 09:31 . 2008-11-18 09:31 <DIR> d-------- c:\program files\OpenAL
2008-11-18 09:31 . 2008-11-18 09:31 413,696 --a------ c:\windows\system32\wrap_oal.dll
2008-11-18 09:31 . 2008-11-18 09:31 110,592 --a------ c:\windows\system32\OpenAL32.dll
2008-11-18 09:08 . 2008-11-18 09:08 <DIR> d-------- c:\program files\Team JPN
2008-11-18 01:12 . 2008-12-03 17:39 244 --ah----- C:\sqmnoopt04.sqm
2008-11-18 01:12 . 2008-12-03 17:39 232 --ah----- C:\sqmdata04.sqm
2008-11-17 22:57 . 2008-12-03 17:39 244 --ah----- C:\sqmnoopt03.sqm
2008-11-17 22:57 . 2008-12-03 17:39 232 --ah----- C:\sqmdata03.sqm
2008-11-17 19:29 . 2008-11-17 19:29 <DIR> d-------- c:\documents and settings\WindowsXP\Application Data\Leadertech
2008-11-17 17:10 . 2008-12-03 17:38 244 --ah----- C:\sqmnoopt02.sqm
2008-11-17 17:10 . 2008-12-03 17:38 232 --ah----- C:\sqmdata02.sqm
2008-11-17 16:49 . 2008-12-03 16:58 244 --ah----- C:\sqmnoopt01.sqm
2008-11-17 16:49 . 2008-12-03 16:58 232 --ah----- C:\sqmdata01.sqm
2008-11-17 16:06 . 2008-12-03 14:15 244 --ah----- C:\sqmnoopt00.sqm
2008-11-17 16:06 . 2008-12-03 14:15 232 --ah----- C:\sqmdata00.sqm
2008-11-14 17:01 . 2008-11-14 17:01 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-13 15:30 . 2008-11-13 15:30 <DIR> d-------- c:\documents and settings\WindowsXP\Citrix
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-12-03 21:08 --------- d-----w c:\program files\FlashGet
2008-12-03 21:05 --------- d-----w c:\documents and settings\WindowsXP\Application Data\Skype
2008-12-03 15:00 --------- d-----w c:\documents and settings\WindowsXP\Application Data\skypePM
2008-12-03 10:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 09:52 --------- d-----w c:\program files\MSN Messenger
2008-12-02 00:01 --------- d-----w c:\documents and settings\WindowsXP\Application Data\uTorrent
2008-11-28 12:35 183,112 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-28 12:35 138,184 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-19 13:30 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-18 08:06 --------- d-----w c:\program files\Activision
2008-11-17 10:45 --------- d-----w c:\program files\Webroot
2008-11-17 10:43 --------- d-----w c:\documents and settings\WindowsXP\Application Data\Webroot
2008-11-17 10:43 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-11-17 10:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 13:27 --------- d-----w c:\documents and settings\WindowsXP\Application Data\Activision
2008-10-29 13:27 --------- d-----w c:\documents and settings\All Users\Application Data\Activision
2008-10-28 23:19 --------- d-----w c:\program files\MSBuild
2008-10-28 23:16 --------- d-----w c:\program files\Reference Assemblies
2008-10-23 09:21 --------- d-----w c:\documents and settings\WindowsXP\Application Data\ICAClient
2008-10-23 09:06 --------- d-----w c:\program files\Citrix
2008-10-22 14:22 22,328 ----a-w c:\documents and settings\WindowsXP\Application Data\PnkBstrK.sys
2008-10-22 14:21 2,250,024 ----a-w c:\windows\system32\pbsvc.exe
2008-10-22 14:18 --------- d-----w c:\program files\Ubisoft
2008-10-22 13:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-09 21:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-09 21:08 --------- d-----w c:\program files\AGEIA Technologies
2008-09-23 07:41 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2007-12-19 10:29 32,694 ----a-w c:\program files\setuplog.txt
2007-12-18 23:34 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-06-11 16:28 80 --sha-w c:\windows\system32\indata.dat
2008-05-07 09:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist0120080507 20080508\index.dat
.
Bestanden Geïnfecteerd - Gepatched
c:\norman\Npm\bin\ZLH.exe ... hex repaired
c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe ... hex repaired
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-12-12 21686568]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-12-03 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Norman ZANDA"="c:\norman\Npm\bin\ZLH.EXE" [2008-12-03 273520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-19 13500416]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi3"= mapledxp.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run-]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-]
"PinnacleDriverCheck"=c:\windows\system32\\PSDrvCh eck.exe
"nwiz"=nwiz.exe /install
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SB CDROM\\runtime_db\\dbeng9.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Ubisoft\\Gearbox Software\\Brothers in Arms - Hell's Highway\\Binaries\\biahh.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Activision\\Quantum of Solace(TM)\\JB_LiveEngine_s.exe"=
"c:\\Program Files\\Team JPN\\Race Driver GRID\\GRID.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 mapledxp;mapledxp;c:\windows\system32\drivers\mapl edxp.SYS [2008-01-17 24720]
R2 Ndiskio;Ndiskio;\??\c:\norman\Nse\bin\NDISKIO.SYS [2005-07-18 20448]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\DRIVERS\nvcw32 mf.sys [2005-07-18 19512]
R3 nvcoas;Norman Virus Control on-access component;"c:\norman\Nvc\bin\nvcoas.exe" [2008-01-14 183352]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\Nvc\BIN\NVCSCHED.EXE [2005-07-18 146488]
S3 a424ed5476be5102;a424ed5476be5102;\??\C:\a424ed547 6be5102.dat []
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []
S3 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2007-12-18 389448]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1225372046&rve r=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.co m%2Fmail%2FInboxLight.aspx%3FFolderID%3D00000000-0000-0000-0000-000000000001%26InboxSortAscending%3DFalse%26InboxS ortBy%3DDate%26n%3D9??
uInternet Connection Wizard,ShellNext = hxxp://www.google.nl/
IE: &Ontvang alles met FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Ontvang met FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\uploadtoepassing.ocx
O16 -: {63D6DD13-C913-466D-9444-9357561E4D94}
hxxp://www.mijnalbum.nl/v3/skinsrc/core/system/mauploader/uploadtoepassing.cab
c:\windows\Downloaded Program Files\uploadtoepassing.inf
.
************************************************** ************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 22:10:19
Windows 5.1.2600 Service Pack 3 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\a 424ed5476be5102]
"ImagePath"="\??\C:\a424ed5476be5102.dat"
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\norman\npm\bin\elogsvc.exe
c:\norman\npm\bin\Zanda.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\norman\npm\bin\Njeeves.exe
c:\windows\system32\wscntfy.exe
c:\norman\Nvc\BIN\Nip.exe
c:\norman\Nvc\BIN\CClaw.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
************************************************** ************************
.
Voltooingstijd: 2008-12-03 22:13:50 - machine werd herstart
ComboFix-quarantined-files.txt 2008-12-03 21:13:47
Pre-Run: 2.162.716.672 bytes beschikbaar
Post-Run: 1,894,682,624 bytes beschikbaar
WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT /USEPMTIMER
236

**Juisterr** · 3 December 2008, 23:27

Download MalwareBytes' Anti-Malware en sla het op je bureaublad op.
Dubbelklik op mbam-setup.exe om het programma te installeren.

Zorg dat er na de installatie een vinkje is geplaatst bij:

Update MalwareBytes' Anti-Malware
Start MalwareBytes' Anti-Malware

Klik daarna op "Voltooien".
Indien een update gevonden wordt, zal die gedownload en geïnstalleerd worden.

Zodra het programma gestart is, ga dan naar het tabblad "Instellingen".
Vink hier aan: "Sluit Internet Explorer tijdens verwijdering van malware".
Ga daarna naar het tabblad "Scanner", kies hier voor "Snelle Scan".
Druk vervolgens op "Scannen" om de scan te starten.
Het scannen kan een tijdje duren, dus wees geduldig.
Wanneer de scan voltooid is, klik op OK, daarna "Bekijk Resultaten" om de resultaten te zien.
Zorg ervoor dat daar alles aangevinkt is, daarna klik op: "Verwijder geselecteerde".
Na het verwijderen zal een log openen en zal er gevraagd worden om de computer opnieuw op te starten.

Het log wordt automatisch bewaard door MalwareBytes' Anti-Malware en kan je terugvinden door op de "Logs" tab te klikken in het programma.

Plaats dit logje samen met een nieuw logje van HijackThis.

**vierport** · 4 December 2008, 01:11

Malwarebytes' Anti-Malware 1.30
Database versie: 1455
Windows 5.1.2600 Service Pack 3
4-12-2008 0:09:47
mbam-log-2008-12-04 (00-09-47).txt
Scan type: Snelle Scan
Objecten gescand: 50820
Verstreken tijd: 3 minute(s), 8 second(s)
Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 2
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0
Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)
Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)
Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

**vierport** · 4 December 2008, 01:12

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:12:14, on 4-12-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\FlashGet\flashget.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\WindowsXP\Bureaublad\Hijackthis\HijackThi s.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=w...3DDate%26n%3D9??
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Ontvang alles met FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Ontvang met FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {63D6DD13-C913-466D-9444-9357561E4D94} (upload toepassing Control) - http://www.mijnalbum.nl/v3/skinsrc/c...toepassing.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210104856125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 7674 bytes

**Juisterr** · 4 December 2008, 10:17

en hoe gaat het nu ?

**vierport** · 4 December 2008, 14:44

Juisterr bedankt voor je hulp! Helaas is het probleem nog niet opgelost.
Er zijn wat instelling teruggezet: zoals bv beveiligscentrum meldingen en bij het opstarten het weergeven van de herstel of besturingsystemen.
Vanmorgen nergens last van. Op dit moment van schrijven weer last van chinese audio en net bij opstarten van deze site verscheen in een ander tabblad deze site:
hxxx://stock.hexun.com/?b28

ook als ik vanuit mijn favorieten een pagina open geeft ie bij verschillende sites een heel ander pictogram boven aan het tabblad. bv een gmail envelopje voor hotmail. Dat was trouwens gisteren nog niet (of is me niet opgevallen)

In taakbeheer geeft iexplore.exe een geheugenbereik van wel 186.000kb en draait ie mijn cpu tot 95%