  1. #1
    Sinkfun (Advanced member)
    Registered: 28 September 2006
    Location: on the coast
    Posts: 113
    Thanks given: 60
    Thanked: 94 times in 58 posts

    HijackThis: Malware Doctor

    As explained in this post (http://www.minatica.be/threads/70900-Malware-docter), I am sitting here with a laptop full of viruses, including 'Malware Doctor' and presumably Conficker as well.

    So I have made a HijackThis log, because MBAM, AVG and CCleaner found all sorts of things but could not remove them.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:42:26, on 8/09/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\lexbces.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\DOCUME~1\Janna\LOCALS~1\Temp\202fbh.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\DOCUME~1\Janna\LOCALS~1\Temp\694251.exe
    C:\Program Files\Philips\Philips 11Mbps Notebook Adapter\drivers\WINXP\PHNBMonitor.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    c:\lsass.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIOb1.dll
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
    O2 - BHO: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIOb1.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {5FE071A5-F4A0-4C87-8EBD-2243E3EE3767} - c:\windows\system32\bpledlu.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [10768] C:\DOCUME~1\Janna\LOCALS~1\Temp\694251.exe
    O4 - HKLM\..\Policies\Explorer\Run: [a5x3tq] C:\DOCUME~1\Janna\LOCALS~1\Temp\202fbh.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: CPWNA Monitor.lnk = C:\Program Files\Philips\Philips 11Mbps Notebook Adapter\drivers\WINXP\PHNBMonitor.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...g&n=2010060703
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Janna\Menu Start\Programma's\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.be/ips-opdata/layou...cts/jordan.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\lexbces.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 10841 bytes

    Hopefully you can help me,

    regards, Sinkfun
    Last edited by Rosty; 8 September 2010 at 19:44. Reason: code tags removed!!
    *Everything said above is my own opinion and therefore not based on facts; if I have made a mistake, please correct me*

  2. #2
    Sinkfun
    I would like to have this laptop fixed as soon as possible, since it is used for bookkeeping and invoicing. There is also a specific program on the laptop for which the installation CD / file has gone missing.

    So I hope a Spyware Slayer is available.

    regards, Sinkfun

  3. #3
    Rosty (Spyware Slayer)
    Registered: 19 May 2005
    Location: Zandvliet / Ledegem
    Posts: 4,212
    Thanks given: 1,207
    Thanked: 2,706 times in 1,759 posts
    Could you also post the MBAM log, please?

    Hey,

    bumping your own post is not very smart!! Done that way it slips from our attention, since it no longer sits at 0.


    Go to Start -> Control Panel -> Add or Remove Programs and remove the following there: Ask Toolbar, AskBar or Ask.
    Open HijackThis, click on "Do a scan only" and put a checkmark in front of the following lines:

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: IObitCom Toolbar - {31c7d459-9cc3-44f2-9dca-fc11795309b4} - C:\Program Files\IObitCom\tbIOb1.dll
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll
    O2 - BHO: (no name) - {5FE071A5-F4A0-4C87-8EBD-2243E3EE3767} - c:\windows\system32\bpledlu.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [10768] C:\DOCUME~1\Janna\LOCALS~1\Temp\694251.exe
    O4 - HKLM\..\Policies\Explorer\Run: [a5x3tq] C:\DOCUME~1\Janna\LOCALS~1\Temp\202fbh.exe

    Close all open windows except HijackThis and click on Fix Checked. Close HijackThis.

    Download ComboFix from one of these locations:
    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable all antivirus and antispyware programs, otherwise they may conflict with ComboFix. Here is a guide on how to disable them:
      Click here
      If you cannot manage to disable them, just continue with the next step.
    • Double-click ComboFix.exe and follow the prompts on screen.
    • ComboFix will check whether the Microsoft Windows Recovery Console is already installed.
      **Note: If the Microsoft Windows Recovery Console is already installed, you will not see the following screens and ComboFix will automatically go on to scan for malware.
    • Follow the prompts on screen to let ComboFix download and install the Microsoft Windows Recovery Console.


    You will see the following message once ComboFix has successfully installed the Microsoft Windows Recovery Console:


    Click Yes to continue scanning for malware.

    NOTE: When ComboFix starts, you may get an error message that the “contents of the ComboFix package has been compromised”.
    Do not continue with the instructions, but download ComboFix again. This message can appear when a file infector (Virut) is active on the computer.


    If you keep getting that message, report it.
    When ComboFix is finished, it will create a log file for you. Post the contents of this log file (found as C:\ComboFix.txt) in your next reply together with a new HijackThis log.
    Last edited by Rosty; 8 September 2010 at 19:53

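Rosty's reply picks the suspicious HijackThis lines out by hand: autostarts in a user's Temp folder, orphaned "(no file)" entries, a Policies\Explorer\Run key and the Ask toolbar, while post #1 also shows lsass.exe running from C:\ instead of System32. The script below, added here as an example and not code from the thread, from HijackThis or from Malwarebytes, applies those same heuristics to a log automatically. It assumes the HijackThis 2.0.4 line layout seen in post #1; the embedded sample log is constructed from a few lines of that post, and the "unwanted toolbar" pattern (only Ask) is a stand-in for a real block list.

```python
"""Heuristic triage of a HijackThis 2.x log (added example, not part of the thread)."""
import ntpath
import re
from dataclasses import dataclass, field

# Core XP binaries that legitimately run only from System32; the same name
# anywhere else (c:\lsass.exe in the log above) is a classic masquerade.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.IGNORECASE)
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(?:R\d|O\d+) - ")
# Stand-in block list (assumption): the thread only names the Ask Toolbar.
UNWANTED_RE = re.compile(r"\\ask\.com\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def check_process(path):
    """Return the reasons a 'Running processes' path deserves a closer look."""
    reasons = []
    if TEMP_RE.search(path):
        reasons.append("process running from a Temp directory")
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower().rstrip("\\")
    if name in SYSTEM_BINARIES and parent not in EXPECTED_DIRS:
        reasons.append(f"{name} running outside System32 (name masquerade)")
    return reasons


def check_entry(line):
    """Return the reasons an R*/O* entry deserves a closer look."""
    reasons = []
    if ORPHAN_RE.search(line):
        reasons.append("orphaned entry: referenced file no longer exists")
    if TEMP_RE.search(line):
        reasons.append("autostart or hook pointing into a Temp directory")
    if line.startswith("O4") and "\\Policies\\Explorer\\Run" in line:
        reasons.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
    if UNWANTED_RE.search(line):
        reasons.append("known unwanted toolbar (Ask)")
    return reasons


def triage(log_text):
    """Walk a HijackThis log and collect one Finding per suspicious line."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True          # paths follow until the first blank line
            continue
        if in_processes:
            if not line:
                in_processes = False
                continue
            reasons = check_process(line)
        elif ENTRY_RE.match(line):
            reasons = check_entry(line)
        else:
            continue
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample: a few lines taken from the log in post #1.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\DOCUME~1\Janna\LOCALS~1\Temp\202fbh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\lsass.exe

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {5FE071A5-F4A0-4C87-8EBD-2243E3EE3767} - c:\windows\system32\bpledlu.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [10768] C:\DOCUME~1\Janna\LOCALS~1\Temp\694251.exe
O4 - HKLM\..\Policies\Explorer\Run: [a5x3tq] C:\DOCUME~1\Janna\LOCALS~1\Temp\202fbh.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run it as a script to see the findings for the sample, or import triage() and feed it a complete log. The findings are prompts for a human, not verdicts: an orphaned "(no file)" entry is only a leftover, the toolbar is unwanted rather than malicious, and the masquerade check catches nothing more than a core binary in the wrong folder, which is exactly what c:\lsass.exe in post #1 is.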

  5. #4
    Sinkfun
    MBAM log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/09/2010 21:58:13
    mbam-log-2010-09-07 (21-58-13).txt

    Scan type: Full scan (A:\|C:\|E:\|)
    Objects scanned: 44280
    Time elapsed: 1 hour(s), 32 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 18
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    I have no idea which scan that was though (I did several in Safe Mode, and in normal mode too; there is only 1 log file)

  6. #5
    Sinkfun
    the ComboFix log:


    ComboFix 10-09-07.03 - Janna 08/09/2010 20:42:52.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.32.1043.18.1981.1314 [GMT 2:00]
    Started from: c:\documents and settings\Janna\Bureaublad\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Application Data\ohydy.exe
    c:\documents and settings\All Users\Application Data\hpe3.dll
    c:\documents and settings\Janna\Application Data\C5DB592B3420E168DAD82E36649C8A6F
    c:\documents and settings\Janna\Application Data\C5DB592B3420E168DAD82E36649C8A6F\enemies-names.txt
    c:\documents and settings\Janna\Application Data\C5DB592B3420E168DAD82E36649C8A6F\local.ini
    c:\documents and settings\Janna\Application Data\C5DB592B3420E168DAD82E36649C8A6F\lsrslt.ini
    c:\documents and settings\Janna\Application Data\C5DB592B3420E168DAD82E36649C8A6F\mediafix70700en02.exe
    c:\documents and settings\Janna\Application Data\Desktopicon
    c:\documents and settings\Janna\Application Data\Desktopicon\eBay.ico
    c:\documents and settings\Janna\Application Data\Desktopicon\uninst.exe
    c:\documents and settings\Janna\Application Data\ohydy.exe
    c:\documents and settings\Janna\Favorieten\Download programs.url
    c:\documents and settings\Janna\Favorieten\Translator.url
    c:\documents and settings\Janna\Favorieten\Videos.url
    c:\documents and settings\Janna\Local Settings\Application Data\Windows Server
    c:\documents and settings\Janna\Local Settings\Application Data\Windows Server\admin.txt
    c:\documents and settings\Janna\Local Settings\Application Data\Windows Server\server.dat
    c:\documents and settings\Janna\Menu Start\Programma's\Games.url
    c:\documents and settings\Janna\Menu Start\Programma's\Translator.url
    c:\documents and settings\Janna\Menu Start\Programma's\Videos.url
    C:\lsass.exe
    c:\windows\cfdrive32.exe
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf
    c:\windows\system32\msllhsjn.dll
    c:\windows\system32\vbzlib1.dll
    c:\windows\system32\bpledlu.dll . . . . could not be deleted

    c:\windows\system32\drivers\nubeirdx.sys . . . is infected!! . . . Failed to find a valid replacement.
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFFFWSII
    -------\Legacy_MSUPDATE
    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Service_afffwsii
    -------\Service_usnjsvc


    (((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 ))))))))))))))))))))))))))))))
    .

    2010-09-08 08:36 . 2010-09-08 08:36 -------- d-----w- c:\program files\Trend Micro
    2010-09-07 19:04 . 2010-09-08 17:52 -------- d--h--r- c:\documents and settings\Janna\Onlangs geopend
    2010-09-07 16:20 . 2010-09-07 16:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-09-07 16:18 . 2008-06-10 15:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
    2010-09-07 16:18 . 2006-06-01 17:33 -------- d--h--w- c:\documents and settings\Administrator\Netwerkprinteromgeving
    2010-09-07 16:18 . 2006-06-01 17:33 -------- d-----r- c:\documents and settings\Administrator\Menu Start
    2010-09-07 16:18 . 2006-06-01 15:51 -------- d-----r- c:\documents and settings\Administrator\Mijn documenten
    2010-09-07 16:18 . 2006-06-01 15:49 -------- d-----w- c:\documents and settings\Administrator\WINDOWS
    2010-09-07 16:18 . 2006-06-01 15:37 -------- d--h--w- c:\documents and settings\Administrator\Sjablonen
    2010-09-07 16:18 . 2010-09-07 16:18 -------- d-----w- c:\documents and settings\Administrator
    2010-09-07 15:52 . 2010-09-07 15:52 -------- d-----w- c:\documents and settings\Janna\Application Data\Malwarebytes
    2010-09-07 15:52 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-07 15:52 . 2010-09-07 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-07 15:52 . 2010-09-07 15:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-07 15:52 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-06 18:31 . 2010-09-06 18:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-06 17:20 . 2010-09-06 17:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-09-06 17:20 . 2010-09-06 17:32 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-09-06 17:19 . 2010-09-06 17:32 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-09-06 17:19 . 2010-09-06 17:32 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-09-06 17:19 . 2010-09-07 19:21 -------- d-----w- c:\documents and settings\Janna\Application Data\AVGTOOLBAR
    2010-09-06 17:19 . 2010-09-06 17:33 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-09-06 17:00 . 2010-09-06 17:00 -------- d-----w- c:\documents and settings\Janna\Local Settings\Application Data\Threat Expert
    2010-09-06 16:34 . 2010-09-06 16:34 817152 ----a-w- c:\windows\system32\dlo15.dll
    2010-09-06 16:29 . 2010-08-30 11:57 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-09-06 16:29 . 2010-08-30 11:57 739280 ----a-w- c:\windows\PCTBDRes.dll
    2010-09-06 16:29 . 2010-08-30 11:57 1865680 ----a-w- c:\windows\PCTBDCore.dll
    2010-09-06 16:29 . 2010-08-26 07:30 2074 ----a-w- c:\windows\UDB.zip
    2010-09-06 16:29 . 2010-08-23 07:36 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-09-06 16:29 . 2008-11-26 09:08 131 ----a-w- c:\windows\IDB.zip
    2010-09-06 16:24 . 2010-09-06 18:27 -------- d-----w- c:\program files\PC Tools Security
    2010-09-06 16:14 . 2010-09-06 18:27 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-09-06 16:02 . 2010-09-06 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-09-06 15:09 . 2010-09-06 15:09 -------- d-----w- c:\documents and settings\Janna\Local Settings\Application Data\vsmgtpwyj
    2010-09-06 15:08 . 2010-09-06 15:09 -------- d-----w- C:\system32

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-08 19:00 . 2009-11-16 09:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-09-08 08:36 . 2010-09-08 08:36 388096 ----a-r- c:\documents and settings\Janna\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-08 07:18 . 2008-08-02 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-09-07 16:19 . 2010-09-07 16:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Ericsson
    2010-09-06 18:34 . 2008-06-19 08:14 -------- d-----w- c:\documents and settings\Janna\Application Data\uTorrent
    2010-09-06 17:20 . 2010-09-06 17:33 10520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
    2010-09-06 17:20 . 2010-09-06 17:33 107912 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtdix.sys
    2010-09-06 17:19 . 2010-09-06 17:33 325640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
    2010-09-06 17:19 . 2010-09-06 17:33 27656 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
    2010-09-06 17:19 . 2010-09-06 17:33 485144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
    2010-09-06 16:34 . 2010-09-06 16:34 0 ----a-w- c:\windows\system32\dlo15.tmp
    2010-09-06 16:26 . 2010-09-06 16:25 714186 ----a-w- c:\windows\system32\drivers\Cat.DB
    2010-09-06 16:05 . 2010-09-06 16:02 80729096 ----a-w- c:\documents and settings\All Users\Application Data\PC Tools\DownloadManager\Spyware Doctor8.0\sdsetup_aff_dl.exe
    2010-08-12 08:01 . 2008-03-18 08:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-08-12 07:59 . 1980-01-01 00:00 91716 ----a-w- c:\windows\system32\perfc013.dat
    2010-08-12 07:59 . 1980-01-01 00:00 510666 ----a-w- c:\windows\system32\perfh013.dat
    2010-06-30 12:33 . 1980-01-01 00:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:27 . 2006-04-28 13:09 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 09:02 . 1980-01-01 00:00 1852032 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 1980-01-01 00:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 1980-01-01 00:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2006-06-01 15:38 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-14 07:43 . 1980-01-01 00:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2009-11-16 09:09 . 2009-11-16 09:07 16908057 ----a-w- c:\program files\AVCP.2.7.8_[RH].rar
    2006-11-29 16:05 . 2006-11-29 16:07 774144 -c--a-w- c:\program files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]
    2010-03-01 17:35 2349080 ----a-w- c:\program files\IObitCom\tbIOb1.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIOb1.dll" [2010-03-01 2349080]

    [HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Janna\Menu Start\Programma's\Opstarten\
    Microsoft Office Snelzoeken.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-2-3 111376]
    Office Opstarten.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-2-3 51984]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    CPWNA Monitor.lnk - c:\program files\Philips\Philips 11Mbps Notebook Adapter\drivers\WINXP\PHNBMonitor.exe [2003-9-8 819288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-09-06 17:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BearShare\\BearShare.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Intuwave\\Shared\\mRouterRuntime\\mRouterRuntime.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

    R0 nubeirdx;nubeirdx;c:\windows\system32\drivers\nubeirdx.sys [1/01/1980 2:00 23424]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/09/2010 19:19 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/09/2010 19:20 108552]
    R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [17/11/2009 19:03 7936]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/09/2010 19:19 297752]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [6/09/2010 18:29 235472]
    R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [28/01/2010 18:17 90112]
    R3 CPWNA1D;Philips 11Mbps Notebook Adapter Driver;c:\windows\system32\drivers\CPWNA1D.sys [7/10/2003 18:34 51328]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/01/2010 18:18 27632]
    R3 w3304an5;WN3X0X Wireless Adapter;c:\program files\Philips\Philips 11Mbps Notebook Adapter\drivers\WINXP\W3304AN5.sys [7/10/2002 4:14 15104]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/06/2009 17:24 16512]
    S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [17/11/2009 19:03 23680]
    S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [11/07/2009 8:00 90536]
    S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [11/07/2009 8:00 15016]
    S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [11/07/2009 8:00 122152]
    S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [11/07/2009 8:00 115496]
    S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [11/07/2009 8:00 25768]
    S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [11/07/2009 8:00 111912]
    S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [11/07/2009 8:00 117672]
    .
    Inhoud van de 'Gedeelde Taken' map

    2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-04-04 c:\windows\Tasks\OGADaily.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

    2010-09-08 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]
    .
    .
    ------- Bijkomende Scan -------
    .
    uStart Page = hxxp://www.google.be/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Janna\Menu Start\Programma's\IMVU\Run IMVU.lnk
    Trusted Zone: fortisbanking.be\www
    DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.be/ips-opdata/layout/hema/objects/jordan.cab
    FF - ProfilePath - c:\documents and settings\Janna\Application Data\Mozilla\Firefox\Profiles\oe6aexm8.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/
    FF - component: c:\program files\PC Tools Security\BDT\Firefox\platform\WINNT_x86-msvc\components\libheuristic.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS VERWIJDERD - - - -

    BHO-{5FE071A5-F4A0-4C87-8EBD-2243E3EE3767} - c:\windows\system32\bpledlu.dll
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    ShellIconOverlayIdentifiers-{5FE071A5-F4A0-4C87-8EBD-2243E3EE3767} - c:\windows\system32\bpledlu.dll
    AddRemove-eBay Icon - c:\documents and settings\Janna\Application Data\Desktopicon\uninst.exe
    AddRemove-eMindMaps - c:\progra~1\MindJET\EMINDM~1\UNWISE.EXE
    AddRemove-Native Instruments - Traktor 1.06 - c:\audio\NATIVE~1\Traktor\UNINST~1\106\UNWISE.EXE



    ************************************************** ************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-08 21:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    ************************************************** ************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8971CEC5]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
    \Driver\ACPI -> ACPI.sys @ 0xf75adcb8
    \Driver\atapi -> atapi.sys @ 0xf74a7852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7971b0a
    PacketIndicateHandler -> NDIS.sys @ 0xf795ea0d
    SendHandler -> NDIS.sys @ 0xf7972b40
    user & kernel MBR OK

    ************************************************** ************************
    .
    --------------------- DLLs Geladen Onder Lopende Processen ---------------------

    - - - - - - - > 'explorer.exe'(3856)
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Andere Aktieve Processen ------------------------
    .
    c:\windows\system32\lexbces.exe
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\system32\WgaTray.exe
    c:\windows\system32\wscntfy.exe
    .
    ************************************************** ************************
    .
    Voltooingstijd: 2010-09-08 21:17:14 - machine werd herstart
    ComboFix-quarantined-files.txt 2010-09-08 19:17

    Pre-Run: 58.614.575.104 bytes beschikbaar
    Post-Run: 58.547.027.968 bytes beschikbaar

    WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 7B7325FB48548EEA0788528C5FFCA5A0


    Regards, Sinkfun
    *Everything said above is my own opinion and therefore not based on facts. If I have made any mistakes, please correct me*
    Sinkfun

  7. #6 Rosty (Spyware Slayer)
    Open a Notepad file.
    Copy the bold text below and paste it into the Notepad file.
    Save the Notepad file as CFScript.txt

    File::
    c:\windows\system32\bpledlu.dll
    c:\windows\system32\dlo15.dll
    c:\documents and settings\Janna\Local Settings\Application Data\vsmgtpwyj

    Driver::
    nubeirdx.sys

    c:\windows\system32\drivers\nubeirdx.sys

    Now drag the file CFScript.txt onto the file ComboFix.exe

    ComboFix will start again.
    When ComboFix is finished, which may be after a reboot, a log file opens. Post the contents of the log file.


  9. #7 Sinkfun (Advanced)
    New ComboFix log:

    ComboFix 10-09-08.02 - Janna 09/09/2010 13:11:13.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.32.1043.18.1981.1528 [GMT 2:00]
    Gestart vanuit: c:\documents and settings\Janna\Bureaublad\ComboFix.exe
    gebruikte Opdracht switches :: c:\documents and settings\Janna\Bureaublad\CFScript.txt.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\documents and settings\Janna\Local Settings\Application Data\vsmgtpwyj"
    "c:\windows\system32\bpledlu.dll"
    "c:\windows\system32\dlo15.dll"
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\dlo15.dll
    c:\windows\system32\bpledlu.dll . . . . konden niet verwijderd worden

    c:\windows\system32\drivers\nubeirdx.sys . . . is geïnfecteerd!! . . . Failed to find a valid replacement.
    .
    (((((((((((((((((((( Bestanden Gemaakt van 2010-08-09 to 2010-09-09 ))))))))))))))))))))))))))))))
    .

    2010-09-08 08:36 . 2010-09-08 08:36 -------- d-----w- c:\program files\Trend Micro
    2010-09-07 19:04 . 2010-09-09 10:50 -------- d--h--r- c:\documents and settings\Janna\Onlangs geopend
    2010-09-07 16:20 . 2010-09-07 16:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-09-07 16:19 . 2010-09-07 16:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Ericsson
    2010-09-07 15:52 . 2010-09-07 15:52 -------- d-----w- c:\documents and settings\Janna\Application Data\Malwarebytes
    2010-09-07 15:52 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-07 15:52 . 2010-09-07 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-07 15:52 . 2010-09-07 15:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-07 15:52 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-06 18:31 . 2010-09-06 18:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-06 17:20 . 2010-09-06 17:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-09-06 17:20 . 2010-09-06 17:32 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-09-06 17:19 . 2010-09-06 17:32 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-09-06 17:19 . 2010-09-06 17:32 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-09-06 17:19 . 2010-09-07 19:21 -------- d-----w- c:\documents and settings\Janna\Application Data\AVGTOOLBAR
    2010-09-06 17:19 . 2010-09-06 17:33 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-09-06 17:00 . 2010-09-06 17:00 -------- d-----w- c:\documents and settings\Janna\Local Settings\Application Data\Threat Expert
    2010-09-06 16:29 . 2010-08-30 11:57 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-09-06 16:29 . 2010-08-30 11:57 739280 ----a-w- c:\windows\PCTBDRes.dll
    2010-09-06 16:29 . 2010-08-30 11:57 1865680 ----a-w- c:\windows\PCTBDCore.dll
    2010-09-06 16:29 . 2010-08-26 07:30 2074 ----a-w- c:\windows\UDB.zip
    2010-09-06 16:29 . 2010-08-23 07:36 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-09-06 16:29 . 2008-11-26 09:08 131 ----a-w- c:\windows\IDB.zip
    2010-09-06 16:24 . 2010-09-06 18:27 -------- d-----w- c:\program files\PC Tools Security
    2010-09-06 16:14 . 2010-09-06 18:27 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-09-06 16:02 . 2010-09-06 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-09-06 15:09 . 2010-09-06 15:09 -------- d-----w- c:\documents and settings\Janna\Local Settings\Application Data\vsmgtpwyj
    2010-09-06 15:08 . 2010-09-06 15:09 -------- d-----w- C:\system32

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))) ))
    .
    2010-09-09 11:26 . 2009-11-16 09:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-09-08 08:36 . 2010-09-08 08:36 388096 ----a-r- c:\documents and settings\Janna\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-08 07:18 . 2008-08-02 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-09-06 18:34 . 2008-06-19 08:14 -------- d-----w- c:\documents and settings\Janna\Application Data\uTorrent
    2010-09-06 17:20 . 2010-09-06 17:33 10520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
    2010-09-06 17:20 . 2010-09-06 17:33 107912 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtdix.sys
    2010-09-06 17:19 . 2010-09-06 17:33 325640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
    2010-09-06 17:19 . 2010-09-06 17:33 27656 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
    2010-09-06 17:19 . 2010-09-06 17:33 485144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
    2010-09-06 16:34 . 2010-09-06 16:34 0 ----a-w- c:\windows\system32\dlo15.tmp
    2010-09-06 16:26 . 2010-09-06 16:25 714186 ----a-w- c:\windows\system32\drivers\Cat.DB
    2010-09-06 16:05 . 2010-09-06 16:02 80729096 ----a-w- c:\documents and settings\All Users\Application Data\PC Tools\DownloadManager\Spyware Doctor8.0\sdsetup_aff_dl.exe
    2010-08-12 08:01 . 2008-03-18 08:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-08-12 07:59 . 1980-01-01 00:00 91716 ----a-w- c:\windows\system32\perfc013.dat
    2010-08-12 07:59 . 1980-01-01 00:00 510666 ----a-w- c:\windows\system32\perfh013.dat
    2010-06-30 12:33 . 1980-01-01 00:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:27 . 2006-04-28 13:09 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 09:02 . 1980-01-01 00:00 1852032 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 1980-01-01 00:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 1980-01-01 00:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2006-06-01 15:38 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-14 07:43 . 1980-01-01 00:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2009-11-16 09:09 . 2009-11-16 09:07 16908057 ----a-w- c:\program files\AVCP.2.7.8_[RH].rar
    2006-11-29 16:05 . 2006-11-29 16:07 774144 -c--a-w- c:\program files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))) )
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]
    2010-03-01 17:35 2349080 ----a-w- c:\program files\IObitCom\tbIOb1.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5FE071A5-F4A0-4C87-8EBD-2243E3EE3767}]
    c:\windows\system32\bpledlu.dll [BU]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIOb1.dll" [2010-03-01 2349080]

    [HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Janna\Menu Start\Programma's\Opstarten\
    Microsoft Office Snelzoeken.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-2-3 111376]
    Office Opstarten.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-2-3 51984]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    CPWNA Monitor.lnk - c:\program files\Philips\Philips 11Mbps Notebook Adapter\drivers\WINXP\PHNBMonitor.exe [2003-9-8 819288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-09-06 17:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BearShare\\BearShare.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Intuwave\\Shared\\mRouterRuntime\\mRouterRuntime.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

    R0 nubeirdx;nubeirdx;c:\windows\system32\drivers\nubeirdx.sys [1/01/1980 2:00 23424]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/09/2010 19:19 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/09/2010 19:20 108552]
    R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [17/11/2009 19:03 7936]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/09/2010 19:19 297752]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [6/09/2010 18:29 235472]
    R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [28/01/2010 18:17 90112]
    R3 CPWNA1D;Philips 11Mbps Notebook Adapter Driver;c:\windows\system32\drivers\CPWNA1D.sys [7/10/2003 18:34 51328]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/01/2010 18:18 27632]
    R3 w3304an5;WN3X0X Wireless Adapter;c:\program files\Philips\Philips 11Mbps Notebook Adapter\drivers\WINXP\W3304AN5.sys [7/10/2002 4:14 15104]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/06/2009 17:24 16512]
    S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [17/11/2009 19:03 23680]
    S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [11/07/2009 8:00 90536]
    S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [11/07/2009 8:00 15016]
    S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [11/07/2009 8:00 122152]
    S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [11/07/2009 8:00 115496]
    S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [11/07/2009 8:00 25768]
    S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [11/07/2009 8:00 111912]
    S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [11/07/2009 8:00 117672]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    afffwsii
    .
    Inhoud van de 'Gedeelde Taken' map

    2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-04-04 c:\windows\Tasks\OGADaily.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

    2010-09-09 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]
    .
    .
    ------- Bijkomende Scan -------
    .
    uStart Page = hxxp://www.google.be/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Janna\Menu Start\Programma's\IMVU\Run IMVU.lnk
    Trusted Zone: fortisbanking.be\www
    DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.be/ips-opdata/layout/hema/objects/jordan.cab
    FF - ProfilePath - c:\documents and settings\Janna\Application Data\Mozilla\Firefox\Profiles\oe6aexm8.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - component: c:\program files\PC Tools Security\BDT\Firefox\platform\WINNT_x86-msvc\components\libheuristic.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    ************************************************** ************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-09 13:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    ************************************************** ************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A0DDEC5]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
    \Driver\ACPI -> ACPI.sys @ 0xf75adcb8
    \Driver\atapi -> atapi.sys @ 0xf74a7852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7971b0a
    PacketIndicateHandler -> NDIS.sys @ 0xf795ea0d
    SendHandler -> NDIS.sys @ 0xf7972b40
    user & kernel MBR OK

    ************************************************** ************************
    .
    --------------------- DLLs Geladen Onder Lopende Processen ---------------------

    - - - - - - - > 'explorer.exe'(2692)
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Andere Aktieve Processen ------------------------
    .
    c:\windows\system32\lexbces.exe
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\system32\WgaTray.exe
    c:\windows\system32\wscntfy.exe
    .
    ************************************************** ************************
    .
    Voltooingstijd: 2010-09-09 13:44:47 - machine werd herstart
    ComboFix-quarantined-files.txt 2010-09-09 11:44
    ComboFix2.txt 2010-09-08 19:17

    Pre-Run: 58.532.753.408 bytes beschikbaar
    Post-Run: 58.521.989.120 bytes beschikbaar

    - - End Of File - - F41B62B67E06F3E2624C4CDED0FB057B


    Thanks again for all the help!!!
    Regards, Sinkfun
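The two ComboFix logs in this thread show the same handful of indicators a helper reads first: the Windows Firewall standard profile switched off, a boot-start (R0) driver nubeirdx.sys carrying a 1/01/1980 timestamp (the driver the CFScript above targets), a non-default NetSvcs entry (afffwsii, in the second log only) and the Gmer MBR detector's >>UNKNOWN<< module in the disk call chain. The Python script below is an added example, not code from the thread, from ComboFix or from Gmer: it triages a pasted ComboFix log for exactly those indicators. The sample log is constructed from lines of the logs above with the forum's line-wrap spaces removed; the regular expressions and the finding labels are my own assumptions about the log layout, not a documented ComboFix grammar.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the ComboFix logs posted in this thread,
# with the forum's line-wrap spaces removed (e.g. "nube irdx.sys" -> "nubeirdx.sys").
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 nubeirdx;nubeirdx;c:\windows\system32\drivers\nubeirdx.sys [1/01/1980 2:00 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/09/2010 19:19 335240]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [28/01/2010 18:17 90112]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [17/11/2009 19:03 23680]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
afffwsii
.
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A0DDEC5]<<
user & kernel MBR OK
"""

# Assumed layout of a service/driver line: "R0 name;display name;path [d/mm/yyyy h:mm size]"
SERVICE_RE = re.compile(
    r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{1,2})/(\d{2})/(\d{4})\s+\d{1,2}:\d{2}\s+(\d+)\]$'
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
UNKNOWN_MODULE_RE = re.compile(r'>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<')
NETSVCS_HEADER = 'Svchost - NetSvcs'

Finding = Tuple[str, str]  # (indicator label, detail)


def triage_combofix(log_text: str) -> List[Finding]:
    """Return the indicators a defender would review first in a ComboFix log.

    This is a heuristic triage over the plain-text log, not a verdict."""
    findings: List[Finding] = []
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_netsvcs = False
            continue
        # ComboFix prints the NetSvcs list only for entries that are not Windows
        # defaults, so every name under this header merits a closer look.
        if line.endswith(NETSVCS_HEADER):
            in_netsvcs = True
            continue
        if in_netsvcs:
            if line == '.':
                in_netsvcs = False
            else:
                findings.append(('netsvcs-entry', line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, _day, _month, year, _size = m.groups()
            if year == '1980':
                # 1/01/1980 is the FAT epoch, i.e. the file carries no real build
                # timestamp. Patched Windows files can show it too, so it is only a
                # prompt; it weighs more on a boot-start driver with no real name.
                tag = ' (no descriptive display name)' if display == name else ''
                findings.append(('epoch-timestamp-driver', f'{start} {name} {path}{tag}'))
            continue
        if FIREWALL_RE.match(line):
            findings.append(('firewall-disabled', line))
            continue
        m = UNKNOWN_MODULE_RE.search(line)
        if m:
            # Gmer's MBR detector could not attribute a module in the disk call
            # chain to a known driver and printed its address instead.
            findings.append(('unknown-disk-stack-module', m.group(1)))
    return findings


if __name__ == '__main__':
    for indicator, detail in triage_combofix(SAMPLE_LOG):
        print(f'{indicator:28} {detail}')
```

Run it on a saved log with `triage_combofix(open('ComboFix.txt').read())`. Pasted forum logs often carry a forum-inserted space inside long tokens (the thread's own "nube irdx.sys"); strip those before parsing, since the service line still matches but the reported path would then be wrong. The 1980 check is deliberately a prompt rather than a verdict: the Find3M section of the same log shows the FAT epoch on patched Windows files as well, and what makes the hit matter here is that it lands on a boot-start driver whose service and display name are the same meaningless string.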

  10. #8 Sinkfun (Advanced)
    *In the meantime I will scan everything again with Mbam and also post that log here.
    Last edited by Sinkfun; 9 September 2010 at 14:40 Reason: I find it annoying that you can only edit your post for a limited time :S

  11. #9 Sinkfun (Advanced)
    Mbam log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Databaseversie: 4580

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/09/2010 17:11:55
    mbam-log-2010-09-09 (17-11-55).txt

    Scantype: Volledige scan (A:\|C:\|D:\|)
    Objecten gescand: 213297
    Verstreken tijd: 2 uur/uren, 44 minuut/minuten, 3 seconde

    Geheugenprocessen geïnfecteerd: 0
    Geheugenmodulen geïnfecteerd: 0
    Registersleutels geïnfecteerd: 3
    Registerwaarden geïnfecteerd: 0
    Registerdata geïnfecteerd: 0
    Mappen geïnfecteerd: 0
    Bestanden geïnfecteerd: 14

    Geheugenprocessen geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Geheugenmodulen geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Registersleutels geïnfecteerd:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nubeirdx (Rootkit.Agent.BO) -> Delete on reboot.

    Registerwaarden geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Registerdata geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Mappen geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Bestanden geïnfecteerd:
    C:\Documents and Settings\Janna\Local Settings\Application Data\vsmgtpwyj\yqnjooiuqiw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\ohydy.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\Janna\Application Data\ohydy.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\Janna\Application Data\C5DB592B3420E168DAD82E36649C8A6F\mediafix70700en02.exe.vir (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\cfdrive32.exe.vir (Trojan.VirTool) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\msllhsjn.dll.vir (Trojan.Onlinegames) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{99875BAE-4EB5-4ED0-990B-49FD474664BA}\RP3\A0001086.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{99875BAE-4EB5-4ED0-990B-49FD474664BA}\RP3\A0001090.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{99875BAE-4EB5-4ED0-990B-49FD474664BA}\RP3\A0001093.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{99875BAE-4EB5-4ED0-990B-49FD474664BA}\RP3\A0001095.exe (Trojan.VirTool) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{99875BAE-4EB5-4ED0-990B-49FD474664BA}\RP3\A0001096.dll (Trojan.Onlinegames) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{99875BAE-4EB5-4ED0-990B-49FD474664BA}\RP3\A0001158.sys (Rootkit.Agent.BO) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{99875BAE-4EB5-4ED0-990B-49FD474664BA}\RP3\A0001389.sys (Rootkit.Agent.BO) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\nubeirdx.sys (Rootkit.Agent.BO) -> Delete on reboot.
    *Everything said above is my own opinion and therefore not based on facts; if I have made a mistake, please correct me*
    Sinkfun
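
Reading a Malwarebytes log like the one above, the questions a helper asks are: which findings are actually gone, which are only scheduled for removal at the next reboot (a locked file or registry key, typical for a rootkit service that is still running, such as the nubeirdx service key and nubeirdx.sys here), which are copies inside System Restore points, and which were already inert ComboFix quarantine files under C:\Qoobox. The script below is an added example that does that triage; it is not code from the poster or from Malwarebytes, and the log lines it parses are constructed in the MBAM 1.x format seen in the thread.

```python
"""Triage a Malwarebytes (MBAM) removal log: what is gone, what still needs a
reboot, what sits in System Restore, and which service key pairs with which
driver. Added example; not part of the original post and not MBAM code."""
import re

# Constructed sample in MBAM 1.x log format: "<item> (<detection>) -> <action>."
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\nubeirdx (Rootkit.Agent.BO) -> Delete on reboot.

Files Infected:
C:\\Documents and Settings\\Janna\\Local Settings\\Application Data\\vsmgtpwyj\\yqnjooiuqiw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\cfdrive32.exe.vir (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{99875BAE-4EB5-4ED0-990B-49FD474664BA}\\RP3\\A0001158.sys (Rootkit.Agent.BO) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\nubeirdx.sys (Rootkit.Agent.BO) -> Delete on reboot.
"""

FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\", re.I)
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\(?P<name>[^\\]+)$", re.I)
DRIVER_RE = re.compile(r"\\drivers\\(?P<name>[^\\]+)\.sys$", re.I)
COMBOFIX_Q = "c:\\qoobox\\quarantine\\"  # ComboFix quarantine folder, files renamed *.vir


def parse_mbam_log(text):
    """Return one dict (item, detection, action) per finding line; headers and blanks are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def triage(findings):
    """Bucket findings and correlate a Services\\<name> key with a drivers\\<name>.sys file."""
    report = {
        "pending_reboot": [],        # locked at scan time; removed only after restart
        "restore_point_copies": [],  # System Restore still holds infected copies
        "already_quarantined": [],   # ComboFix .vir files, already inert
        "cleaned": [],
        "service_driver_pairs": [],
    }
    services, drivers = {}, {}
    for f in findings:
        item, action = f["item"], f["action"].lower()
        if action.startswith("delete on reboot"):
            report["pending_reboot"].append(item)
        elif RESTORE_RE.search(item):
            report["restore_point_copies"].append(item)
        elif item.lower().startswith(COMBOFIX_Q):
            report["already_quarantined"].append(item)
        else:
            report["cleaned"].append(item)
        s = SERVICE_RE.search(item)
        if s:
            services[s.group("name").lower()] = f["detection"]
        d = DRIVER_RE.search(item)
        if d:
            drivers[d.group("name").lower()] = f["detection"]
    for name in sorted(services.keys() & drivers.keys()):
        report["service_driver_pairs"].append((name, services[name], drivers[name]))
    return report


def follow_ups(report):
    """Next steps a helper would ask for, derived from the buckets."""
    steps = []
    if report["pending_reboot"]:
        steps.append("reboot, then confirm the 'Delete on reboot' items are really gone")
    if report["service_driver_pairs"]:
        steps.append("a kernel driver + service pair was removed: check the MBR and boot chain too")
    if report["restore_point_copies"]:
        steps.append("purge System Restore points once the system is clean")
    return steps


if __name__ == "__main__":
    rep = triage(parse_mbam_log(SAMPLE_LOG))
    for bucket, items in rep.items():
        print(f"{bucket}: {len(items)}")
    for step in follow_ups(rep):
        print("-", step)
```

On the sample, the two "Delete on reboot" entries are the service key and the driver of the same name, which is why the pair check fires and the follow-up asks for an MBR check as well; the restore-point copy is harmless until someone restores that point, so purging System Restore after cleanup is the usual advice.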

  12. #10
    Spyware Slayer   Rosty
    Registered
    19 May 2005
    Location
    Zandvliet/ Ledegem
    Posts
    4,212
    Thanks given
    1,207
    Thanked
    2,706 times in 1,759 posts
    Download MBRCheck: http://ad13.geekstogo.com/MBRCheck.exe
    Start the tool by double-clicking MBRCheck.exe
    When the tool is done you get a menu. Type N to quit and then press Enter once more.
    On your desktop there is a log whose name begins with MBRCheck followed by the date and time.
    Post that log.

  13. The following user thanked Rosty for this useful post:

    Sinkfun (14 September 2010)
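
An MBR checker is asked for at this point because a Rootkit.Agent driver was found, and the next place such a rootkit hides is the first sector of the disk. The script below is an added example of what such a check looks at; it is not MBRCheck's code and not from the original thread. It reads the 512-byte sector, verifies the 0x55AA boot signature, parses the four partition entries and flags nonsense in them (two entries marked bootable, overlapping or out-of-range extents), and compares a SHA-256 of the 440-byte bootstrap code area against an allow-list of known-good hashes. The allow-list and the MBR bytes are constructed here; on a real machine the allow-list is recorded from a known-clean install of the same Windows version.

```python
"""Inspect a 512-byte Master Boot Record: boot signature, partition table
sanity, and a hash of the bootstrap code against an allow-list.
Added example; not MBRCheck's own code. All disk images are constructed."""
import hashlib
import struct

BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
KNOWN_GOOD = set()       # assumed allow-list of SHA-256 hashes of trusted bootstrap code


def build_mbr(boot_code, partitions):
    """Constructed MBR: 440 bytes code, 4-byte disk signature, 2 reserved bytes,
    4 x 16-byte partition entries, 0x55AA. CHS fields are zeroed; LBA fields are used."""
    code = boot_code.ljust(440, b"\x00")[:440]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + b"\x12\x34\x56\x78" + b"\x00\x00" + table + BOOT_SIG


def parse_mbr(mbr):
    """Split one sector into code hash, disk signature, boot signature flag and partitions."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:  # type 0x00 is an empty slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "disk_signature": mbr[440:444].hex(),
        "signature_ok": mbr[510:512] == BOOT_SIG,
        "partitions": parts,
    }


def check_mbr(mbr, known_good=KNOWN_GOOD, disk_sectors=None):
    """Return (parsed info, list of issues). An empty list means nothing suspicious."""
    info = parse_mbr(mbr)
    issues = []
    if not info["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        issues.append("more than one partition flagged bootable")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    if any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:])):
        issues.append("overlapping partition entries")
    if disk_sectors is not None and any(e > disk_sectors for _, e in spans):
        issues.append("partition extends past end of disk")
    if info["code_sha256"] not in known_good:
        issues.append("bootstrap code hash not in known-good list")
    return info, issues


# Constructed disks: a "clean" one whose code hash is enrolled, and one with patched code.
CLEAN_CODE = b"\xEB\x3C\x90" + b"constructed bootstrap stub"  # jmp short + nop, then filler
LAYOUT = [(0x80, 0x07, 63, 20_000_000), (0x00, 0x07, 20_000_063, 5_000_000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, LAYOUT)
KNOWN_GOOD.add(hashlib.sha256(CLEAN_MBR[:440]).hexdigest())
TAMPERED_MBR = build_mbr(b"\xEB\x3C\x90" + b"patched bootstrap stub", LAYOUT)

if __name__ == "__main__":
    for name, disk in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info, issues = check_mbr(disk, disk_sectors=25_000_063)
        print(name, info["code_sha256"][:16], issues or "OK")
```

To run it against a real disk on Windows, read the first sector with `open(r"\\.\PhysicalDrive0", "rb").read(512)` from an elevated prompt and pass that to `check_mbr`. Two caveats a helper keeps in mind: a code hash that is not on the list is a lead, not proof, since OEM loaders and boot managers legitimately differ, which is why the allow-list must come from a trusted system of the same type; and a rootkit driver that is still loaded can filter disk reads, so a check run from inside the infected system may be shown a clean sector. That is one reason to reboot (or boot from clean media) before trusting the result, and why the reboot-pending driver above matters.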
