  #1 Kokki (Geek, registered 11 May 2005, 2,434 posts)

    HijackThis log: can't get the virus removed

    Hey spyware fighters,

    Here's a PC that, according to AVG 8, has a Trojan Horse Downloader.Delf.12.AN on it. Every time I start Explorer this warning pops up. The beastie sits in system32/dciman3.dll. AVG can't get rid of it, and I can't get rid of it manually either (not in Safe Mode either).
    Would you take a look at my log? Hopefully you'll find something. Thanks in advance for the effort.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:01:05, on 17/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: SurfairyBHO Class - {BB9AAAF3-4F8D-48B5-A565-FF3E58433DC2} - C:\Program Files\Surfairy\SurfairyHlp.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {F038EDCF-F9F2-4830-82C0-C83F4762AF04} - C:\WINDOWS\System32\dciman3.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [WINPROC AUDIT] C:\OEMCUST\TOOLS\WIN32\WINPROC.EXE C:\CABS\SCRIPTS\PROCESS\AUDIT.SCR C:\DRIVERS\PROCESS.TXT /TRACE
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Suggestions - {2223664C-1942-4276-9A2D-E8D8F547C5D2} - res://EffiPeled (file missing)
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1213522710498
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    --
    End of file - 6387 bytes

  #2 Roelof (Spyware Slayer, registered 19 May 2008, Twente (Netherlands), 641 posts)

    Hi Kokki,

    I'm going to take a look at your log.

    I'm still in training, so I'll have to have my fix checked first. It may therefore take a little longer.

    Roelof


  #3 Roelof (Spyware Slayer, registered 19 May 2008, Twente (Netherlands), 641 posts)

    Hi Kokki,

    You also have some other things on the computer that aren't right; we'll deal with those straight away.

    1) Go to Start > Settings > Control Panel > Add or Remove Programs and uninstall the following program:
    Surfairy

    2) Start HijackThis.
    - Now choose "Do a system scan only".


    - Now put a tick in front of the following items:
      • R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      • O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
      • O2 - BHO: SurfairyBHO Class - {BB9AAAF3-4F8D-48B5-A565-FF3E58433DC2} - C:\Program Files\Surfairy\SurfairyHlp.dll
      • O2 - BHO: (no name) - {F038EDCF-F9F2-4830-82C0-C83F4762AF04} - C:\WINDOWS\System32\dciman3.dll
      • O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
      • O9 - Extra button: Suggestions - {2223664C-1942-4276-9A2D-E8D8F547C5D2} - res://EffiPeled (file missing)
    - Now close all windows except the HijackThis one and choose "Fix checked".

    3) Now restart your computer.

    4) Follow these instructions to download ComboFix:
    Carry out the instructions on the BleepingComputer page, including installing the XP Recovery Console.

    If you have used ComboFix before, please delete that version and download ComboFix again via the link above, because ComboFix is updated daily.

    NOTE: if, during or after downloading ComboFix or while running ComboFix, you get a warning from your antivirus or another real-time scanner,
    disable that scanner and download ComboFix again.
    Some scanners see certain components that ComboFix uses as suspicious and will block or delete them!

    Double-click Combofix.exe.
    Follow the instructions and accept the disclaimer.
    While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix has finished and after the restart, the log Combofix.txt will open.

    5) Could you post a new HijackThis log and the ComboFix log in your next reply?

    Regards,

    Roelof


  #4 Kokki (Geek, registered 11 May 2005, 2,434 posts)

    Hey Roelof,

    Here are my logs. I have to say I forgot to turn AVG off while ComboFix was running. So while ComboFix was running I got warnings from AVG again that it had found that virus. So there's still work to do.

    Thanks in advance.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:39:16, on 19/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {F038EDCF-F9F2-4830-82C0-C83F4762AF04} - C:\WINDOWS\System32\dciman3.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [WINPROC AUDIT] C:\OEMCUST\TOOLS\WIN32\WINPROC.EXE C:\CABS\SCRIPTS\PROCESS\AUDIT.SCR C:\DRIVERS\PROCESS.TXT /TRACE
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1213522710498
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    --
    End of file - 5934 bytes

    ComboFix 08-06-16.5 - bl 2008-06-19 18:25:40.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.53 [GMT 2:00]
    Running from: D:\ComboFix.exe
    * Created a new restore point
    .
    (((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 ))))))))))))))))))))))))))))))
    .
    2008-06-15 16:24 . 2008-06-15 16:24 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\bl\Application Data\Malwarebytes
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-15 16:10 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-15 16:10 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-15 15:53 . 2007-07-04 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
    2008-06-15 15:53 . 2007-07-04 21:17 <DIR> dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
    2008-06-15 15:53 . 2007-07-04 21:36 <DIR> dr------- C:\Documents and Settings\Administrator\Mijn documenten
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
    2008-06-15 15:53 . 2007-07-04 21:32 <DIR> dr------- C:\Documents and Settings\Administrator\Favorieten
    2008-06-15 15:53 . 2007-07-04 21:32 <DIR> dr------- C:\Documents and Settings\Administrator\Bureaublad
    2008-06-15 15:53 . 2007-07-04 21:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2008-06-15 15:53 . 2008-06-15 15:53 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-06-15 13:47 . 2008-06-15 16:23 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-06-15 13:45 . 2008-06-15 13:45 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
    2008-06-15 13:45 . 2008-06-15 13:45 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-15 13:38 . 2008-06-15 13:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-06-15 13:38 . 2008-06-15 13:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-06-15 13:38 . 2008-06-15 13:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-06-15 13:37 . 2008-06-15 13:44 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-06-15 13:37 . 2008-06-15 13:37 <DIR> d-------- C:\Program Files\AVG
    2008-06-15 13:37 . 2008-06-15 16:01 <DIR> d-------- C:\Documents and Settings\bl\Application Data\AVGTOOLBAR
    2008-06-15 13:37 . 2008-06-15 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-06-15 13:24 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
    2008-06-15 12:48 . 2008-06-15 12:48 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
    2008-06-15 12:39 . 2008-06-15 12:42 1,374 --a------ C:\WINDOWS\imsins.BAK
    2008-06-15 12:33 . 2008-06-15 12:49 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
    2008-06-15 12:32 . 2004-08-04 01:03 61,440 --------- C:\WINDOWS\system32\logman.exe
    2008-06-15 12:32 . 2004-08-04 01:03 9,728 --------- C:\WINDOWS\system32\proxycfg.exe
    2008-06-15 12:30 . 2008-06-15 12:30 <DIR> d-------- C:\WINDOWS\provisioning
    2008-06-15 12:30 . 2008-06-15 12:30 <DIR> d-------- C:\WINDOWS\peernet
    2008-06-15 12:24 . 2008-06-15 12:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-06-15 12:16 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002353_.tmp
    2008-06-15 12:15 . 2004-08-03 22:43 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-06-15 12:10 . 2008-06-15 12:10 <DIR> d-------- C:\WINDOWS\EHome
    2008-06-15 11:42 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-06-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-06-15 10:05 . 2004-08-04 01:03 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2008-06-15 10:05 . 2004-08-04 00:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-06-08 14:55 . 2008-06-13 03:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-15 11:44 --------- d-----w C:\Program Files\Java
    2008-05-23 04:25 --------- d-----w C:\Documents and Settings\bl\Application Data\U3
    2008-04-26 20:46 --------- d-----w C:\Program Files\Philips
    2008-04-26 20:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-26 20:45 --------- d-----w C:\Documents and Settings\bl\Application Data\InstallShield
    2008-04-02 21:52 98,048 ----a-w C:\WINDOWS\system32\dciman3.dll
    .
    ((((((((((((((((((((((((((((( snapshot@2008-06-15_16.42.21,93 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-15 13:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-19 16:12:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-19 16:13:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7c4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    2008-06-15 13:45 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    2008-06-15 13:45 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F038EDCF-F9F2-4830-82C0-C83F4762AF04}]
    2008-04-02 23:52 98048 --a------ C:\WINDOWS\System32\dciman3.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 21:31 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WINPROC AUDIT"="C:\OEMCUST\TOOLS\WIN32\WINPROC.exe" [ ]
    "EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-01-28 09:43 35328]
    "ACTIVBOARD"="C:\Apps\ActivBoard\MMKeybd.exe" [2002-06-19 18:51 192512]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-15 13:37 1177368]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Corel Registration.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Corel Registration.lnk
    backup=C:\WINDOWS\pss\Corel Registration.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CorelCENTRAL 9.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\CorelCENTRAL 9.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL 9.LNKCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CorelCENTRAL-signalen.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\CorelCENTRAL-signalen.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL-signalen.LNKCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Desktop Application Director 9.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Desktop Application Director 9.LNK
    backup=C:\WINDOWS\pss\Desktop Application Director 9.LNKCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    -ra------ 2007-07-02 17:10 23237416 C:\Program Files\Skype\Phone\Skype.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-15 13:45 136600 C:\Program Files\Java\jre6\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-08-08 21:31 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-11-18 20:48 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "|"= |:Program Access Service
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    R0 tivstscd;tivstscd;C:\WINDOWS\system32\drivers\ezfnqdrt.dat []
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-15 13:38]
    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
    R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys [2002-06-07 12:38]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-15 13:37]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-15 13:37]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-15 13:38]
    R2 JavaQuickStarterService;Java Quick Starter;"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" []
    R2 nhksrv;Netropa NHK Server;C:\Apps\ActivBoard\nhksrv.exe [2001-08-06 06:41]
    R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe [2002-05-16 12:17]
    R3 CVIAAUD;NEC VIA 3D Environmental Audio;C:\WINDOWS\system32\drivers\cviaaud.sys [2001-09-20 11:33]
    R3 CVIAHALA;CVIAHALA;C:\WINDOWS\system32\drivers\cviahal.sys [2001-09-20 11:36]
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-07-05 20:24:29 C:\WINDOWS\Tasks\Herinnering voor registratie 2.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2007-07-19 21:35:11 C:\WINDOWS\Tasks\Herinnering voor registratie 3.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2008-06-13 01:30:02 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
    - C:\Program Files\RegistrySmart\RegistrySmart.ex
    - C:\Program Files\RegistrySmart
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-19 18:29:34
    Windows 5.1.2600 Service Pack 2 NTFS
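Two of the signals in this thread can be checked mechanically rather than by eye: the items Roelof picked out of the HijackThis log in post #3 (registrations that point at "(no file)" or "(file missing)", and an unnamed BHO loading from System32 under a name one character short of the genuine Windows DLL dciman32.dll), and the `R0 tivstscd;tivstscd;...ezfnqdrt.dat []` line in the ComboFix output above, a boot-start driver whose image is a .dat file for which ComboFix recorded no timestamp. The Python below is an added example and is not code from the thread, from HijackThis or from ComboFix. The short allow-list of genuine DLL names, the 0.9 similarity threshold and the "driver images are .sys or .exe" rule are assumptions made for illustration; the sample lines are copied from the two logs above with the forum's line-wrap spaces removed.

```python
"""Triage heuristics for pasted HijackThis and ComboFix log lines.

Added example, not part of the forum thread. The DLL allow-list, the
similarity threshold and the extension rule are assumptions.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# Hypothetical short allow-list of genuine Windows DLL names; malware
# likes to pick a file name a character or two away from one of these.
KNOWN_SYSTEM_DLLS = ("dciman32.dll", "shdocvw.dll", "kernel32.dll",
                     "user32.dll", "ntdll.dll", "gdi32.dll")

# HijackThis item: "O2 - BHO: <name> - {CLSID} - <path>" or "R3 - ... - (no file)"
HJT_LINE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# ComboFix service line: "<start> <svc>;<display>;<image> [<file timestamp or empty>]"
CF_SERVICE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
                        r"(?P<image>.+?)\s*\[(?P<stamp>[^\]]*)\]$")


def lookalike(filename: str) -> Optional[str]:
    """Return the genuine DLL name that *filename* imitates, or None when the
    name is itself on the allow-list or is not close to any entry.
    A SequenceMatcher ratio of 0.9 is an assumed threshold."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_DLLS:
        return None
    for real in KNOWN_SYSTEM_DLLS:
        if SequenceMatcher(None, name, real).ratio() >= 0.9:
            return real
    return None


def triage_hjt(line: str) -> List[str]:
    """Reasons a HijackThis line deserves a second look (empty list = nothing)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("registration points at a file that no longer exists")
    if kind in ("O2", "O3"):
        target = body.rsplit(" - ", 1)[-1].strip()   # last field is the DLL path
        filename = target.rsplit("\\", 1)[-1]
        if "(no name)" in body and target.lower().startswith("c:\\windows\\system32\\"):
            reasons.append("unnamed BHO/toolbar loading from System32")
        real = lookalike(filename)
        if real:
            reasons.append(f"{filename} is not a known Windows file but resembles {real}")
    return reasons


def triage_combofix_service(line: str) -> List[str]:
    """Reasons a ComboFix service/driver line deserves a second look."""
    m = CF_SERVICE.match(line.strip())
    if not m:
        return []
    image = m.group("image").strip()
    if image.startswith('"'):                 # drop command-line arguments
        image = image[1:].split('"', 1)[0]
    ext = image.rsplit(".", 1)[-1].lower() if "." in image else ""
    reasons = []
    if ext not in ("sys", "exe"):
        reasons.append(f"service image is a .{ext} file, not a driver or executable")
        if not m.group("stamp").strip():
            reasons.append("ComboFix recorded no file timestamp for the image")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged line of a pasted log to its reasons."""
    flagged = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_hjt(line) or triage_combofix_service(line)
        if reasons:
            flagged[line] = reasons
    return flagged


# Constructed sample: lines taken from the two logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {F038EDCF-F9F2-4830-82C0-C83F4762AF04} - C:\WINDOWS\System32\dciman3.dll
O9 - Extra button: Suggestions - {2223664C-1942-4276-9A2D-E8D8F547C5D2} - res://EffiPeled (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
R0 tivstscd;tivstscd;C:\WINDOWS\system32\drivers\ezfnqdrt.dat []
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-15 13:38]
R2 JavaQuickStarterService;Java Quick Starter;"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" []
"""

if __name__ == "__main__":
    for flagged_line, why in triage_log(SAMPLE_LOG).items():
        print(flagged_line[:70], "->", "; ".join(why))
```

Run against the sample, the script flags the two orphaned BHO/toolbar entries, the Yahoo URLSearchHook, the missing "Suggestions" button and the dciman3.dll BHO, and among the services only the tivstscd driver; the AVG driver, the quoted Java Quick Starter command line and the genuine Shdocvw.dll pass. The name-similarity check is the part worth keeping in a real toolbox: it is what turns "dciman3.dll, no name, in System32" from a line a helper has to recognise into one a script can raise on its own.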

  #5 Roelof (Spyware Slayer, registered 19 May 2008, Twente (Netherlands), 641 posts)

    Hi Kokki,

    I'm missing the bottom part of the log.
    Could you post the whole ComboFix log?

    Roelof


  #6 Kokki (Geek, registered 11 May 2005, 2,434 posts)

    Sorry, I hadn't noticed that.

    ComboFix 08-06-16.5 - bl 2008-06-19 18:25:40.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.53 [GMT 2:00]
    Running from: D:\ComboFix.exe
    * Created a new restore point
    .
    (((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 ))))))))))))))))))))))))))))))
    .
    2008-06-15 16:24 . 2008-06-15 16:24 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\bl\Application Data\Malwarebytes
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-15 16:10 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-15 16:10 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-15 15:53 . 2007-07-04 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
    2008-06-15 15:53 . 2007-07-04 21:17 <DIR> dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
    2008-06-15 15:53 . 2007-07-04 21:36 <DIR> dr------- C:\Documents and Settings\Administrator\Mijn documenten
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
    2008-06-15 15:53 . 2007-07-04 21:32 <DIR> dr------- C:\Documents and Settings\Administrator\Favorieten
    2008-06-15 15:53 . 2007-07-04 21:32 <DIR> dr------- C:\Documents and Settings\Administrator\Bureaublad
    2008-06-15 15:53 . 2007-07-04 21:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2008-06-15 15:53 . 2008-06-15 15:53 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-06-15 13:47 . 2008-06-15 16:23 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-06-15 13:45 . 2008-06-15 13:45 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
    2008-06-15 13:45 . 2008-06-15 13:45 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-15 13:38 . 2008-06-15 13:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-06-15 13:38 . 2008-06-15 13:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-06-15 13:38 . 2008-06-15 13:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-06-15 13:37 . 2008-06-15 13:44 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-06-15 13:37 . 2008-06-15 13:37 <DIR> d-------- C:\Program Files\AVG
    2008-06-15 13:37 . 2008-06-15 16:01 <DIR> d-------- C:\Documents and Settings\bl\Application Data\AVGTOOLBAR
    2008-06-15 13:37 . 2008-06-15 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-06-15 13:24 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
    2008-06-15 12:48 . 2008-06-15 12:48 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
    2008-06-15 12:39 . 2008-06-15 12:42 1,374 --a------ C:\WINDOWS\imsins.BAK
    2008-06-15 12:33 . 2008-06-15 12:49 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
    2008-06-15 12:32 . 2004-08-04 01:03 61,440 --------- C:\WINDOWS\system32\logman.exe
    2008-06-15 12:32 . 2004-08-04 01:03 9,728 --------- C:\WINDOWS\system32\proxycfg.exe
    2008-06-15 12:30 . 2008-06-15 12:30 <DIR> d-------- C:\WINDOWS\provisioning
    2008-06-15 12:30 . 2008-06-15 12:30 <DIR> d-------- C:\WINDOWS\peernet
    2008-06-15 12:24 . 2008-06-15 12:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-06-15 12:16 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002353_.tmp
    2008-06-15 12:15 . 2004-08-03 22:43 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-06-15 12:10 . 2008-06-15 12:10 <DIR> d-------- C:\WINDOWS\EHome
    2008-06-15 11:42 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-06-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-06-15 10:05 . 2004-08-04 01:03 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2008-06-15 10:05 . 2004-08-04 00:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-06-08 14:55 . 2008-06-13 03:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-15 11:44 --------- d-----w C:\Program Files\Java
    2008-05-23 04:25 --------- d-----w C:\Documents and Settings\bl\Application Data\U3
    2008-04-26 20:46 --------- d-----w C:\Program Files\Philips
    2008-04-26 20:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-26 20:45 --------- d-----w C:\Documents and Settings\bl\Application Data\InstallShield
    2008-04-02 21:52 98,048 ----a-w C:\WINDOWS\system32\dciman3.dll
    .
    ((((((((((((((((((((((((((((( snapshot@2008-06-15_16.42.21,93 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-15 13:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-19 16:12:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-19 16:13:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7c4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    2008-06-15 13:45 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    2008-06-15 13:45 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F038EDCF-F9F2-4830-82C0-C83F4762AF04}]
    2008-04-02 23:52 98048 --a------ C:\WINDOWS\System32\dciman3.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 21:31 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WINPROC AUDIT"="C:\OEMCUST\TOOLS\WIN32\WINPROC.exe" [ ]
    "EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-01-28 09:43 35328]
    "ACTIVBOARD"="C:\Apps\ActivBoard\MMKeybd.exe" [2002-06-19 18:51 192512]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-15 13:37 1177368]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Corel Registration.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Corel Registration.lnk
    backup=C:\WINDOWS\pss\Corel Registration.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CorelCENTRAL 9.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\CorelCENTRAL 9.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL 9.LNKCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CorelCENTRAL-signalen.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\CorelCENTRAL-signalen.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL-signalen.LNKCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Desktop Application Director 9.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Desktop Application Director 9.LNK
    backup=C:\WINDOWS\pss\Desktop Application Director 9.LNKCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    -ra------ 2007-07-02 17:10 23237416 C:\Program Files\Skype\Phone\Skype.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-15 13:45 136600 C:\Program Files\Java\jre6\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-08-08 21:31 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-11-18 20:48 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "|"= |:Program Access Service
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    R0 tivstscd;tivstscd;C:\WINDOWS\system32\drivers\ezfnqdrt.dat []
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-15 13:38]
    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
    R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys [2002-06-07 12:38]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-15 13:37]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-15 13:37]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-15 13:38]
    R2 JavaQuickStarterService;Java Quick Starter;"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" []
    R2 nhksrv;Netropa NHK Server;C:\Apps\ActivBoard\nhksrv.exe [2001-08-06 06:41]
    R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe [2002-05-16 12:17]
    R3 CVIAAUD;NEC VIA 3D Environmental Audio;C:\WINDOWS\system32\drivers\cviaaud.sys [2001-09-20 11:33]
    R3 CVIAHALA;CVIAHALA;C:\WINDOWS\system32\drivers\cviahal.sys [2001-09-20 11:36]
    .
    Inhoud van de 'Gedeelde Taken' map
    "2007-07-05 20:24:29 C:\WINDOWS\Tasks\Herinnering voor registratie 2.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2007-07-19 21:35:11 C:\WINDOWS\Tasks\Herinnering voor registratie 3.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2008-06-13 01:30:02 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
    - C:\Program Files\RegistrySmart\RegistrySmart.ex
    - C:\Program Files\RegistrySmart
    .
    ************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-19 18:29:34
    Windows 5.1.2600 Service Pack 2 NTFS
    scannen van verborgen processen ...
    scannen van verborgen autostart items ...
    scannen van verborgen bestanden ...
    Scan succesvol afgerond
    verborgen bestanden: 0
    ************************************************************************
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\tivstscd]
    "ImagePath"="system32\drivers\ezfnqdrt.dat"
    .
    Voltooingstijd: 2008-06-19 18:34:31
    ComboFix-quarantined-files.txt 2008-06-19 16:34:23
    Pre-Run: 28,386,316,288 bytes beschikbaar
    Post-Run: 28,376,961,024 bytes beschikbaar
    155 --- E O F --- 2008-06-15 11:34:32

  10. #7
    Spyware Slayer   Roelof's avatar
    Registered
    19 May 2008
    Location
    Twente (Nederland)
    Posts
    641
    Thanks given
    25
    Thanked
    129 times in 109 posts
    Hi Kokki,

    Open Notepad, then copy and paste the bold text below into an empty window:

    File::
    C:\WINDOWS\system32\dciman3.dll

    Registry::

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Browser Helper Objects\{F038EDCF-F9F2-4830-82C0-C83F4762AF04}]
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\tivstscd]

    Save this on your Desktop as CFScript.txt
    Drag CFScript.txt onto ComboFix.exe as shown in the example below:

    This will make ComboFix restart.
    Reboot if prompted and post the contents of Combofix.txt in your next reply, together with a new HijackThis log.

    Regards,

    Roelof

  11. The following user thanked Roelof for this useful post:

    Kokki (20 June 2008)

  12. #8
    Geek   Kokki's avatar
    Registered
    11 May 2005
    Posts
    2.434
    Thanks given
    159
    Thanked
    683 times in 607 posts
    Hey Roelof,
    dciman3 is still not gone. I tried it twice, the last time with AVG switched off. This is the latest log.

    ComboFix 08-06-16.5 - bl 2008-06-20 16:32:12.4 - NTFSx86
    Gestart vanuit: C:\Documents and Settings\bl\Bureaublad\ComboFix.exe
    Command switches used :: D:\CFScript.txt
    * Nieuw herstelpunt werd aangemaakt
    FILE ::
    C:\WINDOWS\system32\dciman3.dll
    .
    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\system32\dciman3.dll . . . . konden niet verwijderd worden
    .
    (((((((((((((((((((( Bestanden Gemaakt van 2008-05-20 to 2008-06-20 ))))))))))))))))))))))))))))))
    .
    2008-06-15 16:24 . 2008-06-15 16:24 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\bl\Application Data\Malwarebytes
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-15 16:10 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-15 16:10 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-15 15:53 . 2007-07-04 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
    2008-06-15 15:53 . 2007-07-04 21:17 <DIR> dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
    2008-06-15 15:53 . 2007-07-04 21:36 <DIR> dr------- C:\Documents and Settings\Administrator\Mijn documenten
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
    2008-06-15 15:53 . 2007-07-04 21:32 <DIR> dr------- C:\Documents and Settings\Administrator\Favorieten
    2008-06-15 15:53 . 2007-07-04 21:32 <DIR> dr------- C:\Documents and Settings\Administrator\Bureaublad
    2008-06-15 15:53 . 2007-07-04 21:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2008-06-15 15:53 . 2008-06-15 15:53 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-06-15 13:47 . 2008-06-20 15:48 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-06-15 13:45 . 2008-06-15 13:45 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
    2008-06-15 13:45 . 2008-06-15 13:45 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-15 13:38 . 2008-06-15 13:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-06-15 13:38 . 2008-06-15 13:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-06-15 13:38 . 2008-06-15 13:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-06-15 13:37 . 2008-06-15 13:44 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-06-15 13:37 . 2008-06-15 13:37 <DIR> d-------- C:\Program Files\AVG
    2008-06-15 13:37 . 2008-06-15 16:01 <DIR> d-------- C:\Documents and Settings\bl\Application Data\AVGTOOLBAR
    2008-06-15 13:37 . 2008-06-15 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-06-15 13:24 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
    2008-06-15 12:48 . 2008-06-15 12:48 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
    2008-06-15 12:39 . 2008-06-15 12:42 1,374 --a------ C:\WINDOWS\imsins.BAK
    2008-06-15 12:33 . 2008-06-15 12:49 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
    2008-06-15 12:32 . 2004-08-04 01:03 61,440 --------- C:\WINDOWS\system32\logman.exe
    2008-06-15 12:32 . 2004-08-04 01:03 9,728 --------- C:\WINDOWS\system32\proxycfg.exe
    2008-06-15 12:30 . 2008-06-15 12:30 <DIR> d-------- C:\WINDOWS\provisioning
    2008-06-15 12:30 . 2008-06-15 12:30 <DIR> d-------- C:\WINDOWS\peernet
    2008-06-15 12:24 . 2008-06-15 12:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-06-15 12:16 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002353_.tmp
    2008-06-15 12:15 . 2004-08-03 22:43 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-06-15 12:10 . 2008-06-15 12:10 <DIR> d-------- C:\WINDOWS\EHome
    2008-06-15 11:42 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-06-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-06-15 10:05 . 2004-08-04 01:03 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2008-06-15 10:05 . 2004-08-04 00:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-06-08 14:55 . 2008-06-13 03:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-15 11:44 --------- d-----w C:\Program Files\Java
    2008-05-23 04:25 --------- d-----w C:\Documents and Settings\bl\Application Data\U3
    2008-04-26 20:46 --------- d-----w C:\Program Files\Philips
    2008-04-26 20:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-26 20:45 --------- d-----w C:\Documents and Settings\bl\Application Data\InstallShield
    2008-04-02 21:52 98,048 ----a-w C:\WINDOWS\system32\dciman3.dll
    .
    ((((((((((((((((((((((((((((( snapshot@2008-06-15_16.42.21,93 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-15 13:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-20 14:37:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    2008-06-15 13:45 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    2008-06-15 13:45 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F038EDCF-F9F2-4830-82C0-C83F4762AF04}]
    2008-04-02 23:52 98048 --a------ C:\WINDOWS\System32\dciman3.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 21:31 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WINPROC AUDIT"="C:\OEMCUST\TOOLS\WIN32\WINPROC.exe" [ ]
    "EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-01-28 09:43 35328]
    "ACTIVBOARD"="C:\Apps\ActivBoard\MMKeybd.exe" [2002-06-19 18:51 192512]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-15 13:37 1177368]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Corel Registration.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Corel Registration.lnk
    backup=C:\WINDOWS\pss\Corel Registration.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CorelCENTRAL 9.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\CorelCENTRAL 9.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL 9.LNKCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CorelCENTRAL-signalen.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\CorelCENTRAL-signalen.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL-signalen.LNKCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Desktop Application Director 9.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Desktop Application Director 9.LNK
    backup=C:\WINDOWS\pss\Desktop Application Director 9.LNKCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    -ra------ 2007-07-02 17:10 23237416 C:\Program Files\Skype\Phone\Skype.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-15 13:45 136600 C:\Program Files\Java\jre6\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-08-08 21:31 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-11-18 20:48 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "|"= |:Program Access Service
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    R0 tivstscd;tivstscd;C:\WINDOWS\system32\drivers\ezfnqdrt.dat []
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-15 13:38]
    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
    R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys [2002-06-07 12:38]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-15 13:37]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-15 13:37]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-15 13:38]
    R2 JavaQuickStarterService;Java Quick Starter;"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" []
    R2 nhksrv;Netropa NHK Server;C:\Apps\ActivBoard\nhksrv.exe [2001-08-06 06:41]
    R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe [2002-05-16 12:17]
    R3 CVIAAUD;NEC VIA 3D Environmental Audio;C:\WINDOWS\system32\drivers\cviaaud.sys [2001-09-20 11:33]
    R3 CVIAHALA;CVIAHALA;C:\WINDOWS\system32\drivers\cviahal.sys [2001-09-20 11:36]
    .
    Inhoud van de 'Gedeelde Taken' map
    "2007-07-05 20:24:29 C:\WINDOWS\Tasks\Herinnering voor registratie 2.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2007-07-19 21:35:11 C:\WINDOWS\Tasks\Herinnering voor registratie 3.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2008-06-13 01:30:02 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
    - C:\Program Files\RegistrySmart\RegistrySmart.ex
    - C:\Program Files\RegistrySmart
    .
    ************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-20 16:38:39
    Windows 5.1.2600 Service Pack 2 NTFS
    scannen van verborgen processen ...
    scannen van verborgen autostart items ...
    scannen van verborgen bestanden ...
    Scan succesvol afgerond
    verborgen bestanden: 0
    ************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tivstscd]
    "ImagePath"="system32\drivers\ezfnqdrt.dat"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\APPS\ActivBoard\Traymon.exe
    C:\APPS\ActivBoard\osd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    .
    ************************************************************************
    .
    Voltooingstijd: 2008-06-20 16:45:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-20 14:44:47
    ComboFix2.txt 2008-06-20 14:05:10
    ComboFix3.txt 2008-06-19 16:34:34
    Pre-Run: 28,457,218,048 bytes beschikbaar
    Post-Run: 28,448,419,840 bytes beschikbaar
    173 --- E O F --- 2008-06-15 11:34:32


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:48:18, on 20/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {F038EDCF-F9F2-4830-82C0-C83F4762AF04} - C:\WINDOWS\System32\dciman3.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [WINPROC AUDIT] C:\OEMCUST\TOOLS\WIN32\WINPROC.EXE C:\CABS\SCRIPTS\PROCESS\AUDIT.SCR C:\DRIVERS\PROCESS.TXT /TRACE
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1213522710498
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    --
    End of file - 6129 bytes

  13. #9
    Spyware Slayer   Roelof's avatar
    Registered
    19 May 2008
    Location
    Twente (Nederland)
    Posts
    641
    Thanks given
    25
    Thanked
    129 times in 109 posts
    Proposal:

    Hi Kokki,

    We'll change the script slightly and see whether that helps.


    Code:
     
    Rootkit::
    C:\WINDOWS\system32\dciman3.dll
     
    Driver::
    tivstscd
     
    Registry::
     
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Browser Helper Objects\{F038EDCF-F9F2-4830-82C0-C83F4762AF04}]
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\tivstscd]

    Save this on your Desktop as CFScript.txt
    Drag CFScript.txt onto ComboFix.exe as shown in the example below:

    This will make ComboFix restart.
    Reboot if prompted and post the contents of Combofix.txt in your next reply, together with a new HijackThis log.

    Regards,

    Roelof
    Last edited by Roelof; 21 June 2008 at 19:16

  14. The following user thanked Roelof for this useful post:

    Kokki (23 June 2008)
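    As an added example (not code from this thread, nor from the ComboFix or HijackThis authors), a small Python triage helper that applies the two indicators the thread turns on: an O2 BHO line with "(no name)" whose DLL sits directly in System32, and an R0 "driver" whose image is a .dat instead of a .sys. It then writes the Rootkit::/Driver::/Registry:: sections in the layout Roelof's second script uses. The sample lines are copied from the logs above; the full Browser Helper Objects registry path is an assumption (the standard BHO registration key, longer than the one in the thread's script), and the checks are heuristics taken from this thread, not a general detection rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: log lines copied from the HijackThis and ComboFix
# output posted in this thread (one clean BHO, one unnamed BHO, one R0
# "driver" whose image is a .dat file, and two legitimate service entries).
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {F038EDCF-F9F2-4830-82C0-C83F4762AF04} - C:\WINDOWS\System32\dciman3.dll
R0 tivstscd;tivstscd;C:\WINDOWS\system32\drivers\ezfnqdrt.dat []
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-15 13:38]
R2 nhksrv;Netropa NHK Server;C:\Apps\ActivBoard\nhksrv.exe [2001-08-06 06:41]
"""

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# ComboFix service line: "R<start> <service>;<display name>;<image path> [<timestamp>]"
SVC_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")

# Registry locations used when turning findings into a CFScript. The BHO key is
# the standard registration path (assumption; the thread's script abbreviates it),
# the services key is the one ComboFix printed in the logs above.
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SVC_KEY = r"HKEY_LOCAL_MACHINE\system\ControlSet001\Services"


@dataclass
class Finding:
    kind: str    # "bho" or "driver"
    ident: str   # CLSID for a BHO, service name for a driver
    path: str
    reason: str


def check_bho(name: str, path: str) -> Optional[str]:
    """Return why a BHO entry deserves a look, or None if it looks ordinary."""
    reasons = []
    if name.strip().lower() == "(no name)":
        reasons.append("BHO registered without a name")
    # A DLL dropped straight into System32 rather than a vendor folder is unusual for a BHO.
    if re.search(r"\\system32\\[^\\]+$", path, re.IGNORECASE):
        reasons.append("BHO DLL lives directly in System32")
    return "; ".join(reasons) or None


def check_driver(start: str, path: str) -> Optional[str]:
    """R0/R1 (and S0/S1) entries are boot/system-start kernel drivers; expect a .sys image."""
    if start not in ("R0", "R1", "S0", "S1"):
        return None
    if not path.lower().endswith(".sys"):
        return f"kernel driver image is not a .sys file ({path.rsplit('.', 1)[-1]})"
    return None


def parse(text: str) -> List[Finding]:
    """Scan log lines and collect the entries that match the thread's indicators."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            if reason := check_bho(m["name"], m["path"]):
                findings.append(Finding("bho", m["clsid"], m["path"], reason))
        elif m := SVC_RE.match(line):
            if reason := check_driver(m["start"], m["path"]):
                findings.append(Finding("driver", m["name"], m["path"], reason))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Emit Rootkit::/Driver::/Registry:: sections in the layout used in this thread."""
    rootkit = [f.path for f in findings if f.kind == "bho"]
    drivers = [f.ident for f in findings if f.kind == "driver"]
    registry = [f"[-{BHO_KEY}\\{f.ident}]" for f in findings if f.kind == "bho"]
    registry += [f"[-{SVC_KEY}\\{f.ident}]" for f in findings if f.kind == "driver"]
    sections = []
    if rootkit:
        sections.append("Rootkit::\n" + "\n".join(rootkit))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    if registry:
        sections.append("Registry::\n" + "\n".join(registry))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = parse(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:6} {f.ident:40} {f.reason}")
    print()
    print(build_cfscript(found))
```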

  15. #10
    Geek   Kokki's avatar
    Registered
    11 May 2005
    Posts
    2.434
    Thanks given
    159
    Thanked
    683 times in 607 posts
    Nothing again, Roelof. I haven't had any more alerts from AVG, though. I need to check whether I accidentally clicked "ignore" instead of "remove" at some point.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:54:50, on 23/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {F038EDCF-F9F2-4830-82C0-C83F4762AF04} - C:\WINDOWS\System32\dciman3.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [WINPROC AUDIT] C:\OEMCUST\TOOLS\WIN32\WINPROC.EXE C:\CABS\SCRIPTS\PROCESS\AUDIT.SCR C:\DRIVERS\PROCESS.TXT /TRACE
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1213522710498
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    --
    End of file - 6827 bytes

    ComboFix 08-06-16.5 - bl 2008-06-23 17:36:15.5 - NTFSx86
    Running from: C:\Documents and Settings\bl\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\bl\Bureaublad\CFScript.txt
    * Created a new restore point
    .
    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\system32\dciman3.dll . . . . could not be deleted
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_TIVSTSCD
    -------\Service_tivstscd

    (((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 ))))))))))))))))))))))))))))))
    .
    2008-06-21 09:47 . 2008-06-21 09:47 <DIR> d-------- C:\Program Files\Driver-Soft
    2008-06-21 09:47 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
    2008-06-21 09:29 . 2008-06-21 09:29 395,744 --a------ C:\WINDOWS\system32\drivers\timntr.sys
    2008-06-21 09:29 . 2008-06-21 09:29 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
    2008-06-21 09:29 . 2008-06-21 09:29 39,264 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
    2008-06-21 09:27 . 2008-06-21 09:28 <DIR> d-------- C:\Program Files\Common Files\Acronis
    2008-06-21 09:27 . 2008-06-21 09:27 <DIR> d-------- C:\Program Files\Acronis
    2008-06-15 16:24 . 2008-06-15 16:24 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\bl\Application Data\Malwarebytes
    2008-06-15 16:10 . 2008-06-15 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-15 16:10 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-15 16:10 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-15 15:53 . 2007-07-04 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
    2008-06-15 15:53 . 2007-07-04 21:17 <DIR> dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
    2008-06-15 15:53 . 2007-07-04 21:36 <DIR> dr------- C:\Documents and Settings\Administrator\Mijn documenten
    2008-06-15 15:53 . 2007-07-04 21:03 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
    2008-06-15 15:53 . 2007-07-04 21:32 <DIR> dr------- C:\Documents and Settings\Administrator\Favorieten
    2008-06-15 15:53 . 2007-07-04 21:32 <DIR> dr------- C:\Documents and Settings\Administrator\Bureaublad
    2008-06-15 15:53 . 2007-07-04 21:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2008-06-15 15:53 . 2008-06-15 15:53 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-06-15 13:47 . 2008-06-20 15:48 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-06-15 13:45 . 2008-06-15 13:45 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
    2008-06-15 13:45 . 2008-06-15 13:45 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-15 13:38 . 2008-06-15 13:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-06-15 13:38 . 2008-06-15 13:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-06-15 13:38 . 2008-06-15 13:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-06-15 13:37 . 2008-06-21 10:26 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-06-15 13:37 . 2008-06-15 13:37 <DIR> d-------- C:\Program Files\AVG
    2008-06-15 13:37 . 2008-06-15 16:01 <DIR> d-------- C:\Documents and Settings\bl\Application Data\AVGTOOLBAR
    2008-06-15 13:37 . 2008-06-15 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-06-15 13:24 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
    2008-06-15 12:48 . 2008-06-15 12:48 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
    2008-06-15 12:39 . 2008-06-15 12:42 1,374 --a------ C:\WINDOWS\imsins.BAK
    2008-06-15 12:33 . 2008-06-15 12:49 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
    2008-06-15 12:32 . 2004-08-04 01:03 61,440 --------- C:\WINDOWS\system32\logman.exe
    2008-06-15 12:32 . 2004-08-04 01:03 9,728 --------- C:\WINDOWS\system32\proxycfg.exe
    2008-06-15 12:30 . 2008-06-15 12:30 <DIR> d-------- C:\WINDOWS\provisioning
    2008-06-15 12:30 . 2008-06-15 12:30 <DIR> d-------- C:\WINDOWS\peernet
    2008-06-15 12:24 . 2008-06-15 12:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-06-15 12:16 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002353_.tmp
    2008-06-15 12:15 . 2004-08-03 22:43 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-06-15 12:10 . 2008-06-15 12:10 <DIR> d-------- C:\WINDOWS\EHome
    2008-06-15 11:42 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-06-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-06-15 10:05 . 2004-08-04 01:03 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2008-06-15 10:05 . 2004-08-04 00:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-06-08 14:55 . 2008-06-13 03:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-21 09:00 --------- d-----w C:\Documents and Settings\bl\Application Data\LimeWire
    2008-06-15 11:44 --------- d-----w C:\Program Files\Java
    2008-05-23 04:25 --------- d-----w C:\Documents and Settings\bl\Application Data\U3
    2008-04-26 20:46 --------- d-----w C:\Program Files\Philips
    2008-04-26 20:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-26 20:45 --------- d-----w C:\Documents and Settings\bl\Application Data\InstallShield
    2008-04-02 21:52 98,048 ----a-w C:\WINDOWS\system32\dciman3.dll
    .
    ((((((((((((((((((((((((((((( snapshot@2008-06-15_16.42.21,93 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-15 13:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-23 15:42:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2006-10-16 18:49:08 17,440 ----a-w C:\WINDOWS\system32\acrotls.dll
    - 2004-08-03 23:03:18 1,392,671 ----a-w C:\WINDOWS\system32\msvbvm60.dll
    + 2004-02-23 18:42:40 1,386,496 ----a-w C:\WINDOWS\system32\MSVBVM60.DLL
    + 2006-10-16 19:13:38 14,368 ----a-w C:\WINDOWS\system32\relog_ap.dll
    + 2006-10-16 03:12:54 206,368 ----a-w C:\WINDOWS\system32\snapapi.dll
    + 2008-06-23 15:44:54 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_100.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    2008-06-15 13:45 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    2008-06-15 13:45 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F038EDCF-F9F2-4830-82C0-C83F4762AF04}]
    2008-04-02 23:52 98048 --a------ C:\WINDOWS\System32\dciman3.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 21:31 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WINPROC AUDIT"="C:\OEMCUST\TOOLS\WIN32\WINPROC.exe" [ ]
    "EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-01-28 09:43 35328]
    "ACTIVBOARD"="C:\Apps\ActivBoard\MMKeybd.exe" [2002-06-19 18:51 192512]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-15 13:37 1177368]
    "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 21:12 1164912]
    "AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 21:17 1941784]
    "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 21:13 87584]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Corel Registration.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Corel Registration.lnk
    backup=C:\WINDOWS\pss\Corel Registration.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CorelCENTRAL 9.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\CorelCENTRAL 9.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL 9.LNKCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CorelCENTRAL-signalen.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\CorelCENTRAL-signalen.LNK
    backup=C:\WINDOWS\pss\CorelCENTRAL-signalen.LNKCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Desktop Application Director 9.LNK]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Desktop Application Director 9.LNK
    backup=C:\WINDOWS\pss\Desktop Application Director 9.LNKCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 07:24 286720 C:\Program Files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    -ra------ 2007-07-02 17:10 23237416 C:\Program Files\Skype\Phone\Skype.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-15 13:45 136600 C:\Program Files\Java\jre6\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-08-08 21:31 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-11-18 20:48 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "|"= |:Program Access Service
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    R0 tivstscd;tivstscd;C:\WINDOWS\system32\drivers\ezfnqdrt.dat []
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-15 13:38]
    R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
    R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys [2002-06-07 12:38]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-15 13:37]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-15 13:37]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-15 13:38]
    R2 JavaQuickStarterService;Java Quick Starter;"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" []
    R2 nhksrv;Netropa NHK Server;C:\Apps\ActivBoard\nhksrv.exe [2001-08-06 06:41]
    R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe [2002-05-16 12:17]
    R3 CVIAAUD;NEC VIA 3D Environmental Audio;C:\WINDOWS\system32\drivers\cviaaud.sys [2001-09-20 11:33]
    R3 CVIAHALA;CVIAHALA;C:\WINDOWS\system32\drivers\cviahal.sys [2001-09-20 11:36]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50bc45e6-3f62-11dd-b118-0050ba31b3f0}]
    \Shell\AutoRun\command - CDstart.exe
    *Newly Created Service* - TIVSTSCD
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-07-05 20:24:29 C:\WINDOWS\Tasks\Herinnering voor registratie 2.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2007-07-19 21:35:11 C:\WINDOWS\Tasks\Herinnering voor registratie 3.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2008-06-13 01:30:02 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
    - C:\Program Files\RegistrySmart\RegistrySmart.ex
    - C:\Program Files\RegistrySmart
    .
    ************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-23 17:44:02
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    ************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tivstscd]
    "ImagePath"="system32\drivers\ezfnqdrt.dat"
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\APPS\ActivBoard\Traymon.exe
    C:\APPS\ActivBoard\osd.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    .
    ************************************************************************
    .
    Completion time: 2008-06-23 17:50:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-23 15:50:19
    ComboFix2.txt 2008-06-20 14:45:10
    ComboFix3.txt 2008-06-20 14:05:10
    ComboFix4.txt 2008-06-19 16:34:34
    Pre-Run: 28,123,172,864 bytes free
    Post-Run: 28,062,994,432 bytes free
    201 --- E O F --- 2008-06-15 11:34:32
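The two entries that stand out in the logs above are the unnamed O2 BHO at C:\WINDOWS\System32\dciman3.dll (a name one character off the genuine dciman32.dll) and the R0 service tivstscd whose ImagePath is a .dat file in the drivers directory with no file timestamp. The triage script below, added here as an editor's example and not code from HijackThis, ComboFix or the original poster, turns those observations into general checks that run over any HijackThis O2/O20/O23 lines and ComboFix R0-R3 driver lines, not just the ones in this thread. The sample lines are copied from the logs above; the short list of well-known system DLL names and the severity labels are the editor's own assumptions.

```python
"""Triage helper for HijackThis (O2/O20/O23) and ComboFix driver (R0-R3) lines.

Editor's added example; not code from HijackThis, ComboFix or the original post.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the logs posted above.
SAMPLE_HJT = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {F038EDCF-F9F2-4830-82C0-C83F4762AF04} - C:\WINDOWS\System32\dciman3.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
""".strip()

SAMPLE_COMBOFIX = r"""
R0 tivstscd;tivstscd;C:\WINDOWS\system32\drivers\ezfnqdrt.dat []
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-15 13:38]
""".strip()

# Assumption: a small allow-list of genuine Windows DLL names, used only to
# spot look-alike file names (dciman32.dll is the real DCI manager DLL).
KNOWN_SYSTEM_DLLS = {"dciman32.dll", "shdocvw.dll", "msvbvm60.dll", "user32.dll"}

HJT_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
CF_DRIVER = re.compile(r"^(?P<start>R[0-3]) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (quotes and forward slashes tolerated)."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # character deleted in b
        elif len(a) < len(b):
            j += 1          # character inserted in b
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)   # a single trailing character is one more edit
    return edits == 1


def triage_hjt(text: str) -> List[Finding]:
    """Flag the HijackThis entry types that most often carry the infection."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_BHO.match(line)
        if m:
            if m["name"] == "(no name)":
                findings.append(Finding("high", "unnamed BHO", line))
            base = basename(m["path"])
            if any(one_edit_away(base, known) for known in KNOWN_SYSTEM_DLLS):
                findings.append(Finding("high", "file name is one character off a known system DLL", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Every DLL listed here is loaded into every process that links user32.dll.
            findings.append(Finding("medium", "AppInit_DLLs entry; verify each DLL's publisher", line))
        elif line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                findings.append(Finding("info", "service binary has no vendor string", line))
    return findings


def triage_combofix_drivers(text: str) -> List[Finding]:
    """Flag ComboFix R0/R1 (boot/system start) drivers that do not look like drivers."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CF_DRIVER.match(line)
        if not m:
            continue
        if m["start"] in ("R0", "R1") and not basename(m["path"]).endswith(".sys"):
            findings.append(Finding("high", f"{m['start']} kernel driver image is not a .sys file", line))
        if m["stamp"] == "":
            findings.append(Finding("medium", "no file timestamp: image missing or hidden on disk", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_combofix_drivers(SAMPLE_COMBOFIX):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
```

Run against the sample, the dciman3.dll BHO produces two high findings (unnamed, and one character off dciman32.dll), the AVG AppInit_DLLs line a medium one to verify, and nhksrv only an informational note; ssv.dll and the AVG driver produce nothing. The tivstscd line is flagged twice: a boot-start driver whose image is a .dat, and a file ComboFix could not stamp, which matches the "could not be deleted" result above and is the usual sign of a driver protecting its own file.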
