slow slower slowest



bertillaa
20 November 2006, 23:55
Small problem: extremely slow at everything, constantly the message 'no ho travato nessun modem per la connessione'; I also get a Norton message that 'TROJAN.GALAPOPER.A' has been removed.
Explorer also keeps getting terminated.
Have already run HITMAN PRO, but without result.

Thanks in advance for looking at the following log:

Logfile of HijackThis v1.99.1
Scan saved at 21:06:27, on 20/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\inet20004\services.exe
C:\WINDOWS\system32\ishost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\System32\4mtcsb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\kernels88.exe
C:\WINDOWS\dthbgdyA.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\DOCUME~1\RAF\LOCALS~1\Temp\25369\gm.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\{905B67D1-0A6A-2067-0926-030308220020}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\fzq.exe
C:\WINDOWS\qkw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\RAF\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.belcast.be/nl/search/ie5.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skynet.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skynet.be
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.skynet.be/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;;localhost;<LOCAL>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {D076141A-1231-466B-2B73-0BFAE634EFA3} - ABCXYZ.dll (file missing)
R3 - URLSearchHook: (no name) - {BBC23A4C-AEDE-734D-5474-111718D4D11F} - mozilla-text.dll (file missing)
R3 - URLSearchHook: (no name) - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{0AE3648B-D3DB-41B9-A675-4A57A9B8AA05}.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{305B67D1-0A6A-2067-0926-030308220020}\888.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [uio] DCC_send.exe
O4 - HKLM\..\Run: [hyandex] WhatsNewBot.exe
O4 - HKLM\..\Run: [jopplerg] scanSYS.exe
O4 - HKLM\..\Run: [wormexe] clamav.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\Run: [dthbgdyA] C:\WINDOWS\dthbgdyA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\RAF\LOCALS~1\Temp\25369\gm.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzaw.dll,startup
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [dmibo.exe] C:\WINDOWS\system32\dmibo.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [XTermInit] powerdll.exe
O4 - HKCU\..\Run: [dialer423] xxtoolbar.exe
O4 - HKCU\..\Run: [StatusCheck] DTOURS.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [driver64] stuffmon.exe
O4 - HKCU\..\Run: [ATLIEHELPER] init32.exe
O4 - HKCU\..\Run: [AppMasterCenter] 321102.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - Startup: antispysoldier.lnk = C:\Program Files\Antispyware Soldier\antispysoldier.exe
O4 - Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.skynet.be
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130316975660
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F74C3DB-F043-40AF-BBD7-220A54E806A0}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F90F28D-D6EA-4F7F-B197-0BE98E71BFD9}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{252CA526-0F53-4519-973F-BE68EC508CB6}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{5626C709-8FFC-4529-A796-3BB51F807B94}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE7985E2-0F73-4F92-BA9A-85A0B883E13C}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.18 85.255.112.148
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F74C3DB-F043-40AF-BBD7-220A54E806A0}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.18 85.255.112.148
O17 - HKLM\System\CS3\Services\Tcpip\..\{1F74C3DB-F043-40AF-BBD7-220A54E806A0}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.114.18 85.255.112.148
O17 - HKLM\System\CS4\Services\Tcpip\..\{1F74C3DB-F043-40AF-BBD7-220A54E806A0}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.18 85.255.112.148
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\system32\towgl.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\lwdbu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
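
One way to triage a log like the one above, as an added example that is not part of the thread or of HijackThis itself: a Python reading aid that parses HijackThis lines and flags the entry classes a helper acts on first (O17 NameServer entries pointing at unexpected resolvers, O4 autostarts that run by bare name or from a Temp directory, O20 AppInit_DLLs, O21 SSODL entries, orphaned R3 hooks, F3 win.ini autostarts). The trusted-resolver set is an assumption, and the sample lines are copied from the log above.

```python
"""Reading aid for HijackThis v1.99 logs (added example, not part of the thread or
of HijackThis): flags the entry classes a helper looks at first. It changes nothing
on the machine; every hit still needs a human to look up the file or address."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Assumption: the resolvers this machine is supposed to use (constructed value).
# Every O17 NameServer address outside this set is reported.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# Constructed sample: a handful of lines copied from the first log in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {D076141A-1231-466B-2B73-0BFAE634EFA3} - ABCXYZ.dll (file missing)
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [wormexe] clamav.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\RAF\LOCALS~1\Temp\25369\gm.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.18 85.255.112.148
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\system32\towgl.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


class Finding(NamedTuple):
    section: str  # HijackThis section id, e.g. "O17"
    detail: str   # why the line was flagged
    line: str     # the original log line


_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
_R3 = re.compile(r"^R3 - URLSearchHook: .*\((?:file missing|no file)\)\s*$")
_SPLIT = re.compile(r"[,\s]+")


def _executable(cmd: str) -> str:
    """First token of a Run value: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def dns_servers(log_text: str) -> List[str]:
    """Every valid IP address named in an O17 NameServer entry, de-duplicated."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = _O17.match(line)
        if not m:
            continue
        for tok in _SPLIT.split(m.group("servers").strip()):
            try:
                ip = str(ipaddress.ip_address(tok))
            except ValueError:
                continue  # empty or malformed token
            if ip not in seen:
                seen.append(ip)
    return seen


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("F3 - REG:win.ini: run="):
            findings.append(Finding("F3", "win.ini run= autostart; legacy mechanism, almost never legitimate on XP", line))
        elif _R3.match(line):
            findings.append(Finding("R3", "URLSearchHook whose DLL is gone; leftover of a removed hijacker", line))
        elif (m := _O4.match(line)):
            exe = _executable(m.group("cmd"))
            if "\\" not in exe and ":" not in exe:
                findings.append(Finding("O4", f"[{m.group('name')}] starts '{exe}' by bare name, resolved via PATH at logon", line))
            elif re.search(r"\\temp\\", exe, re.IGNORECASE):
                findings.append(Finding("O4", f"[{m.group('name')}] autostarts from a Temp directory: {exe}", line))
        elif (m := _O17.match(line)):
            rogue = [t for t in _SPLIT.split(m.group("servers").strip()) if t and t not in TRUSTED_RESOLVERS]
            if rogue:
                findings.append(Finding("O17", "NameServer points at unexpected resolvers: " + ", ".join(rogue), line))
        elif line.startswith("O20 - AppInit_DLLs:") and line.partition("AppInit_DLLs:")[2].strip():
            findings.append(Finding("O20", "AppInit_DLLs injects this DLL into every process that loads user32.dll", line))
        elif line.startswith("O21 - SSODL:"):
            findings.append(Finding("O21", "ShellServiceObjectDelayLoad entry, loaded by Explorer at logon; verify the DLL", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Number of findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.detail}\n     {f.line}")
    print("DNS servers in O17:", ", ".join(dns_servers(SAMPLE_LOG)))
```

Full-path O4 entries such as kernels88.exe in system32 are deliberately not flagged by path alone; those still need the file name looked up by hand.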

jurgenv
21 November 2006, 00:12
You had better save these instructions, because your PC will have to restart.
Download Fixwareout from one of these two sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Then click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the instructions you are given. You will be asked whether you want to restart your PC; do so. Your computer will now start up somewhat more slowly; this is normal.


Once the desktop has appeared, you will see a text file pop up (report.txt); post its contents here with a new HijackThis log.

bertillaa
21 November 2006, 18:39
2nd link can't be found; 1st link installed, but during the run I get the error message: 'cannot connect to the internet'

bertillaa
21 November 2006, 18:58
Tried once more, but nothing.
It asks to download bfu.zip and add it to the wareout batch?

jurgenv
21 November 2006, 19:02
It works here... It is probably being blocked by malware; first do the following:

Download combofix.exe: http://download.bleepingcomputer.com/sUBs/combofix.exe
Put it on your desktop.
Double-click it to start the program.
In the window that appears, type Y to start the cleaning process.
Follow the on-screen instructions.
When the tool is finished, a log file opens (combofix.txt). Post the contents of this file together with a new HijackThis log.

jurgenv
21 November 2006, 21:15
Wendy, there is more going on than that. :)

bertillaa
21 November 2006, 22:04
Here is the combofix log already

RAF - di 21/11/2006 20:31:17,54 Service Pack 2
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\RAF\Bureaublad"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\vxgamet1.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\kernels8.exe
C:\Program Files\Common Files\{305B67D1-0A6A-2067-0926-030308220020}
C:\Program Files\Common Files\{905B67D1-0A6A-2067-0926-030308220020}

((((((((((((((((((((((((((((((( Files Created from 2021-10-06 to 2021/11/2006 ))))))))))))))))))))))))))))))))))


No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
Rootkit driver pe386 is present. A rootkit scan is required


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
"UnSpyPC"="\"C:\\Program Files\\UnSpyPC\\UnSpyPC.exe\""
"XTermInit"="powerdll.exe"
"dialer423"="xxtoolbar.exe"
"StatusCheck"="DTOURS.exe"
"KillAndClean"="\"C:\\Program Files\\KillAndClean\\KillAndClean.exe\""
"driver64"="stuffmon.exe"
"ATLIEHELPER"="init32.exe"
"AppMasterCenter"="321102.exe"
"PSDream"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\Srv32 spool service]
"Adware.Srv32"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SoundMan"="SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ESB"="C:\\WINDOWS\\System32\\ESB.exe"
"4mtcsb"="C:\\WINDOWS\\System32\\4mtcsb.exe"
"VCSPlayer"="\"C:\\Program Files\\Virtual CD v4 SDK\\system\\vcsplay.exe\""
"CXMon"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
"DigidesignMMERefresh"="C:\\Program Files\\Digidesign\\Drivers\\MMERefresh.exe"
"AME_CSA"="rundll32 amecsa.cpl,RUN_DLL"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Logitech Utility"="Logi_MwX.Exe"
"uio"="DCC_send.exe"
"hyandex"="WhatsNewBot.exe"
"jopplerg"="scanSYS.exe"
"wormexe"="clamav.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Adware.Srv32"="C:\\WINDOWS\\system32\\runsrv32.exe"
"Transponder"="C:\\WINDOWS\\system32\\susp.exe"
"dthbgdyA"="C:\\WINDOWS\\dthbgdyA.exe"
"Internet Optimizer"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvzaw.dll,startup"
"ControlPanel"="C:\\WINDOWS\\system32\\cmd32.exe internat.dll,LoadKeyboardProfile"
"dmiqn.exe"="C:\\WINDOWS\\system32\\"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\Srv32 spool service]
"Adware.Srv32"=""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,0d,02,00,00,00,00,00,00,f3,02,00,00,02,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,0d,02,00,00,00,00,00,00,f3,02,00,00,02,03,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"=""
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"
"{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"="DCOM Server 3339"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{0E55CC01-8113-487B-92F2-98C24D98A57F}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDrives"=dword:0000e000
"NoDriveAutoRun"=dword:0000e000
"NoCDBurning"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000001
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server 3339"="{2C1CD3D7-86AC-4068-93BC-A02304BB3339}"
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnlkk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\windav32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaaab
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1099914943.job
C:\WINDOWS\tasks\Herinnering voor registratie 1.job
C:\WINDOWS\tasks\Herinnering voor registratie 2.job
C:\WINDOWS\tasks\Herinnering voor registratie 3.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Mijn computer scannen.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: di 21/11/2006 20:47:09,96
C:\ComboFix.txt ... 21/11/2006 20:47
C:\ComboFix2.txt ... 21/11/2006 19:56

jurgenv
21 November 2006, 22:15
1. Download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your desktop. Click Avenger.zip to extract it to your desktop.
2. Now start The Avenger by double-clicking the icon with the sword. Under "Script file to execute" choose "Input Script Manually". Click the magnifying-glass icon, which will open a new window named "View/edit script". Copy and paste the following text, complete and as shown in bold, into it:

Drivers to unload:
pe386

Warning: the code above was made only for this computer/situation/user. If you use this code on another computer it can cause damage!
Click Done. Then click the green traffic light to run the script. Answer "Yes" when asked.
3. The Avenger will then do the following: restart your computer. (In cases where the script contains a "Drivers to Unload" section, The Avenger will restart your system twice.) After the restart it will briefly open a black command window. This is normal. After the restart it will create a log that opens with The Avenger's results. This log can be found at C:\avenger.txt. The Avenger also creates backups of all files, etc., that it removed; these backups are located at C:\avenger\backup.zip.
4. Copy and paste the contents of avenger.txt into your next post together with a new HijackThis log.

bertillaa
21 November 2006, 23:14
Logfile of HijackThis v1.99.1
Scan saved at 21:57:27, on 21/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\inet20004\services.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\System32\4mtcsb.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\dthbgdyA.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\system32\cmd32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\wupdmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\RAF\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.belcast.be/nl/search/ie5.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skynet.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skynet.be
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.skynet.be/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {D076141A-1231-466B-2B73-0BFAE634EFA3} - ABCXYZ.dll (file missing)
R3 - URLSearchHook: (no name) - {BBC23A4C-AEDE-734D-5474-111718D4D11F} - mozilla-text.dll (file missing)
R3 - URLSearchHook: (no name) - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\services.exe
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{0AE3648B-D3DB-41B9-A675-4A57A9B8AA05}.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [uio] DCC_send.exe
O4 - HKLM\..\Run: [hyandex] WhatsNewBot.exe
O4 - HKLM\..\Run: [jopplerg] scanSYS.exe
O4 - HKLM\..\Run: [wormexe] clamav.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [dthbgdyA] C:\WINDOWS\dthbgdyA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzaw.dll,startup
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\Run: [dmxdt.exe] C:\WINDOWS\system32\dmxdt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [XTermInit] powerdll.exe
O4 - HKCU\..\Run: [dialer423] xxtoolbar.exe
O4 - HKCU\..\Run: [StatusCheck] DTOURS.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [driver64] stuffmon.exe
O4 - HKCU\..\Run: [ATLIEHELPER] init32.exe
O4 - HKCU\..\Run: [AppMasterCenter] 321102.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - Startup: antispysoldier.lnk = C:\Program Files\Antispyware Soldier\antispysoldier.exe
O4 - Startup: Slide.exe.lnk = C:\Program Files\Slide\Slide.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.skynet.be
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130316975660
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F74C3DB-F043-40AF-BBD7-220A54E806A0}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F90F28D-D6EA-4F7F-B197-0BE98E71BFD9}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{252CA526-0F53-4519-973F-BE68EC508CB6}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{5626C709-8FFC-4529-A796-3BB51F807B94}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE7985E2-0F73-4F92-BA9A-85A0B883E13C}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.18 85.255.112.148
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\system32\towgl.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\lwdbu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
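The entries in the log above that a helper would triage first are the O17 NameServer lines (resolvers that the ISP did not hand out), the O20 AppInit_DLLs line, the O21 SSODL entries with random-looking names, and the O4 run entries that either name a bare executable or start a core Windows process name from an unusual folder (C:\WINDOWS\inet20004\services.exe). The following script is an added example, not part of this thread or of HijackThis itself, that applies those eyeball rules to a log automatically. The sample lines are copied from the posted log; EXPECTED_NAMESERVERS is a placeholder the reader must replace with the ISP's real resolvers, and DEFAULT_SSODL is an assumption about the SSODL names present on a stock Windows XP.

```python
"""Triage a HijackThis 1.99 log for the entry types seen in this thread.

Added example, not part of HijackThis or of the thread: the rules below are
the ones a helper applies by eye (O4 run entries, O17 name servers,
O20 AppInit_DLLs, O21 SSODL entries). Sample lines are copied from the
posted log; EXPECTED_NAMESERVERS and DEFAULT_SSODL are assumptions to edit.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wormexe] clamav.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F74C3DB-F043-40AF-BBD7-220A54E806A0}: NameServer = 85.255.114.18,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.18 85.255.112.148
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 3339 - {2C1CD3D7-86AC-4068-93BC-A02304BB3339} - C:\WINDOWS\system32\towgl.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Placeholder (documentation range, not real resolvers): fill in the name
# servers the ISP actually assigns; any other O17 value is a finding.
EXPECTED_NAMESERVERS = {"192.0.2.53", "192.0.2.54"}

# Assumption: the SSODL entry names present on a default Windows XP install.
DEFAULT_SSODL = {"postbootreminder", "cdburn", "webcheck", "systray"}

# Names of core Windows processes; a copy living outside system32 is a
# masquerade (compare C:\WINDOWS\inet20004\services.exe in the log).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe"}
SYSTEM32 = "c:\\windows\\system32"

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O17"
    reason: str    # why a helper would look twice at it
    line: str      # the log line itself


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line, without quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def unexpected_nameservers(servers: str) -> List[str]:
    """Split an O17 value (comma or space separated) and drop known resolvers."""
    found = [s for s in re.split(r"[,\s]+", servers.strip()) if s]
    return sorted(s for s in found if s not in EXPECTED_NAMESERVERS)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the rules to one log line; None means nothing to report."""
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        base = ntpath.basename(exe).lower()
        folder = ntpath.dirname(exe).lower()
        if not folder:
            return Finding("O4", "run entry names a program without a directory, "
                           "so HijackThis cannot say where it lives", line)
        if base in CORE_PROCESSES and folder != SYSTEM32:
            return Finding("O4", f"{base} started from {folder!r}, not system32", line)
        return None
    m = O17_RE.match(line)
    if m:
        bad = unexpected_nameservers(m.group("servers"))
        if bad:
            return Finding("O17", "name servers not assigned by the ISP: " + ", ".join(bad), line)
        return None
    m = O20_RE.match(line)
    if m and m.group("dlls").strip():
        return Finding("O20", "AppInit_DLLs is empty on a clean XP; every process "
                       "that loads user32.dll will also load this DLL", line)
    m = O21_RE.match(line)
    if m and m.group("name").strip().lower() not in DEFAULT_SSODL:
        return Finding("O21", "ShellServiceObjectDelayLoad entry not present by default", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for f in (triage_line(raw.strip()) for raw in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports six findings: the two bare-name and masqueraded-services.exe O4 entries, both O17 lines, the O20 entry and the O21 entry, while the Symantec, ctfmon and NOD32 lines pass. The bare-name O4 rule is deliberately a prompt to look rather than a verdict, since legitimate installers (Logitech's Logi_MwX.Exe in the same log) also register programs found via PATH.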

bertillaa
21 November 2006, 23:16
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bixqmbvd
*******************
Script file located at: \??\C:\WINDOWS\yplwrysy.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver pe386 unloaded successfully.
Completed script processing.
*******************
Finished! Terminate.

jurgenv
21 November 2006, 23:29
You had better save these instructions, because your PC will have to restart.
Download Fixwareout from one of these two sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Then click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will start; follow the instructions you get. You will be asked whether you want to restart your PC; do so. Your computer will now start up a bit slower; this is normal.


When the desktop has appeared, you will see a text file pop up (report.txt); post its contents here together with a new HijackThis log.
Can you try this step once more?

bertillaa
22 November 2006, 00:05
jurgen,
I tried the subratam one again, but still nothing.

On startup I also get the message C:\windows\system32\kklnn.ini is corrupted and unreadable, run CHKDSK.
Internet Explorer is meanwhile already running a bit smoother.
Thanks in advance for your time and advice; it's turning out to be a difficult delivery.

jurgenv
22 November 2006, 00:11
Please run the following:

* You had best print these instructions or save them in a Notepad file, because shortly you will have to work in Safe Mode,
and then this page will not be available (no internet).

* Download smitRem.exe (http://www.downloads.subratam.org/smitRem.exe) and save it to the Desktop.
Double-click the file and extract it to its own folder on the Desktop.


* Download and install AVG Anti-Spyware (http://www.ewido.net/en/download/).
After installation, open AVG Anti-Spyware:
* under "Status", click Change state next to "Resident shield". (change from active to inactive!)
* under "Update", click the Start update button.
* under "Scanner", tab "Settings": under "How to act?", click "Recommended actions" and select Quarantine. (VERY IMPORTANT!)
* under "Reports", select Automatically generate report after every scan and remove the check mark at Only if threats were found
Close AVG Anti-Spyware. Do not let it scan yet.

* If you have not installed Ad-Aware SE yet, download, install and update it following the guidelines
you can find at: http://users.pandora.be/marcvn/spyware/1414188.htm
Download link for Ad-Aware: http://www.lavasoftusa.com/products/ad-aware_se_personal.php

* Start your computer in SAFE MODE (http://users.pandora.be/marcvn/spyware/1378056.htm)

* Open the smitrem folder on your desktop and double-click RunThis.bat. Follow the on-screen instructions.
Your desktop and icons will disappear briefly and then reappear; this is normal.
Wait until the tool has finished its work and Disk Cleanup has completed. This can take some time, so be patient.

* Run a full scan with Ad-Aware and remove everything that is found.

* Start AVG Anti-Spyware.
* Click Scan and choose Complete System Scan.
After the scan, follow the instructions below:
IMPORTANT: Do not click the "Save Scan Report" button before you have clicked the "Apply all Actions" button!
* Make sure Set all elements to: is set to Quarantine (1);
if not, click the link and choose Quarantine in the popup menu. (2)
(This does not apply to cookies; those are always deleted!)
* At the bottom of the window, click the Apply all Actions button. (3)
http://home.scarlet.be/~topalex/ewidoscan.jpg
* When you get the message 'All actions have been applied', click the Save Report button at the bottom.

* Then go to Start -> Control Panel -> Appearance and Themes -> Display -> Customize Desktop -> Web -> remove the check mark at "Security Info" if it is still there.

* Restart your computer in normal mode.

* Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) (by Atribune)

Double-click ATF Cleaner to start the program.
On the "Main" tab, put a check mark at Select All.
Click the Empty Selected button.

If you also use Firefox as a browser:
Click the "Firefox" tab and put a check mark at Select All.
If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
(this removes the check mark at "Firefox saved passwords")
Click the Empty Selected button.

If you also use Opera as a browser:
Click the "Opera" tab and put a check mark at Select All.
If you want to keep the passwords saved by Opera, click "No" in the window that appears.
Click the Empty Selected button.
Go to the "Main" tab and click the Exit button to close the program.

* Do an online scan with Panda's online virus scan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) and keep the report you get after scanning.

* Restart your PC once more and then post a new HijackThis log, together with the reports from AVG Anti-Spyware 7.5 and Panda. Also post the log from the smitRem tool, which you can find here: C:\smitfiles.txt.