Logje + virus (Win32/PEPatch.Y) [Archief]

Volledige versie bekijken : Logje + virus (Win32/PEPatch.Y)

29 January 2008, 19:09

hey gasten , Ik heb zojuist een AVG een scan laten doorvoeren want de laatste dagen deed mijn pc enorm raar. Ik kreeg veel foutmeldingen bij het openen van windows explorer en programma's als msn messenger. Verder gebeurt het soms als ik op mijn bureaublad mappen wil openen (deze computer enz) dat mijn bureaublad ...uum refreshed :wtf:.

Een heel zootje dus. Met de avg scan zat er blijkbaar heel wat mallware op mijn pc en dat heb ik ondertussen al buitengekiept maar het grootste probleem blijft nog over , het virus : Win32/PEPatch.Y

meer specifieke info over het virus van AVG :

Object name: Winlogon.exe
Object Path: D:\\WINDOWS\system32\
Discovery: Virus identified Win32/PEPatch.Y
File size: 507.5 KB
healable: No
source: moved object
status: infected

Dus ik zeg : owkeej wipe object :shy: ... pc valt uit en herstart met gevolg dat windows niet meer wil inloggen ( kreeg zon blauw scherm met logon en foutmelding)... oeps. Gelukkig kon ik alles dan toch heropstarten met de voorgaande instellingen maar ik zit nu nog steeds met dat virus. Dus als ik het wil verwijderen dan zit ik vast door windows die niet meer wil werken. ( 2 keer geprobeerd om zeker te zijn dat het virus de oorzaak was.):wall:

googlen op het virus hielp niets :eek:.

AH tot slot nog een andere vraagje ook :lol: : sinds deze week kan ik zowel met firefox als met IE een website niet meer bereiken (foutmelding). De website is nochtans niet offline en andere surfers kunnen de site nog steeds bereiken. Very strange hé :p. ( Het is de enige website waar ik dit probleem heb)....

Ok bij deze ook mijn logje ... en zoeken maar :bow:

Scan saved at 17:49:21, on 29/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\mmall.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\vbuzzer\VBuzzer.exe
D:\Program Files\Google\Google Updater\GoogleUpdater.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
G:\1OA~1\Mozilla Firefox\firefox.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\snmp.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\mmoc.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\Program Files\Grisoft\AVG7\avgwb.dat
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Grisoft\AVG7\avgcc.exe
G:\1OA~1\Mozilla Firefox\firefox.exe
D:\Program Files\Grisoft\AVG7\avgvv.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hln.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - D:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
F3 - REG:win.ini: run=D:\WINDOWS\mmall.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - D:\WINDOWS\System32\winload.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - D:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - D:\WINDOWS\System32\yatool.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll
O2 - BHO: (no name) - {BDFDF7D4-AA39-4385-9A58-ACBB9D3E4BE1} - D:\WINDOWS\System32\compatU.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - D:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - D:\Program Files\Helper\superdirectsearch.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - D:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WMedia32] wmedia32.exe
O4 - HKLM\..\Run: [Microsoft all] D:\WINDOWS\mmall.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Vbuzzer Messenger] D:\Program Files\vbuzzer\VBuzzer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = D:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Vbuzzer RSS list - D:\Program Files\vbuzzer\addurl.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E55E6F9A-4485-42E9-9E2F-A79874A91801}: NameServer = 85.255.114.54,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - D:\WINDOWS\System32\winload.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: General Socket Service - Unknown owner - D:\WINDOWS\SVCHOST.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Microsoft I Service - Unknown owner - D:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9335 bytes

Thx!

Rosty

29 January 2008, 20:05

Hoi,

Print dit advies even uit en/of kopieer het naar een leeg kladblokbestand en sla het op op je bureaublad, want je zult moeten herstarten gedurende de fix

Download FixWareout van een van deze twee sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Let op! Als je antivirus een scriptblokker heeft krijg je een waarschuwing zoals "malicious script warning" wanneer je dit tooltje gaat draaien. Je kunt deze waarschuwing negeren en rustig het vbs.bestandje voor een minuut laten draaien.

Sla het tooltje op naar je bureaublad en run het. Klik op “next”, dan op “install” . Zorg ervoor dat "Run fixit" is aangevinkt and klik “finish”.
De fix zal nu beginnen en je kunt de opdrachten uitvoeren die worden gegeven. Er zal worden gevraagd je computer te herstarten; voer dit ook uit. Klik “OK” na de herstart en wacht rustig totdat het scannen is gebeurd.

Zodra de pc opnieuw is opgestart kun je op je bureublad een bestandje vinden report.txt.Bewaar dit bestandje ik heb het later nodig!!!

Note: Als je problemen hebt met de internet verbinding, voer dan het volgende uit:

Ga naar Start > Uitvoeren
Type (of plak) het volgende in de balk: ipconfig /flushdns
Klik OK.

Ga naar het Configuratiescherm en klik op "Netwerkverbindingen". Rechtsklik op je standaard verbinding en kies "Eigenschappen".
Klik op het tabblad "Algemeen" en dubbelklik op "Internet-Protocol (TCP/IP)". Selecteer "Automatisch een DNS-serveradres laten toewijzen".

* Bezoek volgende pagina met de instructies voor het downloaden en gebruiken van Combofix.

http://www.bleepingcomputer.com/combofix/n...ruikt-te-worden (http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden)

Voer dus de instructies op die pagina uit, dus inclusief het installeren van de XP Recovery Console.
(Indien je geen XP hebt, mag je deze stap ivm de Recovery Console overslaan)

Daarna post je de log van Combofix in je volgende post samen met een nieuw HijackThislog en report.txt van Wareout fix.

29 January 2008, 21:02

Hoi Rosty , ik wil je alvast bedanken voor de tot nu toe geboden hulp . Ik heb je instructies opgevolgd en dit zijn alle resultaten :

Log Combofix :

ComboFix 08-01-29.3 - pieterded 2008-01-29 19:47:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.31.1043.18.164 [GMT 1:00]
Gestart vanuit: D:\Documents and Settings\pieterded\Bureaublad\ComboFix.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\drivers\symavc32.sys
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Program Files\Helper
D:\Program Files\Helper\superdirectsearch.dll
D:\WINDOWS\system32\0x57.exe
D:\WINDOWS\system32\3_exception.nls
D:\WINDOWS\system32\DefLib.sys
D:\WINDOWS\system32\drivers\NdisWon.sys
D:\WINDOWS\system32\drivers\NWE45.sys
D:\WINDOWS\system32\drivers\smtpdrv.sys
D:\WINDOWS\system32\drivers\win32.exe
D:\WINDOWS\system32\kr_done1
D:\WINDOWS\system32\mt_32.dll
D:\WINDOWS\system32\winload.dll
D:\WINDOWS\Temp\43621875.exe

----- BITS: Mogelijk ge‹nfecteerde sites -----

hxxp://trf-loader.org
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GENERAL_SOCKET_SERVICE
-------\LEGACY_NDISWON
-------\LEGACY_NWE45
-------\LEGACY_RUNTIME
-------\LEGACY_SMTPDRV
-------\General Socket Service
-------\smtpdrv

(((((((((((((((((((( Bestanden Gemaakt van 2007-12-28 to 2008-01-29 ))))))))))))))))))))))))))))))
.

2008-01-29 17:45 . 2008-01-29 17:45 <DIR> d-------- D:\Program Files\Trend Micro
2008-01-29 16:51 . 2008-01-29 16:51 29,184 --a------ D:\WINDOWS\system32\dfsj2364.exe
2008-01-29 16:35 . 2008-01-29 16:35 <DIR> d-------- D:\Documents and Settings\pieterded\Application Data\Grisoft
2008-01-29 15:41 . 2008-01-29 16:15 519,680 --a------ D:\WINDOWS\system32\winlogon.exe
2008-01-29 15:19 . 2008-01-29 15:19 23,552 --a------ D:\WINDOWS\mmall.exe
2008-01-29 14:06 . 2008-01-29 18:13 <DIR> d-------- D:\Documents and Settings\pieterded\Application Data\AVG7
2008-01-29 14:06 . 2008-01-29 14:06 <DIR> d-------- D:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-29 14:06 . 2008-01-29 16:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\avg7
2008-01-29 14:05 . 2008-01-29 16:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 14:05 . 2007-05-30 13:10 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-28 22:45 . 2008-01-28 22:45 51,242 --a------ D:\WINDOWS\system32\dfsj2363.exe
2008-01-27 16:34 . 2008-01-27 16:34 29 --a------ D:\WINDOWS\system32\soepweor.tmp
2008-01-25 16:16 . 2008-01-29 15:29 532,480 --a------ D:\WINDOWS\mmoc.exe
2008-01-25 16:16 . 2008-01-29 15:28 532,480 --a------ D:\WINDOWS\mm_tmpoc.exe
2008-01-25 16:16 . 2008-01-29 19:19 4 --a------ D:\WINDOWS\c.pid
2008-01-25 16:15 . 2008-01-25 16:15 23,552 --a------ D:\WINDOWS\system32\dfsj2351.exe
2008-01-25 15:18 . 2008-01-25 15:18 53,248 --a------ D:\WINDOWS\system32\oleauth32.dll
2008-01-25 15:18 . 2008-01-25 15:18 53,248 --------- D:\WINDOWS\system32\mstscex.dll
2008-01-25 15:18 . 2008-01-25 15:18 4,224 --a------ D:\WINDOWS\system32\drivers\kcp.sys
2008-01-24 05:29 . 2008-01-25 17:16 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-01-24 05:29 . 2008-01-24 05:29 1,409 --a------ D:\WINDOWS\QTFont.for
2008-01-24 01:07 . 2008-01-24 01:07 <DIR> d-------- D:\WINDOWS\Downloaded Installations
2008-01-22 04:33 . 2008-01-22 04:33 15,872 --a------ D:\WINDOWS\system32\dfsj2331.exe
2008-01-20 21:19 . 2008-01-20 21:19 29,180 --a------ D:\WINDOWS\system32\wmedia32.exe
2008-01-17 20:28 . 2008-01-17 20:28 28,672 --a------ D:\WINDOWS\system32\dfsj2323.exe
2008-01-17 07:33 . 2008-01-17 07:33 28,672 --a------ D:\WINDOWS\system32\dfsj2313.exe
2008-01-16 17:53 . 2008-01-16 17:53 28,672 --a------ D:\WINDOWS\system32\dfsj2319.exe
2008-01-16 17:53 . 2008-01-29 19:49 25,984 --a------ D:\WINDOWS\system32\drivers\Dns20.sys
2008-01-15 17:55 . 19,456 D:\WINDOWS\system32\drivers\hnkmwhuw.dat
2008-01-15 17:47 . 2008-01-15 17:47 <DIR> d-------- D:\Program Files\Audacity
2008-01-15 17:45 . 2003-04-08 13:00 84,992 --a------ D:\WINDOWS\system32\compatU.dll
2008-01-15 16:12 . 2008-01-15 16:12 60,961 --a------ D:\WINDOWS\system32\dfsj2295.exe
2008-01-15 16:11 . 2008-01-15 16:11 <DIR> dr------- D:\Documents and Settings\LocalService\Favorieten
2008-01-15 16:11 . 2008-01-15 16:11 69,632 --a------ D:\WINDOWS\system32\csrssw.dll
2008-01-15 16:11 . 2008-01-15 16:11 35,840 --a------ D:\WINDOWS\twain_32.exe
2008-01-15 16:11 . 2008-01-15 16:11 18,432 --a------ D:\WINDOWS\system32\dfsj2228.exe
2008-01-15 16:11 . 2008-01-15 16:11 10,000 --a------ D:\WINDOWS\system32\J8dj3jg.dll
2008-01-15 16:11 . 2008-01-15 16:11 10,000 --a------ D:\WINDOWS\system32\Hfkr4g.dll
2008-01-15 16:11 . 2008-01-15 16:11 7,680 --a------ D:\WINDOWS\system32\dfsj2298.exe
2008-01-15 16:11 . 2001-08-17 21:53 7,296 --a------ D:\WINDOWS\system32\drivers\changer.sys
2008-01-15 16:11 . 2001-08-17 21:53 7,296 --a--c--- D:\WINDOWS\system32\dllcache\changer.sys
2008-01-15 16:11 . 2008-01-29 16:51 96 --a------ D:\WINDOWS\system32\svchost.t__
2008-01-15 16:09 . 2008-01-29 16:58 308 --a------ D:\WINDOWS\system32\svchost.tmp
2008-01-15 14:26 . 2008-01-15 14:26 <DIR> d-------- D:\Program Files\QuickTime
2008-01-15 14:25 . 2008-01-15 14:25 <DIR> d-------- D:\Program Files\Apple Software Update
2008-01-15 14:25 . 2008-01-15 14:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-15 14:25 . 2008-01-15 14:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
2008-01-14 19:05 . 2008-01-14 19:05 <DIR> d-------- D:\WINDOWS\Sun
2008-01-14 19:05 . 2008-01-14 19:05 <DIR> d-------- D:\Documents and Settings\pieterded\.jogl_ext
2008-01-11 10:50 . 2008-01-11 10:50 244 --ah----- D:\sqmnoopt00.sqm
2008-01-11 10:50 . 2008-01-11 10:50 232 --ah----- D:\sqmdata00.sqm
2008-01-09 16:09 . 2008-01-09 16:10 <DIR> d-------- D:\Program Files\Allok 3GP PSP MP4 iPod Video Converter
2008-01-09 16:09 . 2002-10-05 07:04 921,600 --a------ D:\WINDOWS\system32\vorbisenc.dll
2008-01-09 16:09 . 2004-01-11 08:02 258,048 --a------ D:\WINDOWS\system32\GplMpgDec.ax
2008-01-09 16:09 . 2002-10-07 02:42 237,568 --a------ D:\WINDOWS\system32\OggDS.dll
2008-01-09 16:09 . 2002-10-05 07:04 188,416 --a------ D:\WINDOWS\system32\vorbis.dll
2008-01-09 16:09 . 2007-04-12 14:19 129,024 --a------ D:\WINDOWS\system32\AVERM.dll
2008-01-09 16:09 . 2002-10-05 07:04 45,056 --a------ D:\WINDOWS\system32\ogg.dll
2008-01-09 16:09 . 2006-09-26 13:57 28,672 --a------ D:\WINDOWS\system32\AVEQT.dll
2008-01-09 11:06 . 2008-01-09 11:06 <DIR> d-------- D:\Program Files\MorpheusBar
2008-01-08 18:41 . 2008-01-08 18:41 <DIR> d-------- D:\Program Files\Soldier of Fortune II - Double Helix
2008-01-08 15:12 . 2008-01-08 15:12 <DIR> d-------- D:\Program Files\Astro Gemini Software
2008-01-08 15:12 . 2008-01-08 15:12 <DIR> d-------- D:\Documents and Settings\pieterded\Application Data\Astro Gemini Software
2008-01-08 15:12 . 2007-12-12 16:34 22,495,232 --a------ D:\WINDOWS\system32\Winter Night 3D Screensaver.scr
2008-01-08 15:12 . 2007-11-06 17:46 106,496 --a------ D:\WINDOWS\system32\Astro Gemini Screensaver Manager.scr

Log report/ Wareout Fix.

Username "pieterded" - 29/01/2008 19:13:16 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdrvo.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters
"nameserver"="85.255.114.54 85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\tcpip\parameters\interfaces\{E55E6F9A-4485-42E9-9E2F-A79874A91801}
"nameserver"="85.255.114.54,85.255.112.92" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\tcpip\parameters\interfaces\{BEDFF4BB-4FFF-4DE2-81BB-3862294B9C39}
"DhcpNameServer"="85.255.114.54,85.255.112.92" <Value cleared.

De DNS-omzettingscache is leeggemaakt.

PC crashed or was not allowed to reboot.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
D:\WINDOWS\Temp\kdrvo.ren 76288 08/04/2003

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"RemoteControl"="\"D:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"InCD"="D:\\Program Files\\Ahead\\InCD\\InCD.exe"
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"D:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"WinampAgent"="\"D:\\Program Files\\Winamp\\winampa.exe\""
"SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"WMedia32"="wmedia32.exe"
"!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\ctfmon.exe"
"Vbuzzer Messenger"="D:\\Program Files\\vbuzzer\\VBuzzer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

En tot de laatste hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:56, on 2008-01-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\System32\wmedia32.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\mmall.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\vbuzzer\VBuzzer.exe
D:\Program Files\Google\Google Updater\GoogleUpdater.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\snmp.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\mmoc.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
G:\1 OA\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hln.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - D:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
F3 - REG:win.ini: run=D:\WINDOWS\mmall.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - D:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - D:\WINDOWS\System32\yatool.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll
O2 - BHO: (no name) - {BDFDF7D4-AA39-4385-9A58-ACBB9D3E4BE1} - D:\WINDOWS\System32\compatU.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - D:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - D:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WMedia32] wmedia32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft all] D:\WINDOWS\mmall.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Vbuzzer Messenger] D:\Program Files\vbuzzer\VBuzzer.exe
O4 - HKCU\..\Run: [Microsoft all] D:\WINDOWS\mmall.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = D:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Vbuzzer RSS list - D:\Program Files\vbuzzer\addurl.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E55E6F9A-4485-42E9-9E2F-A79874A91801}: NameServer = 85.255.114.54,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Microsoft I Service - Unknown owner - D:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 7919 bytes

Hopelijk ben je hier iets mee :D

Rosty

29 January 2008, 21:35

Hoi,

uw logje van Combofix is niet volledig!!!

Open Kladblok, kopiëer en plak het volgende (vetgedrukte, blauwe tekst) in een leeg venster:

File::
D:\WINDOWS\system32\dfsj2364.exe
D:\WINDOWS\mmall.exe
D:\WINDOWS\system32\dfsj2363.exe
D:\WINDOWS\system32\soepweor.tmp
D:\WINDOWS\mmoc.exe
D:\WINDOWS\mm_tmpoc.exe
D:\WINDOWS\system32\dfsj2351.exe
D:\WINDOWS\system32\oleauth32.dll
D:\WINDOWS\system32\dfsj2331.exe
D:\WINDOWS\system32\wmedia32.exe
D:\WINDOWS\system32\dfsj2323.exe
D:\WINDOWS\system32\dfsj2313.exe
D:\WINDOWS\system32\dfsj2319.exe
D:\WINDOWS\system32\drivers\hnkmwhuw.dat
D:\WINDOWS\system32\dfsj2295.exe
D:\WINDOWS\system32\csrssw.dll
D:\WINDOWS\system32\dfsj2228.exe
D:\WINDOWS\system32\J8dj3jg.dll
D:\WINDOWS\system32\Hfkr4g.dll
D:\WINDOWS\system32\dfsj2298.exe

Sla dit op op je Bureaublad als CFScript .

Sleep CFScript in ComboFix.exe zoals getoond in onderstaand voorbeeld :

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Dit zal ComboFix doen herstarten.
Start opnieuw op als daarom gevraagd wordt,
en post de inhoud van de Combofix.txt in je volgende antwoord.

29 January 2008, 22:10

Zou dit moeten zijn dan :

ComboFix 08-01-29.3 - pieterded 2008-01-29 20:58:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.31.1043.18.99 [GMT 1:00]
Gestart vanuit: D:\Documents and Settings\pieterded\Bureaublad\ComboFix.exe
Command switches used :: D:\Documents and Settings\pieterded\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

FILE
D:\WINDOWS\mm_tmpoc.exe
D:\WINDOWS\mmall.exe
D:\WINDOWS\mmoc.exe
D:\WINDOWS\system32\csrssw.dll
D:\WINDOWS\system32\dfsj2228.exe
D:\WINDOWS\system32\dfsj2295.exe
D:\WINDOWS\system32\dfsj2298.exe
D:\WINDOWS\system32\dfsj2313.exe
D:\WINDOWS\system32\dfsj2319.exe
D:\WINDOWS\system32\dfsj2323.exe
D:\WINDOWS\system32\dfsj2331.exe
D:\WINDOWS\system32\dfsj2351.exe
D:\WINDOWS\system32\dfsj2363.exe
D:\WINDOWS\system32\dfsj2364.exe
D:\WINDOWS\system32\drivers\hnkmwhuw.dat
D:\WINDOWS\system32\Hfkr4g.dll
D:\WINDOWS\system32\J8dj3jg.dll
D:\WINDOWS\system32\oleauth32.dll
D:\WINDOWS\system32\soepweor.tmp
D:\WINDOWS\system32\wmedia32.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\drivers\hnkmwhuw.dat
D:\WINDOWS\mm_tmpoc.exe
D:\WINDOWS\mmall.exe
D:\WINDOWS\mmoc.exe
D:\WINDOWS\system32\csrssw.dll
D:\WINDOWS\system32\dfsj2228.exe
D:\WINDOWS\system32\dfsj2295.exe
D:\WINDOWS\system32\dfsj2298.exe
D:\WINDOWS\system32\dfsj2313.exe
D:\WINDOWS\system32\dfsj2319.exe
D:\WINDOWS\system32\dfsj2323.exe
D:\WINDOWS\system32\dfsj2331.exe
D:\WINDOWS\system32\dfsj2351.exe
D:\WINDOWS\system32\dfsj2363.exe
D:\WINDOWS\system32\dfsj2364.exe
D:\WINDOWS\system32\drivers\hnkmwhuw.dat
D:\WINDOWS\system32\drivers\smtpdrv.sys
D:\WINDOWS\system32\Hfkr4g.dll
D:\WINDOWS\system32\J8dj3jg.dll
D:\WINDOWS\system32\oleauth32.dll
D:\WINDOWS\system32\soepweor.tmp
D:\WINDOWS\system32\wmedia32.exe
.
---- Previous Run -------
.
D:\WINDOWS\system32\drivers\symavc32.sys
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Program Files\Helper
D:\Program Files\Helper\superdirectsearch.dll
D:\WINDOWS\system32\0x57.exe
D:\WINDOWS\system32\3_exception.nls
D:\WINDOWS\system32\DefLib.sys
D:\WINDOWS\system32\drivers\NdisWon.sys
D:\WINDOWS\system32\drivers\NWE45.sys
D:\WINDOWS\system32\drivers\smtpdrv.sys
D:\WINDOWS\system32\drivers\win32.exe
D:\WINDOWS\system32\kr_done1
D:\WINDOWS\system32\mt_32.dll
D:\WINDOWS\system32\winload.dll
D:\WINDOWS\Temp\43621875.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GENERAL_SOCKET_SERVICE
-------\LEGACY_NDISWON
-------\LEGACY_NWE45
-------\LEGACY_RUNTIME
-------\LEGACY_SMTPDRV
-------\General Socket Service
-------\smtpdrv

-------\smtpdrv

(((((((((((((((((((( Bestanden Gemaakt van 2007-12-28 to 2008-01-29 ))))))))))))))))))))))))))))))
.

2008-01-29 17:45 . 2008-01-29 17:45 <DIR> d-------- D:\Program Files\Trend Micro
2008-01-29 16:35 . 2008-01-29 16:35 <DIR> d-------- D:\Documents and Settings\pieterded\Application Data\Grisoft
2008-01-29 15:41 . 2008-01-29 16:15 519,680 --a------ D:\WINDOWS\system32\winlogon.exe
2008-01-29 14:06 . 2008-01-29 18:13 <DIR> d-------- D:\Documents and Settings\pieterded\Application Data\AVG7
2008-01-29 14:06 . 2008-01-29 14:06 <DIR> d-------- D:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-29 14:06 . 2008-01-29 16:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\avg7
2008-01-29 14:05 . 2008-01-29 16:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 14:05 . 2007-05-30 13:10 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-25 16:16 . 2008-01-29 20:51 4 --a------ D:\WINDOWS\c.pid
2008-01-25 15:18 . 2008-01-25 15:18 53,248 --------- D:\WINDOWS\system32\mstscex.dll
2008-01-25 15:18 . 2008-01-25 15:18 4,224 --a------ D:\WINDOWS\system32\drivers\kcp.sys
2008-01-24 05:29 . 2008-01-25 17:16 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-01-24 05:29 . 2008-01-24 05:29 1,409 --a------ D:\WINDOWS\QTFont.for
2008-01-24 01:07 . 2008-01-24 01:07 <DIR> d-------- D:\WINDOWS\Downloaded Installations
2008-01-16 17:53 . 2008-01-29 21:01 25,984 --a------ D:\WINDOWS\system32\drivers\Dns20.sys
2008-01-15 17:47 . 2008-01-15 17:47 <DIR> d-------- D:\Program Files\Audacity
2008-01-15 17:45 . 2003-04-08 13:00 84,992 --a------ D:\WINDOWS\system32\compatU.dll
2008-01-15 16:11 . 2008-01-15 16:11 <DIR> dr------- D:\Documents and Settings\LocalService\Favorieten
2008-01-15 16:11 . 2008-01-15 16:11 35,840 --a------ D:\WINDOWS\twain_32.exe
2008-01-15 16:11 . 2001-08-17 21:53 7,296 --a------ D:\WINDOWS\system32\drivers\changer.sys
2008-01-15 16:11 . 2001-08-17 21:53 7,296 --a--c--- D:\WINDOWS\system32\dllcache\changer.sys
2008-01-15 16:11 . 2008-01-29 16:51 96 --a------ D:\WINDOWS\system32\svchost.t__
2008-01-15 16:09 . 2008-01-29 16:58 308 --a------ D:\WINDOWS\system32\svchost.tmp
2008-01-15 14:26 . 2008-01-15 14:26 <DIR> d-------- D:\Program Files\QuickTime
2008-01-15 14:25 . 2008-01-15 14:25 <DIR> d-------- D:\Program Files\Apple Software Update
2008-01-15 14:25 . 2008-01-15 14:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-15 14:25 . 2008-01-15 14:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Apple
2008-01-14 19:05 . 2008-01-14 19:05 <DIR> d-------- D:\WINDOWS\Sun
2008-01-14 19:05 . 2008-01-14 19:05 <DIR> d-------- D:\Documents and Settings\pieterded\.jogl_ext
2008-01-11 10:50 . 2008-01-11 10:50 244 --ah----- D:\sqmnoopt00.sqm
2008-01-11 10:50 . 2008-01-11 10:50 232 --ah----- D:\sqmdata00.sqm
2008-01-09 16:09 . 2008-01-09 16:10 <DIR> d-------- D:\Program Files\Allok 3GP PSP MP4 iPod Video Converter
2008-01-09 16:09 . 2002-10-05 07:04 921,600 --a------ D:\WINDOWS\system32\vorbisenc.dll
2008-01-09 16:09 . 2004-01-11 08:02 258,048 --a------ D:\WINDOWS\system32\GplMpgDec.ax
2008-01-09 16:09 . 2002-10-07 02:42 237,568 --a------ D:\WINDOWS\system32\OggDS.dll
2008-01-09 16:09 . 2002-10-05 07:04 188,416 --a------ D:\WINDOWS\system32\vorbis.dll
2008-01-09 16:09 . 2007-04-12 14:19 129,024 --a------ D:\WINDOWS\system32\AVERM.dll
2008-01-09 16:09 . 2002-10-05 07:04 45,056 --a------ D:\WINDOWS\system32\ogg.dll
2008-01-09 16:09 . 2006-09-26 13:57 28,672 --a------ D:\WINDOWS\system32\AVEQT.dll
2008-01-09 11:06 . 2008-01-09 11:06 <DIR> d-------- D:\Program Files\MorpheusBar
2008-01-08 18:41 . 2008-01-08 18:41 <DIR> d-------- D:\Program Files\Soldier of Fortune II - Double Helix
2008-01-08 15:12 . 2008-01-08 15:12 <DIR> d-------- D:\Program Files\Astro Gemini Software
2008-01-08 15:12 . 2008-01-08 15:12 <DIR> d-------- D:\Documents and Settings\pieterded\Application Data\Astro Gemini Software
2008-01-08 15:12 . 2007-12-12 16:34 22,495,232 --a------ D:\WINDOWS\system32\Winter Night 3D Screensaver.scr
2008-01-08 15:12 . 2007-11-06 17:46 106,496 --a------ D:\WINDOWS\system32\Astro Gemini Screensaver Manager.scr

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-29 04:23 --------- d-----w D:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-28 23:21 --------- d-----w D:\Documents and Settings\pieterded\Application Data\Skype
2008-01-28 23:08 --------- d-----w D:\Documents and Settings\pieterded\Application Data\skypePM
2008-01-17 07:57 --------- d-----w D:\Documents and Settings\pieterded\Application Data\LimeWire
2008-01-09 15:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\WinZip
2008-01-09 10:06 --------- d-----w D:\Program Files\Morpheus
2007-12-24 09:24 --------- d-----w D:\Program Files\7-Zip
2007-12-13 00:17 --------- d-----w D:\Documents and Settings\pieterded\Application Data\Morpheus
2007-12-12 00:16 --------- d-----w D:\Program Files\LimeWire
2007-12-12 00:15 --------- d-----w D:\Program Files\Java
2007-12-12 00:14 --------- d-----w D:\Program Files\Common Files\Java
2007-12-11 22:18 32 ----a-w D:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-11 22:17 --------- d-----w D:\Program Files\Skype
2007-12-11 22:17 --------- d-----w D:\Program Files\Common Files\Skype
2007-12-11 22:17 --------- d-----w D:\Documents and Settings\All Users\Application Data\Skype
2007-12-08 01:02 9,728 ----a-w D:\WINDOWS\system32\dhcpserv.dll
2007-12-08 01:02 8,192 ----a-w D:\WINDOWS\system32\regapi32.dll
2007-12-08 01:02 8,192 ----a-w D:\WINDOWS\system32\dcphnet.dll
2007-12-08 01:02 5,632 ----a-w D:\WINDOWS\system32\ftpsystem.dll
2007-12-08 01:02 5,120 ----a-w D:\WINDOWS\system32\netd.dll
2007-12-08 01:02 3,072 ----a-w D:\WINDOWS\system32\pxcrt.dll
2007-12-08 01:02 3,072 ----a-w D:\WINDOWS\system32\kbdsdf.dll
2007-12-08 01:01 9,216 ----a-w D:\WINDOWS\system32\rcpdu.dll
2007-12-08 01:01 8,192 ----a-w D:\WINDOWS\system32\iphelp.dll
2007-12-08 01:01 7,168 ----a-w D:\WINDOWS\system32\protect.dll
2007-12-08 01:01 5,120 ----a-w D:\WINDOWS\system32\rsh.dll
2007-12-08 01:01 4,608 ----a-w D:\WINDOWS\system32\psx.dll
2007-12-08 01:01 4,608 ----a-w D:\WINDOWS\system32\credigui.dll
2007-12-08 01:01 4,096 ----a-w D:\WINDOWS\system32\mscert.dll
2007-12-04 22:11 --------- d-----w D:\Documents and Settings\pieterded\Application Data\Winamp
2007-12-04 21:49 --------- d-----w D:\Program Files\Common Files\NSV
2007-12-04 21:48 --------- d-----w D:\Program Files\Winamp
2007-11-18 21:06 1,392,671 ----a-w D:\WINDOWS\system32\msvbvm60.dll
2005-03-31 21:17 40,960 ----a-w D:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54C7D1DD-4296-451e-B756-1E94F665B4FF}]
D:\WINDOWS\System32\yatool.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDFDF7D4-AA39-4385-9A58-ACBB9D3E4BE1}]
2003-04-08 13:00 84992 --a------ D:\WINDOWS\System32\compatU.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\ctfmon.exe" [2003-04-08 13:00 13312]
"Vbuzzer Messenger"="D:\Program Files\vbuzzer\VBuzzer.exe" [2007-04-13 23:39 5980160]
"Microsoft all"="D:\WINDOWS\mmall.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"RemoteControl"="D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"InCD"="D:\Program Files\Ahead\InCD\InCD.exe" [2005-06-10 15:20 1397760]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon"="D:\WINDOWS\System32\NvCpl.dll" [2004-09-30 06:35 4603904]
"nwiz"="nwiz.exe" [2004-09-30 06:35 921600 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\System32\NvMcTray.dll" [2004-09-30 06:35 86016]
"SoundMAXPnP"="D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-09-20 15:50 1404928]
"SoundMAX"="D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:28 708608]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"WMedia32"="wmedia32.exe" []
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-29 17:01 579072]
"Microsoft all"="D:\WINDOWS\mmall.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.EXE" [2003-04-08 13:00 13312]
"Microsoft all"="D:\WINDOWS\mmall.exe" [ ]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-29 16:59 219136]

D:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Google Updater.lnk - D:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-23 00:24:09 126136]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Dns20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\General Socket Service]
@="Service"

R0 Dns20;Dns20;D:\WINDOWS\System32\Drivers\Dns20.sys [2008-01-29 21:01]
R1 kcp;kcp;D:\WINDOWS\system32\drivers\kcp.sys [2008-01-25 15:18]
S0 abpxsxrm;abpxsxrm;D:\WINDOWS\System32\drivers\hnkm whuw.dat []
S2 Microsoft I Service;Microsoft I Service;D:\WINDOWS\System32\_svchost.exe []
S3 CTSFSYN;Creative SoundFont Synth;D:\WINDOWS\System32\drivers\ctsfsyn.sys [2004-08-24 09:03]

.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 21:02:31
Windows 5.1.2600 Service Pack 1 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

************************************************** ************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\WINDOWS\System32\mstscex.dll

PROCESS: D:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> D:\Program Files\WinRAR\rarext.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\snmp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\vbuzzer\VBuzzer.exe
D:\Program Files\Google\Google Updater\GoogleUpdater.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\System32\wdfmgr.exe
.
************************************************** ************************
.
Voltooingstijd: 2008-01-29 21:03:56 - machine was rebooted [pieterded]
ComboFix-quarantined-files.txt 2008-01-29 20:03:54

Rosty

29 January 2008, 22:26

Hoi,

open HijackThis, klik op do a scan only en vink volgende regels aan:

F3 - REG:win.ini: run=D:\WINDOWS\mmall.exe
O4 - HKLM\..\Run: [WMedia32] wmedia32.exe
O4 - HKCU\..\Run: [Microsoft all] D:\WINDOWS\mmall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E55E6F9A-4485-42E9-9E2F-A79874A91801}: NameServer = 85.255.114.54,85.255.112.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.54 85.255.112.92

Sluit alle open vensters, behalve HijackThis, en klik op Fix Checked. Sluit HijackThis.

* Leeg de Cache and Cookies in IE: Sluit Internet Explorer.
Ga naar Configuratiescherm > Internet Opties > tab Algemeen
Klik de Cookies verwijderen knop
Klik op de Bestanden verwijderen knop ernaast
Vink aan: Ook alle off line items verwijderen, klik OK* Leeg de Cache and Cookies in Firefox (In geval Firefox geïnstalleerd is): Ga naar Extra > Opties.
Klik Privacy in het menu.
Klik op de knop Wissen (Geschiedenis, Cookies, Cache).
Klik OK om het venster opnieuw te sluiten. * Leeg andere Temporary files + Prullenbak Ga naar Start > Uitvoeren en typ: cleanmgr en klik ok.
Laat het je systeem scannen op bestanden die moeten verwijderd worden
Zorg er wel voor dat je daar enkel maar 'tijdelijke bestanden', 'tijdelijke internetbestanden'en 'prullenbak'staan aangevinkt.
Klik daarna op OK.
* Defragmenteer de harde schijf eens
Dit raad ik je aan om in veilige modus (http://users.pandora.be/marcvn/spyware/1378056.htm) te doen. Indien je opstart in veilige modus is handig dat je al het onderstaande opslaat en/of uit print omdat je de verdere instructies niet kunt terug vinden in veilige modus:
Ga naar Start -- Uitvoeren
Typ in: dfrg.msc en druk op Ok.
Druk nu op 'Defragmenteren'.
Als dit klaar is kan je de PC weer herstarten. Post een nieuw HijackThis logje.

30 January 2008, 19:30

hey rosty ik moest gisteren onverwacht weg waardoor ik niet meer heb verder kunnen doen met het logje enz. Nu met grotere problemen tot gevolg , pc had ik laten aanstaan en die is blijkbaar uit zichzelf terug opgestart en beland op dat blauw scherm ( waar ik de eerste post over sprak) met de foutmelding :

stop c000210
windows logon process onverwacht afgebroken
status 0x0000034 ( 0x00000000 0x00000000)
systeem afgebroken.

Ik Wil de pc heropstarten en terug zetten naar de configuratie van de vorige juiste instellingen maar het lukt niet meer , terug deze foutmelding. Ik Besluit in veilige modus op te starten en zelfs dit werkt ook niet meer.

Dus opstarten lukt gewoon niet meer. hij start op tot aan het windows xp logo ( waar dat lopertje onderstaat ) en herstart zich nadien met de foutmelding.... steeds hetzelfde :eek:.

Dus niets is meer mogelijk.

Enige idee hoe ik hier uit kan geraken?
( en mmm idd zou windows cd rom kunnen gebruiken heb die niet direct ter beschikking ).

groeten

Rosty

31 January 2008, 17:33