dogegg
8 March 2008, 21:02
Een week geleden heb ik iets op mijn computer gekregen, wat nogal wat problemen veroorzaakte: pop-up meldingen over virus infecties, trage pc, geen toegang meer tot configuratie scherm, geen rechten meer als systeembeheerder, etc.
Met behulp van diverse programma's (Spybot, Spyware Doctor, Spysweeper, Ad-aware, AVG, McAfee, CCleaner, Rvaxo, Combofix) heb ik inmiddels de meeste ellende kunnen verwijderen.
Het bestand WLCtrl32.dll raak ik echter maar niet kwijt; ik kan met Combofix het bestand en de verwijzing in het register verwijderen, maar na het opnieuw opstarten van de computer is hij er weer:
C:\WINDOWS\system32\WLCtrl32.dll
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
Graag ontvang ik enige hulp bij het definitief verwijderen van dit bestand en van eventuele andere ellende die dit ding steeds weer terug zet.
Hierbij mijn Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:55, on 8-3-2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Network Associates\VirusScan\VsTskMgr.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Agnitum\Outpost Firewall\outpost.exe
G:\WINDOWS\System32\PnkBstrA.exe
G:\WINDOWS\System32\UAService7.exe
E:\Webroot\Spy Sweeper\SpySweeper.exe
G:\WINDOWS\explorer.exe
E:\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - E:\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - G:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - G:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - G:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - E:\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PACSPTISVR - Sony Corporation - G:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - G:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - G:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - G:\WINDOWS\System32\UAService7.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 5551 bytes
En de Combofix log:
ComboFix 08-03-06.4 - Gerben 2008-03-08 17:57:24.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1043.18.204 [GMT 1:00]
Gestart vanuit: G:\Documents and Settings\Gerben\Bureaublad\ComboFix.exe
Command switches used :: G:\Documents and Settings\Gerben\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
FILE ::
G:\WINDOWS\system32\WLCtrl32.dll
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\WINDOWS\system32\WLCtrl32.dll
.
(((((((((((((((((((( Bestanden Gemaakt van 2008-02-08 to 2008-03-08 ))))))))))))))))))))))))))))))
.
2008-03-08 17:50 . 2008-03-08 17:56 <DIR> dr-h----- G:\Documents and Settings\Gerben\Onlangs geopend
2008-03-07 18:12 . 2008-03-07 18:12 1,766 --a------ G:\WINDOWS\system32\tmp.reg
2008-03-07 17:12 . 2008-02-21 11:42 943 --a------ G:\WINDOWS\system32\RVAXO-uninstaller.bat
2008-03-07 15:32 . 2008-02-29 14:06 714,053 --a------ G:\WINDOWS\system32\RVAXO.bat
2008-03-07 15:32 . 2001-10-01 14:51 69,632 --a------ G:\WINDOWS\system32\remove.exe
2008-03-07 15:32 . 2007-07-04 20:32 16,384 --a------ G:\WINDOWS\system32\Restart.exe
2008-03-01 18:50 . 2008-03-08 18:00 49 --a------ G:\WINDOWS\transp.gif
2008-02-29 19:14 . 2005-03-18 22:29 <DIR> d--h----- G:\Documents and Settings\Administrator\Sjablonen
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d--h----- G:\Documents and Settings\Administrator\Onlangs geopend
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d--h----- G:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d-------- G:\Documents and Settings\Administrator\Mijn documenten
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> dr------- G:\Documents and Settings\Administrator\Menu Start
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d-------- G:\Documents and Settings\Administrator\Favorieten
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d-------- G:\Documents and Settings\Administrator\Bureaublad
2008-02-29 18:58 . 2008-02-29 18:58 <DIR> d-------- G:\Program Files\Common Files\Agnitum Shared
2008-02-29 17:25 . 2008-03-03 23:00 <DIR> d-a------ G:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 17:25 . 2007-12-10 14:53 81,288 --a------ G:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-29 17:25 . 2007-12-10 14:53 66,952 --a------ G:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-29 17:25 . 2007-12-10 14:53 41,864 --a------ G:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-29 17:25 . 2007-12-10 14:53 29,576 --a------ G:\WINDOWS\system32\drivers\kcom.sys
2008-02-29 14:33 . 2008-02-29 14:33 <DIR> d-------- G:\Documents and Settings\Gerben\Application Data\Webroot
2008-02-29 14:33 . 2008-02-29 14:33 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Webroot
2008-02-29 14:33 . 2008-01-04 20:56 1,526,640 --a------ G:\WINDOWS\WRSetup.dll
2008-02-29 14:33 . 2008-01-04 20:34 163,696 --a------ G:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-29 14:33 . 2008-01-04 20:34 23,920 --a------ G:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-29 14:33 . 2008-01-04 20:34 21,872 --a------ G:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-29 14:33 . 2008-01-04 20:34 20,336 --a------ G:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-29 14:17 . 2008-02-29 14:17 51,968 --a------ G:\WINDOWS\system32\drivers\nkv2.sys
2008-02-29 11:30 . 2008-02-29 11:30 <DIR> d-------- G:\Documents and Settings\Gerben\Application Data\Malwarebytes
2008-02-29 11:23 . 2008-02-29 11:23 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-29 11:22 . 2008-02-29 11:22 <DIR> d-------- G:\Program Files\Common Files\Download Manager
2008-02-28 19:42 . 2008-02-28 19:42 18,989 --a------ G:\WINDOWS\iquc.ban
2008-02-28 19:42 . 2008-02-28 19:42 17,953 --a------ G:\WINDOWS\system32\obepygu.ban
2008-02-28 19:42 . 2008-02-28 19:42 15,896 --a------ G:\WINDOWS\ririx.dl
2008-02-28 19:42 . 2008-02-28 19:42 12,565 --a------ G:\WINDOWS\gero.lib
2008-02-28 19:42 . 2008-02-28 19:42 11,589 --a------ G:\WINDOWS\system32\cefizocoxy._sy
2008-02-28 19:22 . 2008-03-01 19:07 26,240 --a------ G:\WINDOWS\system32\drivers\Yiu73.sys
2008-02-28 19:22 . 2008-02-28 19:22 15,594 --a------ G:\WINDOWS\system32\ypynaqy.lib
2008-02-28 19:22 . 2008-02-28 19:22 14,077 --a------ G:\Documents and Settings\Gerben\Application Data\limibav.bin
2008-02-28 19:22 . 2008-02-28 19:22 12,416 --a------ G:\WINDOWS\bihyfil.db
2008-02-21 21:46 . 2008-02-21 21:45 44,544 -r-hs---- G:\WINDOWS\system32\1198583265v.exe
2008-02-17 16:13 . 2008-02-17 16:13 <DIR> d-------- G:\Documents and Settings\Gerben\Application Data\Sierra Entertainment
2008-02-15 17:07 . 2008-02-15 17:08 144 --ahs---- G:\WINDOWS\system32\1198583265.dat
2008-02-15 17:06 . 2008-02-15 17:05 45,568 -r-hs---- G:\WINDOWS\system32\6to4svci.exe
2008-02-15 17:06 . 2008-02-15 17:05 44,544 -r-hs---- G:\WINDOWS\system32\ALSNDMGRb.exe
2008-02-13 20:12 . 2008-02-13 20:12 16,896 --a------ G:\Documents and Settings\Gerben\winmuwe.exe
2008-02-10 20:59 . 2008-02-14 20:23 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Firefly Studios
2008-02-08 19:54 . 2008-02-21 21:45 179,200 --a------ G:\WINDOWS\svx.exe
2008-02-08 19:54 . 2008-02-21 21:45 179,200 --a------ G:\WINDOWS\svw.exe
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-03-01 18:45 --------- d-----w G:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 18:42 15,308 ----a-w G:\Program Files\Common Files\towiby.db
2008-02-28 14:38 --------- d-----w G:\Documents and Settings\Gerben\Application Data\Azureus
2008-02-22 22:16 --------- d--h--w G:\Program Files\InstallShield Installation Information
2008-02-17 15:31 --------- d-----w G:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 18:03 --------- d-----w G:\Documents and Settings\Gerben\Application Data\ATI
2008-02-01 18:03 --------- d-----w G:\Documents and Settings\All Users\Application Data\ATI
2008-02-01 17:58 --------- d-----w G:\Program Files\ATI Technologies
2008-01-22 13:49 --------- d-----w G:\Documents and Settings\Gerben\Application Data\My Battle for Middle-earth Files
2008-01-05 22:53 10,219,835 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_23_49_39.dmp.zip
2008-01-05 22:07 10,400,398 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_50_41.dmp.zip
2008-01-05 22:07 10,231,189 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_52_34.dmp.zip
2008-01-05 20:50 10,229,067 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_44_00.dmp.zip
2008-01-05 20:43 10,246,845 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_36_18.dmp.zip
2008-01-05 20:42 10,412,021 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_34_58.dmp.zip
2008-01-05 20:42 10,246,467 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_36_16.dmp.zip
2008-01-05 20:34 10,396,982 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_29_40.dmp.zip
2008-01-05 20:34 10,244,644 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_32_07.dmp.zip
2008-01-05 20:34 10,231,167 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_31_12.dmp.zip
2006-05-22 17:08 1 -c--a-w G:\Documents and Settings\Gerben\SI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\System32\CTFMON.EXE" [2002-09-09 14:08 13312]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\G:^Documents and Settings^Gerben^Menu Start^Programma's^Opstarten^SpywareBlaster.lnk]
backup=G:\WINDOWS\pss\SpywareBlaster.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplore.exe]
--a------ 2002-09-09 14:08 91136 G:\Program Files\Internet Explorer\iexplore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2003-02-26 12:00 139347 G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2003-04-14 19:30 1491216 G:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
--a------ 2003-03-21 07:00 90182 E:\Network Associates\VirusScan\SHSTAT.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-08-15 08:34 57344 G:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-01-04 20:56 5367664 E:\Webroot\Spy Sweeper\SpySweeperUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2006-01-07 02:36 81920 D:\muziek\SONICS~1\SsAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-05 21:26 68856 G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"OutpostFirewall"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);G:\WINDOWS\System32\drivers\sfsync03.sys [2005-12-06 16:11]
R0 Yiu73;Yiu73;G:\WINDOWS\System32\Drivers\Yiu73.sys [2008-03-01 19:07]
R1 SandBox;Outpost Firewall Sandbox Driver;E:\Agnitum\Outpost Firewall\kernel\Sandbox.SYS [2006-10-26 17:27]
R1 VFILT;Outpost Firewall Kernel Driver;E:\Agnitum\Outpost Firewall\kernel\FILTNT.SYS [2006-10-20 14:48]
R2 ithsgt;ithsgt;G:\WINDOWS\System32\DRIVERS\ithsgt.s ys [2006-04-22 19:07]
R2 lilsgt;lilsgt;G:\WINDOWS\System32\DRIVERS\lilsgt.s ys [2006-04-22 19:07]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);E:\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL [2006-10-20 14:49]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);E:\Agnitum\Outpost Firewall\kernel\ARP.DLL [2006-10-20 14:49]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);E:\Agnitum\Outpost Firewall\kernel\CONTENT.DLL [2006-10-20 14:49]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);E:\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL [2006-10-20 14:49]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL [2006-10-20 14:49]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL [2006-10-20 14:49]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL [2006-10-20 14:49]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL [2006-10-20 14:49]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL [2006-10-20 14:49]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL [2006-10-20 14:49]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);E:\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL [2006-10-20 14:49]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);E:\Agnitum\Outpost Firewall\kernel\PROTECT.DLL [2006-10-20 14:49]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);E:\Agnitum\Outpost Firewall\kernel\SECRET.DLL [2006-10-20 14:49]
S3 AONMDI;AONMDI;G:\WINDOWS\System32\AONMDI.SYS [2003-03-11 19:15]
S3 USB2_04;USB2_04 driver;G:\WINDOWS\System32\drivers\nkv2.sys [2008-02-29 14:17]
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 18:04:01
Windows 5.1.2600 Service Pack 1 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
************************************************** ************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
PROCESS: G:\WINDOWS\system32\winlogon.exe
-> G:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Network Associates\VirusScan\VsTskMgr.exe
G:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Agnitum\Outpost Firewall\outpost.exe
G:\WINDOWS\System32\PnkBstrA.exe
G:\WINDOWS\System32\wdfmgr.exe
G:\WINDOWS\System32\UAService7.exe
E:\Webroot\Spy Sweeper\SpySweeper.exe
.
************************************************** ************************
.
Voltooingstijd: 2008-03-08 18:05:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 17:05:39
ComboFix2.txt 2008-03-08 15:27:01
ComboFix3.txt 2008-03-08 15:22:45
ComboFix4.txt 2008-03-08 13:25:14
ComboFix5.txt 2008-03-08 12:54:58
Met behulp van diverse programma's (Spybot, Spyware Doctor, Spysweeper, Ad-aware, AVG, McAfee, CCleaner, Rvaxo, Combofix) heb ik inmiddels de meeste ellende kunnen verwijderen.
Het bestand WLCtrl32.dll raak ik echter maar niet kwijt; ik kan met Combofix het bestand en de verwijzing in het register verwijderen, maar na het opnieuw opstarten van de computer is hij er weer:
C:\WINDOWS\system32\WLCtrl32.dll
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
Graag ontvang ik enige hulp bij het definitief verwijderen van dit bestand en van eventuele andere ellende die dit ding steeds weer terug zet.
Hierbij mijn Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:55, on 8-3-2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Network Associates\VirusScan\VsTskMgr.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Agnitum\Outpost Firewall\outpost.exe
G:\WINDOWS\System32\PnkBstrA.exe
G:\WINDOWS\System32\UAService7.exe
E:\Webroot\Spy Sweeper\SpySweeper.exe
G:\WINDOWS\explorer.exe
E:\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - E:\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - G:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - G:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - G:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - E:\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PACSPTISVR - Sony Corporation - G:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - G:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - G:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - G:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - G:\WINDOWS\System32\UAService7.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 5551 bytes
En de Combofix log:
ComboFix 08-03-06.4 - Gerben 2008-03-08 17:57:24.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1043.18.204 [GMT 1:00]
Gestart vanuit: G:\Documents and Settings\Gerben\Bureaublad\ComboFix.exe
Command switches used :: G:\Documents and Settings\Gerben\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
FILE ::
G:\WINDOWS\system32\WLCtrl32.dll
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\WINDOWS\system32\WLCtrl32.dll
.
(((((((((((((((((((( Bestanden Gemaakt van 2008-02-08 to 2008-03-08 ))))))))))))))))))))))))))))))
.
2008-03-08 17:50 . 2008-03-08 17:56 <DIR> dr-h----- G:\Documents and Settings\Gerben\Onlangs geopend
2008-03-07 18:12 . 2008-03-07 18:12 1,766 --a------ G:\WINDOWS\system32\tmp.reg
2008-03-07 17:12 . 2008-02-21 11:42 943 --a------ G:\WINDOWS\system32\RVAXO-uninstaller.bat
2008-03-07 15:32 . 2008-02-29 14:06 714,053 --a------ G:\WINDOWS\system32\RVAXO.bat
2008-03-07 15:32 . 2001-10-01 14:51 69,632 --a------ G:\WINDOWS\system32\remove.exe
2008-03-07 15:32 . 2007-07-04 20:32 16,384 --a------ G:\WINDOWS\system32\Restart.exe
2008-03-01 18:50 . 2008-03-08 18:00 49 --a------ G:\WINDOWS\transp.gif
2008-02-29 19:14 . 2005-03-18 22:29 <DIR> d--h----- G:\Documents and Settings\Administrator\Sjablonen
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d--h----- G:\Documents and Settings\Administrator\Onlangs geopend
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d--h----- G:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d-------- G:\Documents and Settings\Administrator\Mijn documenten
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> dr------- G:\Documents and Settings\Administrator\Menu Start
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d-------- G:\Documents and Settings\Administrator\Favorieten
2008-02-29 19:14 . 2005-03-18 23:22 <DIR> d-------- G:\Documents and Settings\Administrator\Bureaublad
2008-02-29 18:58 . 2008-02-29 18:58 <DIR> d-------- G:\Program Files\Common Files\Agnitum Shared
2008-02-29 17:25 . 2008-03-03 23:00 <DIR> d-a------ G:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 17:25 . 2007-12-10 14:53 81,288 --a------ G:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-29 17:25 . 2007-12-10 14:53 66,952 --a------ G:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-29 17:25 . 2007-12-10 14:53 41,864 --a------ G:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-29 17:25 . 2007-12-10 14:53 29,576 --a------ G:\WINDOWS\system32\drivers\kcom.sys
2008-02-29 14:33 . 2008-02-29 14:33 <DIR> d-------- G:\Documents and Settings\Gerben\Application Data\Webroot
2008-02-29 14:33 . 2008-02-29 14:33 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Webroot
2008-02-29 14:33 . 2008-01-04 20:56 1,526,640 --a------ G:\WINDOWS\WRSetup.dll
2008-02-29 14:33 . 2008-01-04 20:34 163,696 --a------ G:\WINDOWS\system32\drivers\ssidrv.sys
2008-02-29 14:33 . 2008-01-04 20:34 23,920 --a------ G:\WINDOWS\system32\drivers\sskbfd.sys
2008-02-29 14:33 . 2008-01-04 20:34 21,872 --a------ G:\WINDOWS\system32\drivers\sshrmd.sys
2008-02-29 14:33 . 2008-01-04 20:34 20,336 --a------ G:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-02-29 14:17 . 2008-02-29 14:17 51,968 --a------ G:\WINDOWS\system32\drivers\nkv2.sys
2008-02-29 11:30 . 2008-02-29 11:30 <DIR> d-------- G:\Documents and Settings\Gerben\Application Data\Malwarebytes
2008-02-29 11:23 . 2008-02-29 11:23 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-29 11:22 . 2008-02-29 11:22 <DIR> d-------- G:\Program Files\Common Files\Download Manager
2008-02-28 19:42 . 2008-02-28 19:42 18,989 --a------ G:\WINDOWS\iquc.ban
2008-02-28 19:42 . 2008-02-28 19:42 17,953 --a------ G:\WINDOWS\system32\obepygu.ban
2008-02-28 19:42 . 2008-02-28 19:42 15,896 --a------ G:\WINDOWS\ririx.dl
2008-02-28 19:42 . 2008-02-28 19:42 12,565 --a------ G:\WINDOWS\gero.lib
2008-02-28 19:42 . 2008-02-28 19:42 11,589 --a------ G:\WINDOWS\system32\cefizocoxy._sy
2008-02-28 19:22 . 2008-03-01 19:07 26,240 --a------ G:\WINDOWS\system32\drivers\Yiu73.sys
2008-02-28 19:22 . 2008-02-28 19:22 15,594 --a------ G:\WINDOWS\system32\ypynaqy.lib
2008-02-28 19:22 . 2008-02-28 19:22 14,077 --a------ G:\Documents and Settings\Gerben\Application Data\limibav.bin
2008-02-28 19:22 . 2008-02-28 19:22 12,416 --a------ G:\WINDOWS\bihyfil.db
2008-02-21 21:46 . 2008-02-21 21:45 44,544 -r-hs---- G:\WINDOWS\system32\1198583265v.exe
2008-02-17 16:13 . 2008-02-17 16:13 <DIR> d-------- G:\Documents and Settings\Gerben\Application Data\Sierra Entertainment
2008-02-15 17:07 . 2008-02-15 17:08 144 --ahs---- G:\WINDOWS\system32\1198583265.dat
2008-02-15 17:06 . 2008-02-15 17:05 45,568 -r-hs---- G:\WINDOWS\system32\6to4svci.exe
2008-02-15 17:06 . 2008-02-15 17:05 44,544 -r-hs---- G:\WINDOWS\system32\ALSNDMGRb.exe
2008-02-13 20:12 . 2008-02-13 20:12 16,896 --a------ G:\Documents and Settings\Gerben\winmuwe.exe
2008-02-10 20:59 . 2008-02-14 20:23 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Firefly Studios
2008-02-08 19:54 . 2008-02-21 21:45 179,200 --a------ G:\WINDOWS\svx.exe
2008-02-08 19:54 . 2008-02-21 21:45 179,200 --a------ G:\WINDOWS\svw.exe
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-03-01 18:45 --------- d-----w G:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 18:42 15,308 ----a-w G:\Program Files\Common Files\towiby.db
2008-02-28 14:38 --------- d-----w G:\Documents and Settings\Gerben\Application Data\Azureus
2008-02-22 22:16 --------- d--h--w G:\Program Files\InstallShield Installation Information
2008-02-17 15:31 --------- d-----w G:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 18:03 --------- d-----w G:\Documents and Settings\Gerben\Application Data\ATI
2008-02-01 18:03 --------- d-----w G:\Documents and Settings\All Users\Application Data\ATI
2008-02-01 17:58 --------- d-----w G:\Program Files\ATI Technologies
2008-01-22 13:49 --------- d-----w G:\Documents and Settings\Gerben\Application Data\My Battle for Middle-earth Files
2008-01-05 22:53 10,219,835 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_23_49_39.dmp.zip
2008-01-05 22:07 10,400,398 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_50_41.dmp.zip
2008-01-05 22:07 10,231,189 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_52_34.dmp.zip
2008-01-05 20:50 10,229,067 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_44_00.dmp.zip
2008-01-05 20:43 10,246,845 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_36_18.dmp.zip
2008-01-05 20:42 10,412,021 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_34_58.dmp.zip
2008-01-05 20:42 10,246,467 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_36_16.dmp.zip
2008-01-05 20:34 10,396,982 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_29_40.dmp.zip
2008-01-05 20:34 10,244,644 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_32_07.dmp.zip
2008-01-05 20:34 10,231,167 ----a-w G:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_05_21_31_12.dmp.zip
2006-05-22 17:08 1 -c--a-w G:\Documents and Settings\Gerben\SI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\System32\CTFMON.EXE" [2002-09-09 14:08 13312]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\G:^Documents and Settings^Gerben^Menu Start^Programma's^Opstarten^SpywareBlaster.lnk]
backup=G:\WINDOWS\pss\SpywareBlaster.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplore.exe]
--a------ 2002-09-09 14:08 91136 G:\Program Files\Internet Explorer\iexplore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2003-02-26 12:00 139347 G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2003-04-14 19:30 1491216 G:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
--a------ 2003-03-21 07:00 90182 E:\Network Associates\VirusScan\SHSTAT.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-08-15 08:34 57344 G:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-01-04 20:56 5367664 E:\Webroot\Spy Sweeper\SpySweeperUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2006-01-07 02:36 81920 D:\muziek\SONICS~1\SsAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-05 21:26 68856 G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"OutpostFirewall"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);G:\WINDOWS\System32\drivers\sfsync03.sys [2005-12-06 16:11]
R0 Yiu73;Yiu73;G:\WINDOWS\System32\Drivers\Yiu73.sys [2008-03-01 19:07]
R1 SandBox;Outpost Firewall Sandbox Driver;E:\Agnitum\Outpost Firewall\kernel\Sandbox.SYS [2006-10-26 17:27]
R1 VFILT;Outpost Firewall Kernel Driver;E:\Agnitum\Outpost Firewall\kernel\FILTNT.SYS [2006-10-20 14:48]
R2 ithsgt;ithsgt;G:\WINDOWS\System32\DRIVERS\ithsgt.s ys [2006-04-22 19:07]
R2 lilsgt;lilsgt;G:\WINDOWS\System32\DRIVERS\lilsgt.s ys [2006-04-22 19:07]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);E:\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL [2006-10-20 14:49]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);E:\Agnitum\Outpost Firewall\kernel\ARP.DLL [2006-10-20 14:49]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);E:\Agnitum\Outpost Firewall\kernel\CONTENT.DLL [2006-10-20 14:49]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);E:\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL [2006-10-20 14:49]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL [2006-10-20 14:49]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL [2006-10-20 14:49]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL [2006-10-20 14:49]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL [2006-10-20 14:49]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL [2006-10-20 14:49]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);E:\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL [2006-10-20 14:49]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);E:\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL [2006-10-20 14:49]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);E:\Agnitum\Outpost Firewall\kernel\PROTECT.DLL [2006-10-20 14:49]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);E:\Agnitum\Outpost Firewall\kernel\SECRET.DLL [2006-10-20 14:49]
S3 AONMDI;AONMDI;G:\WINDOWS\System32\AONMDI.SYS [2003-03-11 19:15]
S3 USB2_04;USB2_04 driver;G:\WINDOWS\System32\drivers\nkv2.sys [2008-02-29 14:17]
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 18:04:01
Windows 5.1.2600 Service Pack 1 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
************************************************** ************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
PROCESS: G:\WINDOWS\system32\winlogon.exe
-> G:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
G:\WINDOWS\System32\Ati2evxx.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Network Associates\VirusScan\VsTskMgr.exe
G:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Agnitum\Outpost Firewall\outpost.exe
G:\WINDOWS\System32\PnkBstrA.exe
G:\WINDOWS\System32\wdfmgr.exe
G:\WINDOWS\System32\UAService7.exe
E:\Webroot\Spy Sweeper\SpySweeper.exe
.
************************************************** ************************
.
Voltooingstijd: 2008-03-08 18:05:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 17:05:39
ComboFix2.txt 2008-03-08 15:27:01
ComboFix3.txt 2008-03-08 15:22:45
ComboFix4.txt 2008-03-08 13:25:14
ComboFix5.txt 2008-03-08 12:54:58