View Full Version : 100%

Keno
5 December 2008, 17:16
Good day

For the last week I have been having problems with my laptop.
The CPU sometimes stays stuck at 100% even when I'm not doing anything, and then the only solution is to restart the laptop.
Would you take a look at my logfile and tell me what I should do?
It mostly hangs on explorer.exe and winlogon.exe.
Here's my log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:53:53, on 5/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\flexnet\i486_nt\obj\ptc_d.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O2 - BHO: System - {D1C8F9CE-563E-11D8-813C-005022E14DE3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://C:\Program Files\proeWildfire 3.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217940603837
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217942351860
O16 - DPF: {89869334-AA13-489A-9A07-2BA062714A29} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab
O16 - DPF: {C9A703E2-3145-11D8-813C-005022E14DE2} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/LNMClientInstaller.cab
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6675 bytes

Thanks in advance
Koen

Rosty
5 December 2008, 18:37
Download MBAM (Malwarebytes' Anti-Malware) from here (http://www.besttechie.net/tools/mbam-setup.exe) or here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html).
Double-click mbam-setup.exe to install the program.
Make sure there is a checkmark in front of Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click "Finish".
If an update is found, it will be downloaded and installed.
When the program is fully up to date, select "Quick Scan" in the Scanner tab, then click Scan.
Scanning can take a while, so be patient.
When the scan is complete, click OK, then "Show Results" to see the results.
Make sure everything there is checked, then click: Remove Selected.
After the removal a log will open and you will be asked to restart the computer. (See below)
The log is saved automatically by MBAM and you can find it by clicking the "Logs" tab in MBAM.
Copy and paste the contents of the log in your next reply, together with a new HijackThis log.

If MBAM has difficulty removing certain files, it will show a few prompts where you have to click OK.
It will then ask to restart the computer... so allow MBAM to restart the computer.

Keno
8 December 2008, 23:05
OK, I ran that program and it also found some things that it couldn't remove.
That's why I ran it twice. See my logs here

Malwarebytes' Anti-Malware 1.31
Database versie: 1456
Windows 5.1.2600 Service Pack 1

8/12/2008 21:36:09
mbam-log-2008-12-08 (21-36-09).txt

Scan type: Snelle Scan
Objecten gescand: 57393
Verstreken tijd: 6 minute(s), 16 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 1
Registersleutels geïnfecteerd: 9
Registerwaarden geïnfecteerd: 4
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 4

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
C:\WINDOWS\system32\whkonck.dll (Trojan.Vundo.H) -> Delete on reboot.

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377b8674-8b07-4731-929f-c388b0166c6a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vklcjrfi (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{377b8674-8b07-4731-929f-c388b0166c6a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc7d59e2-08a5-49e1-a7ae-4d913330c6d1} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{bc7d59e2-08a5-49e1-a7ae-4d913330c6d1} (Trojan.BHO.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bpjwpzni (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\bpjwpzni (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bpjwpzni (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts (Trojan.Downloader) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
c:\WINDOWS\system32\whkonck.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cnqdfmt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rpcc.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

2nd time
Malwarebytes' Anti-Malware 1.31
Database versie: 1456
Windows 5.1.2600 Service Pack 1

8/12/2008 21:47:53
mbam-log-2008-12-08 (21-47-53).txt

Scan type: Snelle Scan
Objecten gescand: 57276
Verstreken tijd: 6 minute(s), 50 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 5
Registerwaarden geïnfecteerd: 4
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 2

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377b8674-8b07-4731-929f-c388b0166c6a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vklcjrfi (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{377b8674-8b07-4731-929f-c388b0166c6a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc7d59e2-08a5-49e1-a7ae-4d913330c6d1} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{bc7d59e2-08a5-49e1-a7ae-4d913330c6d1} (Trojan.BHO.H) -> Delete on reboot.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
c:\WINDOWS\system32\whkonck.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:04:20, on 8/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\flexnet\i486_nt\obj\ptc_d.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O2 - BHO: System - {D1C8F9CE-563E-11D8-813C-005022E14DE3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://C:\Program Files\proeWildfire 3.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217940603837
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217942351860
O16 - DPF: {89869334-AA13-489A-9A07-2BA062714A29} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab
O16 - DPF: {C9A703E2-3145-11D8-813C-005022E14DE2} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/LNMClientInstaller.cab
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6606 bytes

Thanks
Regards

Rosty
9 December 2008, 19:33
Hi,

open HijackThis, click on do a scan only and check the following lines:

O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O2 - BHO: System - {D1C8F9CE-563E-11D8-813C-005022E14DE3} - (no file)
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll

Close all open windows, except HijackThis, and click Fix Checked. Close HijackThis.

Restart your PC, this is important, and post a new HijackThis log.
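
The lines picked out above share one pattern: the same DLL is registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20), so it is loaded again at every logon. As an added example that is not part of this thread, the Python script below parses HijackThis-style lines and flags that pattern plus orphaned BHO entries; the sample lines are excerpted from the log posted above, and the severity labels and the helper names (`parse_line`, `triage`) are my own choices.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: a few lines excerpted from the HijackThis log posted in the thread
# (constructed subset, not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O2 - BHO: System - {D1C8F9CE-563E-11D8-813C-005022E14DE3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis finding starts with a section tag such as R0, O2, O20, O23.
SECTION_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r".*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    section: str            # e.g. "O2", "O20"
    name: str               # BHO name, Notify subkey, Run value name, ...
    path: Optional[str]     # normalised (lowercased) file path, None if no file
    missing: bool           # True for "(file missing)" / "(no file)"
    raw: str


@dataclass
class Finding:
    severity: str
    reason: str
    entry: Entry


def _normalise_path(field: str) -> Tuple[Optional[str], bool]:
    """Turn the trailing path field into (lowercase path, file-missing flag)."""
    field = field.strip()
    if field == "(no file)":
        return None, True
    missing = field.endswith("(file missing)")
    if missing:
        field = field[: -len("(file missing)")].strip()
    return field.lower(), missing


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for headers, blanks and process lists."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":                 # O4 - HKLM\..\Run: [<name>] <command>
        km = RUN_RE.match(body)
        name, cmd = (km.group("name"), km.group("cmd")) if km else (body, body)
        path, missing = _normalise_path(cmd)
    else:                               # fields are separated by " - ", path is last
        parts = body.split(" - ")
        name = re.sub(r"^(BHO|Winlogon Notify|Toolbar|Service): ", "", parts[0])
        path, missing = _normalise_path(parts[-1])
    return Entry(section, name, path, missing, line.strip())


def triage(log_text: str) -> List[Finding]:
    """Cross-reference entries by DLL path and flag the suspicious patterns."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    sections_by_path = defaultdict(set)
    for e in entries:
        if e.path:
            sections_by_path[e.path].add(e.section)
    findings = []
    for e in entries:
        if e.path and {"O2", "O20"} <= sections_by_path[e.path]:
            # The DLL is both an IE BHO and a Winlogon Notify handler: it gets
            # loaded into winlogon.exe at logon and into explorer/IE afterwards.
            findings.append(Finding("high", "same DLL registered as BHO and Winlogon Notify handler", e))
        elif e.section == "O2" and e.missing:
            findings.append(Finding("low", "orphaned BHO entry (file missing), safe to fix", e))
        elif e.section == "O2" and e.name == "(no name)":
            findings.append(Finding("medium", "unnamed BHO loading a DLL", e))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.entry.raw}")
```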

Keno
10 December 2008, 13:26
Hey

I did it just as you said, but those files are still there. Is that normal?

logfile
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:51, on 10/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\flexnet\i486_nt\obj\ptc_d.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://C:\Program Files\proeWildfire 3.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217940603837
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217942351860
O16 - DPF: {89869334-AA13-489A-9A07-2BA062714A29} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab
O16 - DPF: {C9A703E2-3145-11D8-813C-005022E14DE2} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/LNMClientInstaller.cab
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6436 bytes

Thanks

Rosty
10 December 2008, 19:38
Hi,

* Visit the following page for the instructions on downloading and using Combofix.

http://www.bleepingcomputer.com/combofix/n...ruikt-te-worden (http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden)

So carry out the instructions on that page, including installing the XP Recovery Console.
(If you don't have XP, you can skip the step about the Recovery Console)

Then post the Combofix log in your next post, together with a new HijackThis log.

Keno
12 December 2008, 12:42
Hey

Here is my combofix log
ComboFix 08-12-11.04 - Koen 2008-12-12 11:24:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.31.1043.18.286 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Koen\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Koen\Bureaublad\winxpsp1_nl_hom_bf.exe
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((( Bestanden Gemaakt van 2008-11-12 to 2008-12-12 ))))))))))))))))))))))))))))))
.

2008-12-10 13:39 . 2007-02-12 12:41 2,732,032 --a------ c:\windows\system32\Netw2r32.dll
2008-12-10 13:39 . 2007-07-25 17:44 2,210,048 --a------ c:\windows\system32\drivers\w29n51.sys
2008-12-10 13:39 . 2007-02-12 12:40 557,056 --a------ c:\windows\system32\Netw2c32.dll
2008-12-08 21:27 . 2008-12-08 21:27 <DIR> d-------- c:\documents and settings\Koen\Application Data\Malwarebytes
2008-12-08 21:26 . 2008-12-08 21:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 21:26 . 2008-12-08 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 21:26 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 21:26 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-05 23:46 . 2003-12-29 15:00 153,088 -ra------ c:\windows\system32\drivers\e100b325.sys
2008-12-05 23:46 . 2003-12-29 15:00 153,088 --a--c--- c:\windows\system32\dllcache\e100b325.sys
2008-12-05 23:46 . 2003-03-03 14:26 118,784 -ra------ c:\windows\system32\Prounstl.exe
2008-12-05 23:46 . 2003-07-28 04:55 24,064 -ra------ c:\windows\system32\IntelNic.dll
2008-12-05 23:46 . 2003-02-03 04:26 12,288 -ra------ c:\windows\system32\e100bmsg.dll
2008-12-05 23:46 . 2002-06-27 04:53 5,110 -ra------ c:\windows\system32\e100b325.din
2008-12-05 23:45 . 2004-01-02 01:52 1,646,720 -ra------ c:\windows\system32\drivers\w22n51.sys
2008-12-05 15:48 . 2008-12-05 15:48 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 10:51 . 2008-12-05 10:51 <DIR> d-------- c:\windows\A6W_DATA
2008-12-05 10:51 . 2008-12-05 10:51 11,613 --a------ c:\windows\Run32A60.mch
2008-12-05 10:51 . 2008-12-05 10:51 87 --a------ c:\windows\Production and Operations Analysis.mh
2008-12-05 10:51 . 2008-12-05 10:51 35 --a------ c:\windows\A6W.INI
2008-11-30 15:40 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe
2008-11-29 17:43 . 2008-11-29 17:45 <DIR> d-------- c:\documents and settings\Koen\Application Data\RegTool
2008-11-29 16:57 . 2003-11-16 08:33 344,064 --a------ c:\windows\system32\w22NCPA.dll
2008-11-28 23:00 . 2008-12-12 11:10 <DIR> dr-h----- c:\documents and settings\Koen\Onlangs geopend

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 14:48 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 19:37 65,536 ----a-w c:\windows\DUMP27dc.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377B8674-8B07-4731-929F-C388B0166C6A}]
2003-04-08 12:00 105472 --a------ c:\windows\system32\whkonck.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-04-08 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-01-26 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-01-26 118784]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2004-03-29 10:36 253952]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe" [2003-08-03 86073]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"000StTHK"="000StTHK.exe" [2001-06-23 19:28 24576 c:\windows\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2004-04-01 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2003-12-02 c:\windows\system32\TFNF5.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2003-04-08 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 15:49 110592 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vklcjrfi]
2003-04-08 12:00 105472 c:\windows\system32\whkonck.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-10-30 15:46 192512 c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2003-04-08 12:00 13312 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2002-08-20 14:08 1511453 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-02-12 10:42 1019904 c:\program files\Toshiba\PadTouch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2004-03-30 12:13 118784 c:\program files\Toshiba\TOSHIBA-zoomutility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 02:10 49263 c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2003-09-15 16:13 65536 c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-03-11 12:55 122880 c:\program files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"WebClient"=2 (0x2)
"usnjsvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"SCardDrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Messenger"=2 (0x2)
"helpsvc"=2 (0x2)
"CCALib8"=2 (0x2)
"BITS"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R0 mvqttwxg;mvqttwxg;c:\windows\System32\drivers\mvqttwxg.sys [2004-04-20 23424]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-04-17 124608]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bpjwpzni

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

BHO-{BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - c:\docume~1\Koen\LOCALS~1\Temp\dmE.dll
MSConfigStartUp-LNM Client - c:\program files\LNM Client\Client.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
MSConfigStartUp-Device Detector - DevDetect.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://c:\program files\proeWildfire 3.0\i486_nt\obj\pvx_install.exe

c:\windows\Downloaded Program Files\CONFLICT.1\AgentInstaller.dll - O16 -: {89869334-AA13-489A-9A07-2BA062714A29}
hxxp://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab

c:\windows\Downloaded Program Files\AgentInstaller.dll - O16 -: {C9A703E2-3145-11D8-813C-005022E14DE2}
hxxp://img.lnm.eu/be.lnm.eu/client/LNMClientInstaller.cab
FF - ProfilePath - c:\documents and settings\Koen\Application Data\Mozilla\Firefox\Profiles\xlgx64m3.default\
FF - prefs.js: browser.startup.homepage - hxxps://cas.kuleuven.be/cas/login?service=https%3A%2F%2Fidp.kuleuven.be%2Fshibboleth-idp%2FSSO%3Bjsessionid%3D5461CB888E4C4FFD4104C4808FB4CA5E%3Fshire%3Dhttps%253A%252F%252Fcygnus.cc.kuleuven.be%252FShibboleth.sso%252FSAML%252FArtifact%26time%3D1225970665%26target%3Dcookie%26providerId%3Dhttps%253A%252F%252Fcygnus.cc.kuleuven.be
FF - plugin: c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
.

************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 11:26:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

Scan completed successfully
hidden files: 0

************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\System32\ODBC32.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'lsass.exe'(840)
c:\windows\System32\dssenh.dll
.
Completion time: 2008-12-12 11:31:19
ComboFix-quarantined-files.txt 2008-12-12 10:31:16

Pre-Run: 19,404,111,872 bytes free
Post-Run: 19,468,681,216 bytes free

winxpsp1_nl_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

167

and here is my logfile
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:26, on 12/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\flexnet\i486_nt\obj\ptc_d.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://C:\Program Files\proeWildfire 3.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217940603837
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217942351860
O16 - DPF: {89869334-AA13-489A-9A07-2BA062714A29} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab
O16 - DPF: {C9A703E2-3145-11D8-813C-005022E14DE2} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/LNMClientInstaller.cab
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6507 bytes

Greetings

Rosty
12 December 2008, 14:59
Open Notepad, then copy and paste the following (the bold, blue text) into an empty window:

File::
C:\WINDOWS\SYSTEM32\whkonck.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377B8674-8B07-4731-929F-C388B0166C6A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vklcjrfi]


Save this to your Desktop as CFScript.

Drag CFScript onto ComboFix.exe as shown in the example below:


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


This will make ComboFix start again.
Reboot if you are asked to,
and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

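The two posts above show what an analyst looks for in a HijackThis log (a Winlogon Notify DLL registered under a random-looking key name, the same DLL also registered as a BHO, a second BHO pointing into a Temp directory) and the CFScript written to remove it. The Python below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses a few constructed lines copied from the log, scores them with heuristics that are this example's own assumptions, and renders a draft CFScript in the File::/Registry:: layout used in the post above. The `HKEY_LOCAL_MACHINE\~\Browser Helper Objects` shorthand is copied from that script and from ComboFix's own log output; whether ComboFix accepts a given key form is something to check against its documentation, not something this code verifies.

```python
"""Triage HijackThis persistence entries and draft a ComboFix CFScript.

Added example, not code from this thread, from HijackThis or from ComboFix.
The sample lines are constructed from entries quoted in the thread; the
scoring rules and the CFScript layout are this example's own assumptions
(the layout copies the File::/Registry:: sections used in the thread).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v2 line format (entries copied from the thread's log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\\windows\\system32\\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\\DOCUME~1\\Koen\\LOCALS~1\\Temp\\dmE.dll (file missing)
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\VPTray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\Program Files\\Java\\jre1.5.0_09\\bin\\ssv.dll
O20 - Winlogon Notify: vklcjrfi - C:\\WINDOWS\\SYSTEM32\\whkonck.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys|ocx)\b", re.I)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Key forms as they appear in the thread's CFScript (assumed, not verified against ComboFix docs).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def looks_random(token):
    """Weak signal: a 6-10 letter token with under 25% vowels or a run of 5+
    consonants (e.g. 'vklcjrfi'). It also trips on some legitimate
    abbreviations, so it is never the only reason an entry gets flagged."""
    s = token.lower()
    if not s.isalpha() or not 6 <= len(s) <= 10:
        return False
    vowels = sum(c in "aeiou" for c in s)
    longest = max(len(r) for r in re.findall(r"[^aeiou]+", s))
    return vowels / len(s) < 0.25 or longest >= 5


def parse_hjt(text):
    """One dict per O-line: kind, name (Notify key / CLSID / Run value), path, missing flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        pm = PATH_RE.search(body)
        name = ""
        if kind == "O20":                      # "Winlogon Notify: <key> - <path>"
            name = body.split(":", 1)[1].split(" - ")[0].strip()
        elif kind == "O2":                     # "BHO: <name> - {CLSID} - <path>"
            cm = CLSID_RE.search(body)
            name = cm.group(0) if cm else ""
        elif kind == "O4":                     # "HKLM\..\Run: [<value>] <path>"
            bm = re.search(r"\[([^\]]+)\]", body)
            name = bm.group(1) if bm else ""
        entries.append({"kind": kind, "name": name, "body": body,
                        "path": pm.group(0) if pm else "",
                        "missing": "(file missing)" in body})
    return entries


def triage(entries):
    """Flag an entry on one strong signal or on two weak ones."""
    loaders = defaultdict(set)   # lower-cased file name -> persistence kinds that reference it
    for e in entries:
        if e["path"]:
            loaders[PureWindowsPath(e["path"]).name.lower()].add(e["kind"])
    findings = []
    for e in entries:
        strong, weak = [], []
        base = PureWindowsPath(e["path"]).name.lower() if e["path"] else ""
        if e["kind"] == "O20":
            strong.append("Winlogon Notify DLL is loaded by winlogon.exe at logon")
        if "\\temp\\" in e["path"].lower():
            strong.append("binary lives under a Temp directory")
        if base and len(loaders[base]) > 1:
            strong.append("same file registered via " + ", ".join(sorted(loaders[base])))
        if e["kind"] == "O2" and "(no name)" in e["body"]:
            weak.append("BHO has no registered name")
        if e["missing"]:
            weak.append("file missing (stale or self-deleting entry)")
        if looks_random(e["name"]) or looks_random(PureWindowsPath(base).stem):
            weak.append("random-looking key or file name")
        if strong or len(weak) >= 2:
            findings.append({**e, "reasons": strong + weak})
    return findings


def draft_cfscript(findings):
    """Render File::/Registry:: sections; a draft for a human to review, never run blindly."""
    files, keys = [], []
    for f in findings:
        if f["path"] and not f["missing"] and f["path"].lower() not in [x.lower() for x in files]:
            files.append(f["path"])
        if f["kind"] == "O2" and f["name"]:
            keys.append("[-" + BHO_KEY + "\\" + f["name"] + "]")
        elif f["kind"] == "O20" and f["name"]:
            keys.append("[-" + NOTIFY_KEY + "\\" + f["name"] + "]")
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(keys) + "\n"


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for f in found:
        print(f["kind"], f["name"] or f["path"], "->", "; ".join(f["reasons"]))
    print()
    print(draft_cfscript(found))
```

On the constructed sample this flags the two BHOs and the Winlogon Notify entry and leaves the vptray, Java and Symantec lines alone, even though `vptray` and `rtvscan` trip the random-name rule on their own. Treat the output as a starting point: a Notify DLL is mapped into winlogon.exe, which is one reason such files often resist deletion on a running system and why the procedure above includes a reboot, and a draft that lists a key or file wrongly will break something legitimate.
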
Keno
16 December 2008, 14:35
Hey

Here are my logfiles
ComboFix 08-12-11.04 - Koen 2008-12-16 13:11:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.31.1043.18.216 [GMT 1:00]
Running from: c:\documents and settings\Koen\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\Koen\Bureaublad\CFScript.txt

FILE ::
c:\windows\SYSTEM32\whkonck.dll
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\whkonck.dll . . . . could not be deleted

.
(((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 ))))))))))))))))))))))))))))))
.

2008-12-10 13:39 . 2007-02-12 12:41 2,732,032 --a------ c:\windows\system32\Netw2r32.dll
2008-12-10 13:39 . 2007-07-25 17:44 2,210,048 --a------ c:\windows\system32\drivers\w29n51.sys
2008-12-10 13:39 . 2007-02-12 12:40 557,056 --a------ c:\windows\system32\Netw2c32.dll
2008-12-08 21:27 . 2008-12-08 21:27 <DIR> d-------- c:\documents and settings\Koen\Application Data\Malwarebytes
2008-12-08 21:26 . 2008-12-08 21:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 21:26 . 2008-12-08 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 21:26 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 21:26 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-05 23:46 . 2003-12-29 15:00 153,088 -ra------ c:\windows\system32\drivers\e100b325.sys
2008-12-05 23:46 . 2003-12-29 15:00 153,088 --a--c--- c:\windows\system32\dllcache\e100b325.sys
2008-12-05 23:46 . 2003-03-03 14:26 118,784 -ra------ c:\windows\system32\Prounstl.exe
2008-12-05 23:46 . 2003-07-28 04:55 24,064 -ra------ c:\windows\system32\IntelNic.dll
2008-12-05 23:46 . 2003-02-03 04:26 12,288 -ra------ c:\windows\system32\e100bmsg.dll
2008-12-05 23:46 . 2002-06-27 04:53 5,110 -ra------ c:\windows\system32\e100b325.din
2008-12-05 23:45 . 2004-01-02 01:52 1,646,720 -ra------ c:\windows\system32\drivers\w22n51.sys
2008-12-05 15:48 . 2008-12-05 15:48 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 10:51 . 2008-12-05 10:51 <DIR> d-------- c:\windows\A6W_DATA
2008-12-05 10:51 . 2008-12-05 10:51 11,613 --a------ c:\windows\Run32A60.mch
2008-12-05 10:51 . 2008-12-05 10:51 87 --a------ c:\windows\Production and Operations Analysis.mh
2008-12-05 10:51 . 2008-12-05 10:51 35 --a------ c:\windows\A6W.INI
2008-11-30 15:40 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe
2008-11-29 17:43 . 2008-11-29 17:45 <DIR> d-------- c:\documents and settings\Koen\Application Data\RegTool
2008-11-29 16:57 . 2003-11-16 08:33 344,064 --a------ c:\windows\system32\w22NCPA.dll
2008-11-28 23:00 . 2008-12-16 13:08 <DIR> dr-h----- c:\documents and settings\Koen\Onlangs geopend

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 12:29 14,037 ----a-w c:\windows\system32\drivers\mdc8021x.sys
2008-11-30 14:48 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 19:37 65,536 ----a-w c:\windows\DUMP27dc.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-12-12_11.30.52,13 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 19:19:34 40,960 ----a-r c:\windows\Installer\{5380063E-2909-4d72-BFA3-625881F2E78B}\PROSet.56285FC4_11A9_11D6_8473_00902745D287.exe
+ 2008-12-12 12:29:29 40,960 ----a-r c:\windows\Installer\{5380063E-2909-4d72-BFA3-625881F2E78B}\PROSet.56285FC4_11A9_11D6_8473_00902745D287.exe
- 2003-12-16 14:43:06 184,320 ----a-w c:\windows\system32\1XConfig.exe
+ 2003-12-16 15:43:06 184,320 ----a-w c:\windows\system32\1XConfig.exe
- 2003-12-16 14:54:00 466,944 ----a-w c:\windows\system32\AdHocWiz.exe
+ 2003-12-16 15:54:00 466,944 ----a-w c:\windows\system32\AdHocWiz.exe
- 2003-12-16 14:44:18 212,992 ----a-w c:\windows\system32\C1XStngs.dll
+ 2003-12-16 15:44:18 212,992 ----a-w c:\windows\system32\C1XStngs.dll
- 2003-09-15 08:20:18 11,258 ----a-w c:\windows\system32\drivers\s24trans.sys
+ 2003-09-15 09:20:18 11,258 ----a-w c:\windows\system32\drivers\s24trans.sys
- 2003-11-26 11:21:00 487,424 ----a-w c:\windows\system32\IntelAE5.dll
+ 2003-11-26 12:21:00 487,424 ----a-w c:\windows\system32\IntelAE5.dll
- 2003-12-16 14:49:34 110,592 ----a-w c:\windows\system32\LgNotify.dll
+ 2003-12-16 15:49:34 110,592 ----a-w c:\windows\system32\LgNotify.dll
- 2003-04-08 11:00:00 1,015,808 ----a-w c:\windows\system32\libeay32.dll
+ 2003-04-17 11:35:00 651,264 ----a-w c:\windows\system32\libeay32.dll
- 2003-12-16 14:42:14 221,184 ----a-w c:\windows\system32\PfMgrApi.dll
+ 2003-12-16 15:42:14 221,184 ----a-w c:\windows\system32\PfMgrApi.dll
- 2003-12-16 14:49:26 397,312 ----a-w c:\windows\system32\PfWizard.exe
+ 2003-12-16 15:49:26 397,312 ----a-w c:\windows\system32\PfWizard.exe
- 2003-12-16 14:54:40 221,184 ----a-w c:\windows\system32\Pn802_11.dll
+ 2003-12-16 15:54:40 221,184 ----a-w c:\windows\system32\Pn802_11.dll
- 2003-12-16 14:47:22 880,640 ----a-w c:\windows\system32\PsGuiMgr.dll
+ 2003-12-16 15:47:22 880,640 ----a-w c:\windows\system32\PsGuiMgr.dll
- 2003-12-16 14:41:52 172,032 ----a-w c:\windows\system32\PsRegApi.dll
+ 2003-12-16 15:41:52 172,032 ----a-w c:\windows\system32\PsRegApi.dll
- 2003-12-16 14:41:40 122,880 ----a-w c:\windows\system32\RegSrvc.exe
+ 2003-12-16 15:41:40 122,880 ----a-w c:\windows\system32\RegSrvc.exe
- 2003-12-16 14:42:32 311,363 ----a-w c:\windows\system32\S24EvMon.exe
+ 2003-12-16 15:42:32 311,363 ----a-w c:\windows\system32\S24EvMon.exe
- 2003-12-16 14:42:36 69,632 ----a-w c:\windows\system32\S24MUDLL.DLL
+ 2003-12-16 15:42:36 69,632 ----a-w c:\windows\system32\S24MUDLL.DLL
- 2003-10-13 08:44:10 13,528 ----a-w c:\windows\system32\s24NCfg.dll
+ 2003-10-13 09:44:10 13,528 ----a-w c:\windows\system32\s24NCfg.dll
- 2003-12-16 14:55:20 221,184 ----a-w c:\windows\system32\SbrngAPI.dll
+ 2003-12-16 15:55:20 221,184 ----a-w c:\windows\system32\SbrngAPI.dll
- 2003-12-16 14:42:20 49,152 ----a-w c:\windows\system32\SbrngSvc.exe
+ 2003-12-16 15:42:20 49,152 ----a-w c:\windows\system32\SbrngSvc.exe
- 2003-10-13 08:47:12 65,536 ----a-w c:\windows\system32\SMSUnins.dll
+ 2003-10-13 09:47:12 65,536 ----a-w c:\windows\system32\SMSUnins.dll
- 2003-04-17 10:35:00 147,456 ----a-w c:\windows\system32\ssleay32.dll
+ 2003-04-17 11:35:00 147,456 ----a-w c:\windows\system32\ssleay32.dll
- 2003-05-28 11:55:12 2,288 ----a-w c:\windows\system32\TPIDI16.DLL
+ 2003-05-28 12:55:12 2,288 ----a-w c:\windows\system32\TPIDI16.DLL
- 2003-05-28 11:55:12 78,096 ----a-w c:\windows\system32\TPIDI32.dll
+ 2003-05-28 12:55:12 78,096 ----a-w c:\windows\system32\TPIDI32.dll
- 2003-05-28 11:55:14 142,256 ----a-w c:\windows\system32\TPIDITST.exe
+ 2003-05-28 12:55:14 142,256 ----a-w c:\windows\system32\TPIDITST.exe
- 2003-12-16 14:43:36 552,960 ----a-w c:\windows\system32\WConfig.dll
+ 2003-12-16 15:43:36 552,960 ----a-w c:\windows\system32\WConfig.dll
- 2003-12-16 14:42:46 110,592 ----a-w c:\windows\system32\WiFiAdap.dll
+ 2003-12-16 15:42:46 110,592 ----a-w c:\windows\system32\WiFiAdap.dll
- 2003-12-16 14:48:16 258,048 ----a-w c:\windows\system32\WLANDLL.dll
+ 2003-12-16 15:48:16 258,048 ----a-w c:\windows\system32\WLANDLL.dll
- 2003-12-16 14:47:42 376,832 ----a-w c:\windows\system32\ZCfgSvc.exe
+ 2003-12-16 15:47:42 376,832 ----a-w c:\windows\system32\ZCfgSvc.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377B8674-8B07-4731-929F-C388B0166C6A}]
2003-04-08 12:00 105472 --a------ c:\windows\system32\whkonck.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7D59E2-08A5-49E1-A7AE-4D913330C6D1}]
c:\docume~1\Koen\LOCALS~1\Temp\dmE.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-04-08 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-01-26 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-01-26 118784]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2004-03-29 10:36 253952]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe" [2003-08-03 86073]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"000StTHK"="000StTHK.exe" [2001-06-23 19:28 24576 c:\windows\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2004-04-01 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2003-12-02 c:\windows\system32\TFNF5.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2003-04-08 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 16:49 110592 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vklcjrfi]
2003-04-08 12:00 105472 c:\windows\system32\whkonck.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-10-30 15:46 192512 c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2003-04-08 12:00 13312 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2002-08-20 14:08 1511453 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-02-12 10:42 1019904 c:\program files\Toshiba\PadTouch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2004-03-30 12:13 118784 c:\program files\Toshiba\TOSHIBA-zoomutility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 02:10 49263 c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2003-09-15 16:13 65536 c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-03-11 12:55 122880 c:\program files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"WebClient"=2 (0x2)
"usnjsvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"SCardDrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Messenger"=2 (0x2)
"helpsvc"=2 (0x2)
"CCALib8"=2 (0x2)
"BITS"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R0 mvqttwxg;mvqttwxg;c:\windows\System32\drivers\mvqttwxg.sys [2004-04-20 23424]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-04-17 124608]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bpjwpzni
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://c:\program files\proeWildfire 3.0\i486_nt\obj\pvx_install.exe

c:\windows\Downloaded Program Files\CONFLICT.1\AgentInstaller.dll - O16 -: {89869334-AA13-489A-9A07-2BA062714A29}
hxxp://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab

c:\windows\Downloaded Program Files\AgentInstaller.dll - O16 -: {C9A703E2-3145-11D8-813C-005022E14DE2}
hxxp://img.lnm.eu/be.lnm.eu/client/LNMClientInstaller.cab
FF - ProfilePath - c:\documents and settings\Koen\Application Data\Mozilla\Firefox\Profiles\xlgx64m3.default\
FF - prefs.js: browser.startup.homepage - hxxps://cas.kuleuven.be/cas/login?service=https%3A%2F%2Fidp.kuleuven.be%2Fshibboleth-idp%2FSSO%3Bjsessionid%3D5461CB888E4C4FFD4104C4808FB4CA5E%3Fshire%3Dhttps%253A%252F%252Fcygnus.cc.kuleuven.be%252FShibboleth.sso%252FSAML%252FArtifact%26time%3D1225970665%26target%3Dcookie%26providerId%3Dhttps%253A%252F%252Fcygnus.cc.kuleuven.be
FF - plugin: c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
.

************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 13:17:46
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

Scan completed successfully
hidden files: 0

************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\System32\ODBC32.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'lsass.exe'(680)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\1XConfig.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\flexnet\i486_nt\obj\lmgrd.exe
c:\program files\flexnet\i486_nt\obj\lmgrd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\RegSrvc.exe
c:\program files\flexnet\i486_nt\obj\ptc_d.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
.
************************************************************************
.
Completion time: 2008-12-16 13:27:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 12:27:16
ComboFix2.txt 2008-12-12 10:31:20

Pre-Run: 19,417,403,392 bytes free
Post-Run: 19,419,152,384 bytes free

246

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:44, on 16/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\flexnet\i486_nt\obj\ptc_d.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://C:\Program Files\proeWildfire 3.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217940603837
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217942351860
O16 - DPF: {89869334-AA13-489A-9A07-2BA062714A29} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab
O16 - DPF: {C9A703E2-3145-11D8-813C-005022E14DE2} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/LNMClientInstaller.cab
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6392 bytes

Regards

Rosty
16 December 2008, 19:21
Open Notepad, copy and paste the following (the bold, blue text) into an empty window:

File::
c:\windows\SYSTEM32\whkonck.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vklcjrfi]


Save this on your Desktop as CFScript.

Drag CFScript onto ComboFix.exe as shown in the example below:


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


This will make ComboFix restart.
Reboot if you are asked to,
and post the contents of Combofix.txt in your next reply.

Keno
18 December 2008, 14:42
Hey

I ran it once and this time it seemed to do something different.
I also made a logfile.

ComboFix 08-12-11.04 - Koen 2008-12-18 13:18:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.31.1043.18.268 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Koen\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Koen\Bureaublad\CFScript.txt

FILE ::
c:\windows\SYSTEM32\whkonck.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\whkonck.dll . . . . konden niet verwijderd worden

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-11-18 to 2008-12-18 ))))))))))))))))))))))))))))))
.

2008-12-10 13:39 . 2007-02-12 12:41 2,732,032 --a------ c:\windows\system32\Netw2r32.dll
2008-12-10 13:39 . 2007-07-25 17:44 2,210,048 --a------ c:\windows\system32\drivers\w29n51.sys
2008-12-10 13:39 . 2007-02-12 12:40 557,056 --a------ c:\windows\system32\Netw2c32.dll
2008-12-08 21:27 . 2008-12-08 21:27 <DIR> d-------- c:\documents and settings\Koen\Application Data\Malwarebytes
2008-12-08 21:26 . 2008-12-08 21:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 21:26 . 2008-12-08 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 21:26 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 21:26 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-05 23:46 . 2003-12-29 15:00 153,088 -ra------ c:\windows\system32\drivers\e100b325.sys
2008-12-05 23:46 . 2003-12-29 15:00 153,088 --a--c--- c:\windows\system32\dllcache\e100b325.sys
2008-12-05 23:46 . 2003-03-03 14:26 118,784 -ra------ c:\windows\system32\Prounstl.exe
2008-12-05 23:46 . 2003-07-28 04:55 24,064 -ra------ c:\windows\system32\IntelNic.dll
2008-12-05 23:46 . 2003-02-03 04:26 12,288 -ra------ c:\windows\system32\e100bmsg.dll
2008-12-05 23:46 . 2002-06-27 04:53 5,110 -ra------ c:\windows\system32\e100b325.din
2008-12-05 23:45 . 2004-01-02 01:52 1,646,720 -ra------ c:\windows\system32\drivers\w22n51.sys
2008-12-05 15:48 . 2008-12-05 15:48 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 10:51 . 2008-12-05 10:51 <DIR> d-------- c:\windows\A6W_DATA
2008-12-05 10:51 . 2008-12-05 10:51 11,613 --a------ c:\windows\Run32A60.mch
2008-12-05 10:51 . 2008-12-05 10:51 87 --a------ c:\windows\Production and Operations Analysis.mh
2008-12-05 10:51 . 2008-12-05 10:51 35 --a------ c:\windows\A6W.INI
2008-11-30 15:40 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe
2008-11-29 17:43 . 2008-11-29 17:45 <DIR> d-------- c:\documents and settings\Koen\Application Data\RegTool
2008-11-29 16:57 . 2003-11-16 08:33 344,064 --a------ c:\windows\system32\w22NCPA.dll
2008-11-28 23:00 . 2008-12-18 13:16 <DIR> dr-h----- c:\documents and settings\Koen\Onlangs geopend

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 12:29 14,037 ----a-w c:\windows\system32\drivers\mdc8021x.sys
2008-11-30 14:48 --------- d-----w c:\program files\Common Files\Adobe
2008-11-14 19:37 65,536 ----a-w c:\windows\DUMP27dc.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377B8674-8B07-4731-929F-C388B0166C6A}]
2003-04-08 12:00 105472 --a------ c:\windows\system32\whkonck.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7D59E2-08A5-49E1-A7AE-4D913330C6D1}]
c:\docume~1\Koen\LOCALS~1\Temp\dmE.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-04-08 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-01-26 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-01-26 118784]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2004-03-29 10:36 253952]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe" [2003-08-03 86073]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"000StTHK"="000StTHK.exe" [2001-06-23 19:28 24576 c:\windows\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2004-04-01 c:\windows\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" [BU]
"TFNF5"="TFNF5.exe" [2003-12-02 c:\windows\system32\TFNF5.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2003-04-08 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 16:49 110592 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vklcjrfi]
2003-04-08 12:00 105472 c:\windows\system32\whkonck.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-10-30 15:46 192512 c:\program files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2003-04-08 12:00 13312 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2002-08-20 14:08 1511453 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-02-12 10:42 1019904 c:\program files\Toshiba\PadTouch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2004-03-30 12:13 118784 c:\program files\Toshiba\TOSHIBA-zoomutility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 02:10 49263 c:\program files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2003-09-15 16:13 65536 c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-03-11 12:55 122880 c:\program files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"WebClient"=2 (0x2)
"usnjsvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"SCardDrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Messenger"=2 (0x2)
"helpsvc"=2 (0x2)
"CCALib8"=2 (0x2)
"BITS"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R0 mvqttwxg;mvqttwxg;c:\windows\System32\drivers\mvqttwxg.sys [2004-04-20 23424]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-04-17 124608]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bpjwpzni

*Newly Created Service* - CATCHME
.
.
------- Bijkomende Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://c:\program files\proeWildfire 3.0\i486_nt\obj\pvx_install.exe

c:\windows\Downloaded Program Files\CONFLICT.1\AgentInstaller.dll - O16 -: {89869334-AA13-489A-9A07-2BA062714A29}
hxxp://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab

c:\windows\Downloaded Program Files\AgentInstaller.dll - O16 -: {C9A703E2-3145-11D8-813C-005022E14DE2}
hxxp://img.lnm.eu/be.lnm.eu/client/LNMClientInstaller.cab
FF - ProfilePath - c:\documents and settings\Koen\Application Data\Mozilla\Firefox\Profiles\xlgx64m3.default\
FF - prefs.js: browser.startup.homepage - hxxps://cas.kuleuven.be/cas/login?service=https%3A%2F%2Fidp.kuleuven.be%2Fshibboleth-idp%2FSSO%3Bjsessionid%3D5461CB888E4C4FFD4104C4808FB4CA5E%3Fshire%3Dhttps%253A%252F%252Fcygnus.cc.kuleuven.be%252FShibboleth.sso%252FSAML%252FArtifact%26time%3D1225970665%26target%3Dcookie%26providerId%3Dhttps%253A%252F%252Fcygnus.cc.kuleuven.be
FF - plugin: c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 13:25:21
Windows 5.1.2600 Service Pack 1 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\System32\ODBC32.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'lsass.exe'(680)
c:\windows\System32\dssenh.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\1XConfig.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\flexnet\i486_nt\obj\lmgrd.exe
c:\program files\flexnet\i486_nt\obj\lmgrd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\flexnet\i486_nt\obj\ptc_d.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Voltooingstijd: 2008-12-18 13:34:32 - machine werd herstart
ComboFix-quarantined-files.txt 2008-12-18 12:34:28
ComboFix2.txt 2008-12-16 12:27:22
ComboFix3.txt 2008-12-12 10:31:20

Pre-Run: 19.371.077.632 bytes beschikbaar
Post-Run: 19,361,017,856 bytes beschikbaar

187

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37:22, on 18/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\flexnet\i486_nt\obj\ptc_d.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 audiostuurprogramma's\stacmon.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} - file://C:\Program Files\proeWildfire 3.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217940603837
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217942351860
O16 - DPF: {89869334-AA13-489A-9A07-2BA062714A29} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab
O16 - DPF: {C9A703E2-3145-11D8-813C-005022E14DE2} (Installer Class) - http://img.lnm.eu/be.lnm.eu/client/LNMClientInstaller.cab
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexnet\i486_nt\obj\lmgrd.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6392 bytes

Regards

Rosty
20 December 2008, 09:46
Hi,

open HijackThis, click on do a scan only and tick the following lines:

O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll

Close all open windows except HijackThis, and click Fix Checked. Close HijackThis.

Open Notepad, copy and paste the following (the bold, blue text) into an empty window:

File::
c:\windows\system32\whkonck.dll

Folder::
c:\docume~1\Koen\LOCALS~1\Temp\dmE.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377B8674-8B07-4731-929F-C388B0166C6A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC7D59E2-08A5-49E1-A7AE-4D913330C6D1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vklcjrfi]


Save this on your Desktop as CFScript.

Drag CFScript onto ComboFix.exe as shown in the example below:


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will make ComboFix restart.
Reboot if you are asked to,
and post the contents of Combofix.txt in your next reply.
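Added example, not part of this thread or of HijackThis: a small Python check that parses HijackThis-style lines and reports any module registered under more than one autostart section, which is exactly what gives whkonck.dll away above (it is both an O2 BHO and an O20 Winlogon Notify package), plus entries whose file is already missing. The sample lines are copied from the log posted in this thread; the section regexes are my own reading of the log format.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log in this thread (test input only).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {377B8674-8B07-4731-929F-C388B0166C6A} - c:\windows\system32\whkonck.dll
O2 - BHO: (no name) - {BC7D59E2-08A5-49E1-A7AE-4D913330C6D1} - C:\DOCUME~1\Koen\LOCALS~1\Temp\dmE.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O20 - Winlogon Notify: vklcjrfi - C:\WINDOWS\SYSTEM32\whkonck.dll
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
""".strip()

# One regex per HijackThis section of interest; every pattern yields a module path.
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"),
    "O4":  re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$"),
}
MISSING = " (file missing)"


def normalize_path(path):
    """Lower-case and unquote so the same DLL compares equal whichever case
    HijackThis printed it in (system32 vs SYSTEM32). 8.3 short names such as
    PROGRA~1 are left as-is; resolving them needs the live file system."""
    return path.strip().strip('"').lower()


def parse_hjt(text):
    """Return one dict per recognised O2/O4/O20/O23 line, in log order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        section = line.split(" - ", 1)[0]
        pattern = PATTERNS.get(section)
        match = pattern.match(line) if pattern else None
        if not match:
            continue  # other sections (R0, O16, ...) are ignored here
        path = match.group("path")
        missing = path.endswith(MISSING)
        if missing:
            path = path[: -len(MISSING)]
        entries.append({"section": section, "name": match.group("name"),
                        "path": normalize_path(path), "missing": missing})
    return entries


def find_shared_modules(entries):
    """Map each module path that is hooked in under two or more different
    sections to the sorted list of those sections. A DLL that is both a
    browser helper object and a Winlogon Notify package is loaded into
    Internet Explorer and into winlogon.exe, which is the pattern seen above."""
    by_path = defaultdict(set)
    for entry in entries:
        by_path[entry["path"]].add(entry["section"])
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


def stale_entries(entries):
    """Entries whose target file no longer exists: leftovers of a partial
    cleanup (here the dmE.dll BHO in the user's Temp folder)."""
    return [e for e in entries if e["missing"]]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for path, sections in find_shared_modules(parsed).items():
        print("module hooked in via several sections:", path, sections)
    for entry in stale_entries(parsed):
        print("stale entry (file missing):", entry["section"], entry["path"])
```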