View full version : Slow PC + trojans



SuriNaruto
13 July 2009, 22:40
Out of nowhere, for a few days now I've had a very slow PC and trojan warnings. Some are already gone, but I get messages saying "cannot clean this file". But what should I do, because some of them are in my system? Here is my HijackThis log.
Thanks in advance for helping:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:38:41, on 13-7-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\tempalbert\system32.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDYT.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDPictureViewer.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDMovieViewer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paradigit.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ARC] C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\tempalbert\system32.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPointII.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Formulieren opslaan - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Invul Formulieren - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Menu aanpassen - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RoboForm Werkbalk - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Formulier Invullen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Invul Formulieren - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Formulieren opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Werkbalk - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04}: NameServer = 213.46.228.196,62.179.104.196
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
--
End of file - 11653 bytes
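The helpers in this thread read the HijackThis log by hand, line by line. The Python below is an added example, not part of the thread and not HijackThis code: it does the mechanical first pass a helper makes over the O4 (autostart), O17 (DNS) and O23 (service) sections of a HijackThis 2.x log. It flags autostart entries launched from a Temp directory or carrying a core Windows file name outside %SystemRoot%, services with an unknown owner or a missing image, and records statically configured DNS servers so they can be checked against the ISP's. The sample lines are copied from the log posted above (and repeated in the re-posted log later in the thread); which paths, names and attributes count as worth a second look are this example's own assumptions, not a verdict on any entry.

```python
"""Mechanical first pass over a HijackThis 2.x log.

Added example for this thread; it is not part of HijackThis, and the
heuristics below (which paths, names and service attributes deserve a
second look) are this example's own assumptions, not a verdict.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ARC] C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\tempalbert\system32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04}: NameServer = 213.46.228.196,62.179.104.196
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

# Assumption: a legitimate autostart binary is rarely launched from a Temp directory.
TEMP_PATH_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# Assumption: these names belong under %SystemRoot%; anywhere else they imitate a Windows component.
SYSTEM_LOOKALIKES = {"system32.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}
SYSTEM_ROOT_RE = re.compile(r"^C:\\WINDOWS\\", re.IGNORECASE)

O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<svc>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)


def image_path(cmd: str) -> str:
    """Return the executable path from an O4 command line (quoted, or up to the first .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_line(line: str) -> list:
    """Reasons this log line deserves a second look; an empty list means nothing was flagged."""
    reasons = []
    if m := O4_RE.match(line):
        path = image_path(m.group("cmd"))
        base = path.rsplit("\\", 1)[-1].lower()
        if TEMP_PATH_RE.search(path):
            reasons.append("autostart from a Temp directory")
        if base in SYSTEM_LOOKALIKES and not SYSTEM_ROOT_RE.match(path):
            reasons.append(f"Windows component name {base} outside %SystemRoot%")
    elif m := O23_RE.match(line):
        if m.group("owner") == "Unknown owner":
            reasons.append("service with unknown owner")
        if m.group("path").endswith("(file missing)"):
            reasons.append("service image missing on disk")
    elif m := O17_RE.match(line):
        # Not suspicious by itself; recorded so the servers can be checked against the ISP's.
        servers = [s.strip() for s in m.group("servers").split(",")]
        reasons.append("static DNS servers to verify: " + ", ".join(servers))
    return reasons


def triage(log_text: str) -> dict:
    """Map every flagged log line to its reasons; unflagged lines are left out."""
    findings = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the full log, the script returns four lines: the [ARC] entry (both a Temp path and a system32.exe name outside C:\WINDOWS), the two services with an unknown owner (one of them with its image missing), and the O17 line with the DNS servers to verify. A flag is a prompt to look, not a verdict; a signed driver helper with "Unknown owner" is common, while an unsigned executable named after a Windows directory running from Temp is the kind of entry a helper asks the poster about.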

Tommiiee
14 July 2009, 11:12
Hi :)

I'm going to help you with your log. I'm still in training, though, so I first have to get all my advice approved by the real helpers. I'd ask for your patience with this.

Regards,
Tom ;)

SuriNaruto
14 July 2009, 13:04
Ah, thanks, but I keep getting messages from my NOD32, roughly like this:
system root-trojan-unable to clean. I'm scanning my PC now and as soon as it's done I'll post my NOD32 log.

Tommiiee
14 July 2009, 13:04
That would be great ;)

SuriNaruto
14 July 2009, 14:59
Umm, I've quickly made a new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:58:36, on 14-7-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\tempalbert\system32.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDYT.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDPictureViewer.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDMovieViewer.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paradigit.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ARC] C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\tempalbert\system32.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPointII.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Formulieren opslaan - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Invul Formulieren - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Menu aanpassen - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RoboForm Werkbalk - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Formulier Invullen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Invul Formulieren - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Formulieren opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Werkbalk - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04}: NameServer = 213.46.228.196,62.179.104.196
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)


ESET NOD32:
Scan Log
Version of virus signature database: 4240 (20090713)
Date: 14-7-2009 Time: 9:41:33
Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean
C:\hiberfil.sys - error opening [4]
C:\pagefile.sys - error opening [4]
C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\wjxqmnar.default\extensions\fireform@mozilla.org\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\wjxqmnar.default\extensions\{096fce39-df8c-49ad-a4ce-9ef4a875bb76}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\hpathbp_eur_proper_psp-ind.rar » RAR » ind-hphpp.iso - Incorrect file checksum (CRC); the file is probably password protected.
C:\Documents and Settings\Eigenaar\Bureaublad\hpathbp_eur_proper_psp-ind.rar » RAR » readme.txt - Incorrect file checksum (CRC); the file is probably password protected.
C:\Documents and Settings\Eigenaar\Bureaublad\StepMania-3.9.exe » NSIS » ArtistDisplay.redir » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\StepMania-3.9.exe » NSIS » ScreenGameplay player.redir » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\StepMania-3.9.exe » NSIS » Banner mode.redir » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\StepMania-3.9.exe » NSIS » ScreenNameEntry step.redir » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Euro Gunz v8.5.6.exe » RAR » GunzLauncher.exe - probably a variant of Win32/TrojanDownloader.Agent trojan
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Firefox Setup 3.0.1.exe » 7ZIP » nonlocalized/chrome/browser.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Firefox Setup 3.0.1.exe » 7ZIP » nonlocalized/chrome/comm.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Firefox Setup 3.0.1.exe » 7ZIP » nonlocalized/chrome/pippki.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Firefox Setup 3.0.1.exe » 7ZIP » nonlocalized/chrome/reporter.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Firefox Setup 3.0.1.exe » 7ZIP » nonlocalized/chrome/toolkit.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\michael\PSP HACK\PSP CSO{}ISO\SmackVSRaw09\WWE Smackdown Vs Raw 2009.iso » ISO » G - archive damaged
C:\Documents and Settings\Eigenaar\Bureaublad\michael\PSP HACK\PSP CSO{}ISO\vahalla knights\Valhalla_Knights_2_C.Jackson.part1.rar » RAR » Valhalla Knights 2.iso - next archive volume not found
C:\Documents and Settings\Eigenaar\Bureaublad\michael\PSP HACK\PSP custom firmwares\Gboot_Creator_V_1.5.rar » RAR » Gboot Creator V 1.5\incase\klcodec462f.exe » INNO » - unsupported option
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Starwars\Jedi Academy.part1.rar » RAR » StarWars_JediAcademy_D1.iso » ISO » assets0.pk3 » ZIP » music/yavin2_old/yavtemp_explore.mp3 - archive damaged
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Starwars\StarWars_JediAcademy_D1.iso » ISO » license.txt » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Starwars\StarWars_JediAcademy_D1.iso » ISO » license.txt » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Starwars\StarWars_JediAcademy_D1.iso » ISO » Launch.exe - archive damaged
C:\Documents and Settings\Eigenaar\Bureaublad\michael\Starwars\StarWars_JediAcademy_D2.iso » ISO » trouble.rtf - archive damaged
C:\Documents and Settings\Eigenaar\Cookies\eigenaar@shopathome[2].txt » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Identities\{3D809A35-2942-48D1-B2AD-77DB022A5AD0}\Microsoft\Outlook Express\Postvak IN.dbx » DBX - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Identities\{3D809A35-2942-48D1-B2AD-77DB022A5AD0}\Microsoft\Outlook Express\Postvak UIT.dbx » DBX - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Local Settings\Temp\~vis0000\dtslatestinstaller.exe » NSIS » s » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Local Settings\Temp\~vis0000\dtslatestinstaller.exe » NSIS » file.bin » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Local Settings\Temp\~vis0000\dtslatestinstaller.exe » NSIS » file.bin » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Local Settings\Temp\~vis0000\dtslatestinstaller.exe » NSIS » file.bin » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Eigenaar\Local Settings\Temp\~vis0000\dtslatestinstaller.exe » NSIS » file.bin » MIME - is OK (internal scanning not performed)
C:\Gboot Creator V 1.5\incase\klcodec462f.exe » INNO » - unsupported option
C:\Program Files\Ahead\Nero\CDI\CDI_VCD.CFG » MIME - is OK (internal scanning not performed)
C:\Program Files\Ahead\NeroVision\NeroFiles\CDI\CDI_VCD.CFG » MIME - is OK (internal scanning not performed)
C:\Program Files\EPSON\Utility Suite\Copy Utility\ReadMe\ReadMe.def » MIME - is OK (internal scanning not performed)
C:\Program Files\EPSON\Utility Suite\Copy Utility\ReadMe\ReadMe_de.def » MIME - is OK (internal scanning not performed)
C:\Program Files\EPSON\Utility Suite\Copy Utility\ReadMe\ReadMe_fr.def » MIME - is OK (internal scanning not performed)
C:\Program Files\EPSON\Utility Suite\Copy Utility\ReadMe\ReadMe_nl.def » MIME - is OK (internal scanning not performed)
C:\Program Files\EPSON\Utility Suite\Copy Utility\ReadMe\fr\License.txt » MIME - is OK (internal scanning not performed)
C:\Program Files\Euro Gunz Client 8.5.6\GunzLauncher.exe - probably a variant of Win32/TrojanDownloader.Agent trojan - cleaned by deleting - quarantined [1]
C:\Program Files\Euro Gunz Client 8.5.6\loveuro.exe » RAR » GunzLauncher.exe - probably a variant of Win32/TrojanDownloader.Agent trojan
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » javax/xml/bind/Messages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\deploy\ffjcext.zip » ZIP » {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\deploy\jqs\ff\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\browser.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\comm.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\pippki.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\reporter.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Real\RealPlayer\browserrecord\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Siber Systems\AI RoboForm\license-es.txt » MIME - is OK (internal scanning not performed)
C:\Program Files\Siber Systems\AI RoboForm\license-it.txt » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ArtistDisplay.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\GroupList label.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\HelpDisplay.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenEvaluation PlayerName.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenGameplay ActiveAttackList.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenGameplay player options.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenGameplay player.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenGameplay song options.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenOptions player.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenSelectMusic rank.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenSystemLayer message.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenSystemLayer stats.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenSystemLayer time.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenTitleMenu help.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenTitleMenu LifeDifficulty.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenTitleMenu MaxStages.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\ScreenUnlock text.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Fonts\_missing.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Graphics\Banner mode.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Graphics\Banner sort.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\StepMania\Themes\default\Sounds\ScreenNameEntry step.redir » MIME - is OK (internal scanning not performed)
C:\Program Files\WinRAR\Default.SFX » RAR » - next archive volume not found
C:\WINDOWS\I386\COMPDATA\MSMQCOMP.TXT » MIME - is OK (internal scanning not performed)
C:\WINDOWS\system32\azton.mt - Win32/Pinit.Y worm - cleaned by deleting - quarantined [1]
C:\WINDOWS\system32\qouit - Win32/Pinit virus - cleaned - quarantined
Number of scanned objects: 400757
Number of threats found: 6
Number of cleaned objects: 3
Time of completion: 14:53:30 Total scanning time: 18717 sec (05:11:57)
Notes:
[1] Object has been deleted as it only contained the virus body.
[4] Object cannot be opened. It may be in use by another application or operating system.

SuriNaruto
14 July 2009, 19:34
I read somewhere that things like this need to be dealt with quickly, so please help me ASAP. Thanks in advance ^^
EDIT: OMG, I GOT A BLUE SCREEN. WHAT SHOULD I DO? HELP ME ASAP.
I don't want to have to format again, but if I have to, then...

Tommiiee
15 July 2009, 03:03
What were you doing at the time of the BSOD, and what was the code shown on the BSOD?

And take it easy, eh. We'll help you. We're all doing our best.

If you'd rather be helped directly by a Spyware Slayer, you can say so.

SuriNaruto
15 July 2009, 14:37
What's a BSOD? I need to know that first, eh :D
Umm, you're still in training, so maybe it's better for a Spyware Slayer to help me together with you, because then you can learn even more; otherwise nobody will want you to help them later on and you won't become an SS ;)
Here's another screenshot of the viruses that are unable to clean:
http://i31.tinypic.com/2rfv4ud.jpg

Tommiiee
15 July 2009, 18:59
Hi SuriNaruto :)

BSOD = Blue Screen of Death ;)

----------------------------

Did you install Hotspot Shield yourself?
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll

Double-click the HijackThis program.
Choose 'Do a system scan only'.
Tick only the bold items listed below:

O4 - HKLM\..\Run: [ARC] C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\tempalbert\system32.exe

Close all windows except HijackThis.
Click 'Fix checked' to remove the items.

Download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
Double-click mbam-setup.exe to install the program.

Make sure that after installation the following are ticked:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
If an update is found it will be downloaded and installed.

Once the program has started, go to the Settings tab.
Tick: Terminate Internet Explorer during threat removal.
Then go to the Scanner tab and choose Perform quick scan.
Click Scan to start the scan.
The scan may take a while, so be patient.
When the scan is complete click OK, then Show Results to view the results.
Make sure everything there is ticked, then click: Remove Selected.
After removal a log will open and you will be asked to restart the computer.

The log is saved automatically by Malwarebytes' Anti-Malware and can be found by clicking the Logs tab in the program.
Post the contents of that log in your next reply, along with a new HijackThis log.
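
The two things Tommiiee picks out of the HijackThis log by eye (a Run key that launches an executable from the user's Temp folder under a system-looking name, and services whose owner is unknown or whose file is missing) can be checked mechanically. The script below is an added example written for this page; it is not HijackThis code and was not supplied by either poster. The regular expressions and the heuristics are the example's own assumptions, and the sample lines are copied or constructed from the logs in this thread.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread; not HijackThis code and not from either poster.
It automates two checks a removal helper does by eye on a log like the one
above: does an autostart run from a temp or user-profile directory under a
system-lookalike name, and does a service point at a missing file or a
binary with no vendor information. Sample lines are copied or constructed
from the logs in this thread.
"""
from __future__ import annotations

import re

# Directories a limited user (or a dropper running as one) can write to.
_USER_WRITABLE = re.compile(
    r"\\(temp|locals~1|local settings|application data|applic~1|docume~1|"
    r"documents and settings)\\",
    re.IGNORECASE,
)
# Names imitating core Windows components; a red flag outside %SystemRoot%.
_SYSTEM_LOOKALIKE = re.compile(
    r"\b(system32|svchost|winlogon|lsass|csrss|smss|services)\.exe$", re.IGNORECASE
)
_SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)

# O4 - HKLM\..\Run: [Name] C:\path\file.exe /args
_O4 = re.compile(
    r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# O23 - Service: Description (ShortName) - Vendor - C:\path\file.exe [(file missing)]
_O23 = re.compile(
    r"^O23 - Service: (?P<desc>.+?) \((?P<svc>[^()]+)\) - (?P<vendor>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def image_path(cmd: str) -> str:
    """Executable path from a Run-key command line; handles "quoted path" /flags."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> list[str]:
    """Reasons one HijackThis line deserves a closer look.

    An empty list means no heuristic fired, which is not proof the entry is benign.
    """
    reasons: list[str] = []
    m = _O4.match(line.strip())
    if m:
        path = image_path(m.group("cmd"))
        if _USER_WRITABLE.search(path):
            reasons.append("autostart runs from a temp or user-profile directory")
        if _SYSTEM_LOOKALIKE.search(path) and not _SYSTEM_DIR.match(path):
            reasons.append("system-component lookalike name outside %SystemRoot%")
        return reasons
    m = _O23.match(line.strip())
    if m:
        if m.group("missing"):
            reasons.append("service points to a missing file (orphaned entry)")
        elif m.group("vendor") == "Unknown owner":
            reasons.append("service binary carries no vendor information")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged line to its reasons; lines with no findings are omitted."""
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln))}


# Constructed sample: a handful of O4/O23 lines taken from the thread's logs.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ARC] C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\tempalbert\system32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

if __name__ == "__main__":
    for ln, reasons in triage_log(SAMPLE_HJT).items():
        print(ln)
        for reason in reasons:
            print("   ->", reason)
```

Run it as a script to see the three flagged lines from the sample, or feed a whole pasted HijackThis log to `triage_log`. The "Unknown owner" rule deliberately ranks below the others: legitimate software (the Hotspot Shield services in this log, which the user confirmed installing) trips it too, which is exactly why the helper asks about it rather than deleting it outright.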

SuriNaruto
15 July 2009, 20:28
I got the BSOD when I opened my IE browser.

Yes, I installed Hotspot Shield myself.

Umm, after the malware scan restarted the PC I got the same virus warnings from NOD32 again. If this happens once more when I start my PC, I'll report it here. And after booting my PC is still a bit slow, but faster than before.

And here are the logs.
Malware log:
Malwarebytes' Anti-Malware 1.39
Database version: 2434
Windows 5.1.2600 Service Pack 2
15-7-2009 20:08:28
mbam-log-2009-07-15 (20-08-28).txt
Scan type: Quick Scan
Objects scanned: 80299
Time elapsed: 5 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (Trojan.TDSS) -> Delete on reboot.
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\mqcd.dbt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qzhr1.ant (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files\SetupRes2.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\program files\CustomProductUI.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\Eigenaar\local settings\Temp\ewrcomxnas.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\azton.mt (Worm.Mario) -> Quarantined and deleted successfully.

Here is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:18:13, on 15-7-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDYT.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDPictureViewer.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDMovieViewer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paradigit.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPointII.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Formulieren opslaan - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Invul Formulieren - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Menu aanpassen - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RoboForm Werkbalk - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Formulier Invullen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Invul Formulieren - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Formulieren opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Werkbalk - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04}: NameServer = 213.46.228.196,62.179.104.196
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 11715 bytes
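
Two entries in the Malwarebytes log above deserve more attention than the rest: the geyekrdlxmqlkj.dll module reported as "Delete on reboot" (it was still loaded when MBAM ran, so removal was only scheduled), and the fact that the same file is listed under \\?\globalroot\systemroot\..., the NT object-namespace path form under which a file hidden by a TDSS-class rootkit turns up. The Python below is an added example written for this page, not Malwarebytes code; its log grammar is inferred from the 1.x log layout, and the sample log is constructed from the thread's entries in the English layout (the thread shows the Dutch localisation).

```python
r"""Parse a Malwarebytes' Anti-Malware 1.x log and pick out what still needs work.

Added example for this thread; not Malwarebytes code. Two details in a log
like the one above matter more than the "Quarantined and deleted" lines:
"Delete on reboot" means the object was still loaded and is only scheduled
for removal, and a path written as \\?\globalroot\... was reached through the
NT object namespace, which is how a file hidden by a TDSS-class rootkit gets
listed. The sample log is constructed from the thread's log in the English
1.x layout (the thread shows the Dutch localisation).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_SECTION = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# "<object> (<family>) -> <action>."; the action may contain "Bad: (0) Good: (1) ->"
_FINDING = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
_BAD_GOOD = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
_GLOBALROOT = re.compile(r"^\\\\\?\\globalroot\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    obj: str
    family: str
    action: str

    @property
    def pending_reboot(self) -> bool:
        """Object was in use; MBAM scheduled the deletion for the next boot."""
        return "delete on reboot" in self.action.lower()

    @property
    def via_globalroot(self) -> bool:
        r"""Path resolved through \\?\globalroot, typical of rootkit-hidden files."""
        return bool(_GLOBALROOT.match(self.obj))


def parse_mbam_log(text: str) -> list[Finding]:
    """Walk the per-section lists at the bottom of the log and collect findings."""
    findings: list[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or not line or line.startswith("("):
            continue  # header block, blank lines, "(No malicious items detected)"
        m = _FINDING.match(line)
        if m:
            findings.append(Finding(section, m["obj"], m["family"], m["action"]))
    return findings


def needs_followup(findings: list[Finding]) -> list[Finding]:
    """Findings to re-check after the reboot, or with a rootkit scanner."""
    return [f for f in findings if f.pending_reboot or f.via_globalroot]


def registry_data_fixes(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """(value path, bad data, restored data) for each repaired registry data item."""
    out = []
    for f in findings:
        m = _BAD_GOOD.search(f.action)
        if f.section == "Registry Data Items" and m:
            out.append((f.obj, m["bad"], m["good"]))
    return out


# Constructed sample in the English 1.x layout; entries taken from the thread's log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2434
Memory Modules Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\mqcd.dbt (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files\SetupRes2.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\Eigenaar\local settings\Temp\ewrcomxnas.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\azton.mt (Worm.Mario) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} findings, {len(needs_followup(found))} need follow-up")
    for f in needs_followup(found):
        print(f"  [{f.section}] {f.obj} ({f.family}) -> {f.action}")
    for path, bad, good in registry_data_fixes(found):
        print(f"  registry data {path}: {bad!r} restored to {good!r}")
```

`registry_data_fixes` also surfaces the Hijack.System.Hidden repair: the malware had set Explorer's SHOWALL\CheckedValue to 0 so that "Show hidden files" could not be switched on, and MBAM restored it to 1. On a real log, a non-empty `needs_followup` result is the cue to rescan after the reboot with a tool that looks for rootkit-hidden files, which is what the next post's ComboFix step does.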

Tommiiee
15 July 2009, 22:37
Hi SuriNaruto :)

Follow these instructions (http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden) to download ComboFix to your desktop.
If you have used ComboFix before, you may get a warning that an update is available. Allow ComboFix to be updated.

NOTE: if you get a warning from your antivirus or another real-time scanner during or after downloading ComboFix, or while running ComboFix, disable that scanner and download ComboFix again.
Some scanners treat certain components that ComboFix uses as suspicious and will block or delete them!



Double-click Combofix.exe
Follow the instructions and accept the disclaimer by clicking Yes.
If the Recovery Console is not installed, you will be asked to install it now by clicking YES in the Query - Recovery Console window.
Click OK and Yes to have the Recovery Console installed automatically.
Afterwards, click Yes again to start the malware scan.
Do NOT click in the window while the fix is running, as this will make your PC hang.


When the fix is complete and after the restart,
the log Combofix.txt will open.

SuriNaruto
16 July 2009, 22:44
Umm, I did that. Was I supposed to post the CF log? Oh well, I'll just do it. Hopefully this has fixed my PC; if not, I'll report it if I get messages from NOD32 again. I'll restart my PC in a moment to check. Do you need any other logs?
Here is the ComboFix log:
ComboFix 09-07-14.08 - Eigenaar 16-07-2009 22:16.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.479.204 [GMT 2:00]
Started from: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\autorun.inf
.
(((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 ))))))))))))))))))))))))))))))
.
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Malwarebytes
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\docume~1\Eigenaar\APPLIC~1\Malwarebytes
2009-07-15 17:54 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 17:54 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 14:23 . 2009-07-16 19:02 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend
2009-07-15 14:22 . 2009-07-15 14:22 -------- d-sh--w- c:\documents and settings\Eigenaar\IECompatCache
2009-07-14 17:32 . 2009-07-14 17:41 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-07-14 17:32 . 2009-07-14 17:41 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-07-14 17:32 . 2009-07-14 17:41 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-07-14 17:32 . 2008-06-02 13:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-07-14 17:32 . 2009-07-14 17:47 -------- d-----w- c:\program files\Spyware Doctor
2009-07-14 17:32 . 2009-07-14 17:32 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\PC Tools
2009-07-14 17:32 . 2009-07-14 17:32 -------- d-----w- c:\docume~1\Eigenaar\APPLIC~1\PC Tools
2009-07-14 04:24 . 2009-07-14 04:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-12 12:29 . 2009-03-09 13:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-12 12:29 . 2009-03-09 13:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-12 12:29 . 2009-03-09 13:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-12 12:29 . 2009-03-16 12:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-12 12:29 . 2009-03-16 12:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-12 12:27 . 2008-03-05 14:03 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2009-07-12 12:26 . 2007-04-04 16:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-07-12 12:12 . 2009-07-12 12:25 -------- d--h--w- c:\windows\msdownld.tmp
2009-07-12 12:11 . 2009-07-12 12:11 -------- d-----w- c:\windows\Logs
2009-07-09 15:55 . 2009-07-09 15:55 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\PCHealth
2009-07-09 15:55 . 2009-07-09 15:55 -------- d-----w- c:\docume~1\Eigenaar\LOCALS~1\APPLIC~1\PCHealth
2009-07-09 15:24 . 2009-07-09 15:24 -------- d-----w- C:\Hotspot Shield
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- C:\ijji
2009-07-08 15:37 . 2009-01-28 12:47 157144 ----a-w- c:\windows\system32\PubPlugin.dll
2009-07-08 15:37 . 2008-06-11 21:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\NHN USA
2009-07-08 15:37 . 2009-05-26 15:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-07-08 15:37 . 2009-05-12 18:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-07-07 11:22 . 2009-07-07 11:22 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Megaupload
2009-07-07 11:22 . 2009-07-07 11:22 -------- d-----w- c:\docume~1\Eigenaar\APPLIC~1\Megaupload
2009-07-07 10:09 . 2009-07-07 10:28 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\vlc
2009-07-07 10:09 . 2009-07-07 10:28 -------- d-----w- c:\docume~1\Eigenaar\APPLIC~1\vlc
2009-07-05 11:27 . 2009-07-05 11:27 -------- d-sh--w- c:\documents and settings\Eigenaar\PrivacIE
2009-07-05 11:03 . 2009-07-05 11:06 -------- dc-h--w- c:\windows\ie8
2009-07-04 19:28 . 2009-07-04 19:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-04 18:58 . 2009-07-04 18:58 -------- d-sh--w- c:\documents and settings\Eigenaar\IETldCache
2009-07-04 18:54 . 2009-07-05 16:07 -------- d-----w- c:\windows\ie8updates
2009-07-04 18:47 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-04 18:47 . 2009-04-30 21:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-04 18:47 . 2009-04-30 21:17 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-02 03:25 . 2009-07-02 03:25 25472 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-06-30 14:27 . 2009-06-30 14:27 -------- d-----w- c:\program files\PFPortChecker
2009-06-27 20:24 . 2009-06-27 20:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\docume~1\Eigenaar\LOCALS~1\APPLIC~1\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\docume~1\Eigenaar\APPLIC~1\TomTom
2009-06-27 20:09 . 2009-06-27 20:09 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-06-25 17:53 . 2009-07-02 09:07 -------- d-----w- c:\program files\LcdStudio
2009-06-25 14:58 . 2009-06-25 14:59 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\Logitech
2009-06-25 14:58 . 2009-06-25 14:59 -------- d-----w- c:\docume~1\Eigenaar\LOCALS~1\APPLIC~1\Logitech
2009-06-25 14:57 . 2009-06-25 14:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Logitech
2009-06-25 14:54 . 2009-06-25 14:54 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\LogiShrd
2009-06-25 14:54 . 2009-06-25 14:54 -------- d-----w- c:\docume~1\Eigenaar\LOCALS~1\APPLIC~1\LogiShrd
2009-06-25 14:53 . 2008-09-26 07:52 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2009-06-25 14:50 . 2009-06-25 14:51 -------- d-----w- c:\program files\Common Files\Logishrd
2009-06-25 14:50 . 2009-06-25 14:57 -------- d-----w- c:\program files\Logitech
2009-06-25 14:49 . 2009-06-25 14:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\LogiShrd
2009-06-24 16:16 . 2004-08-03 23:03 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-06-24 16:16 . 2004-08-03 23:03 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-24 16:16 . 2004-08-03 22:57 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-06-24 16:16 . 2004-08-03 22:57 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-06-19 11:52 . 2009-06-19 11:52 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\dvdcss
2009-06-19 11:52 . 2009-06-19 11:52 -------- d-----w- c:\docume~1\Eigenaar\APPLIC~1\dvdcss
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 18:29 . 2009-04-10 15:16 -------- d-----w- c:\program files\Euro Gunz Client 8.5.6
2009-07-15 14:10 . 2009-05-16 16:35 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-14 17:59 . 2005-02-01 22:32 86442 ----a-w- c:\windows\system32\perfc013.dat
2009-07-14 17:59 . 2005-02-01 22:32 499456 ----a-w- c:\windows\system32\perfh013.dat
2009-07-09 20:39 . 2009-01-30 16:39 -------- d-----w- c:\program files\Hotspot Shield
2009-07-08 15:37 . 2008-11-09 17:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 19:20 . 2008-11-09 17:20 11482 ----a-w- c:\documents and settings\Eigenaar\Application Data\wklnhst.dat
2009-07-06 19:20 . 2008-11-09 17:20 11482 ----a-w- c:\docume~1\Eigenaar\APPLIC~1\wklnhst.dat
2009-07-04 19:44 . 2009-04-12 13:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\IJJIGame
2009-07-04 13:26 . 2009-04-20 12:46 -------- d-----w- c:\program files\StepMania
2009-07-03 22:22 . 2008-11-09 18:32 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\uTorrent
2009-07-03 22:22 . 2008-11-09 18:32 -------- d-----w- c:\docume~1\Eigenaar\APPLIC~1\uTorrent
2009-07-02 02:34 . 2009-01-30 16:39 33840 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-06-30 11:18 . 2009-03-04 10:59 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\U3
2009-06-30 11:18 . 2009-03-04 10:59 -------- d-----w- c:\docume~1\Eigenaar\APPLIC~1\U3
2009-06-30 11:12 . 2008-11-10 11:43 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\AdobeUM
2009-06-30 11:12 . 2008-11-10 11:43 -------- d-----w- c:\docume~1\Eigenaar\APPLIC~1\AdobeUM
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-16 14:55 . 2005-02-01 22:32 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2005-02-01 22:31 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 12:41 . 2008-11-09 17:14 62744 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 12:41 . 2008-11-09 17:14 62744 ----a-w- c:\docume~1\Eigenaar\LOCALS~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2009-06-13 12:14 . 2008-11-10 11:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-13 12:12 . 2009-06-13 12:12 -------- d-----w- c:\program files\Adobe Media Player
2009-06-12 18:00 . 2009-06-12 17:43 -------- d-----w- c:\program files\PhotoScape
2009-06-12 14:49 . 2009-06-12 14:49 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-11 12:14 . 2009-01-19 19:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-06-09 18:35 . 2009-06-09 18:35 0 ----a-w- c:\windows\system32\cd.dat
2009-06-03 19:27 . 2005-02-01 22:31 1294848 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 10:41 . 2009-05-12 10:01 139 ----a-w- C:\chardump.bin
2009-05-13 05:06 . 2005-02-01 22:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:44 . 2005-02-01 22:31 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-19 20:12 . 2005-02-01 22:32 1846784 ----a-w- c:\windows\system32\win32k.sys
2009-02-18 11:11 . 2009-02-18 11:11 3072 --sha-w- c:\program files\Thumbs.db
2009-06-12 16:03 . 2009-03-13 10:59 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-07-09 20:37 218160 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-18 160592]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-08-27 970752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-09 185872]
"EPSON Stylus CX3600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-24 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-05-04 354312]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-05-04 1572872]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-05-04 2817544]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-22 77824]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-10-10 69632]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\docume~1\ALLUSE~1\MENUST~1\PROGRA~1\OPSTAR~1\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2008-11-13 323584]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-9 262144]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Euro Gunz Client 8.5.6\\loveur0.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6-2-2009 15:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6-2-2009 15:24 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6-2-2009 15:23 727720]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [15-6-2009 23:21 331312]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [25-6-2009 16:53 10384]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [30-1-2009 18:39 33840]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2-7-2009 5:25 25472]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\tkrrkfpfhl.exe service --> c:\windows\TEMP\tkrrkfpfhl.exe service [?]
S2 nmghcslqv;Boot Helper;c:\windows\system32\svchost.exe -k netsvcs [2-2-2005 0:32 14336]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [2-7-2009 5:26 57640]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [19-3-2009 16:48 29184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys --> c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [14-7-2009 19:32 356920]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nmghcslqv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)
HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startpagina.nl/
uInternet Connection Wizard,ShellNext = hxxp://www.paradigit.nl/
uInternet Settings,ProxyOverride = <local>
IE: Formulieren opslaan - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Invul Formulieren - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Menu aanpassen - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: RoboForm Werkbalk - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
TCP: {B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04} = 213.46.228.196,62.179.104.196
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
FF - ProfilePath - c:\docume~1\Eigenaar\APPLIC~1\Mozilla\Firefox\Profiles\wjxqmnar.default\
FF - prefs.js: browser.startup.homepage - startpagina.nl
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
.
************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 22:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1444)
geyekrdlxmqlkj.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-07-16 22:40
ComboFix-quarantined-files.txt 2009-07-16 20:39
Pre-Run: 13,540,380,672 bytes free
Post-Run: 13,672,480,768 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
247 --- E O F --- 2009-07-15 16:09
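Three entries in the ComboFix log above are the ones a malware-removal helper would triage first: the AlerterALG service, started from c:\windows\TEMP with a random-looking binary name that ComboFix cannot stat (the `[?]` marker); the nmghcslqv service, hosted in `svchost.exe -k netsvcs` and listed under the NetSvcs key (ComboFix already hides the legitimate default members there, so anything it does list is of interest); and geyekrdlxmqlkj.dll, loaded into winlogon.exe through a `\\?\globalroot\` path rather than a drive-letter path. The script below is an added example, not ComboFix's code and not part of this thread; it encodes those three checks as heuristics and runs them over a subset of the posted lines. The vowel-ratio threshold for "random-looking" names and the reason labels are this example's own assumptions.

```python
"""Heuristic triage of ComboFix service, NetSvcs and loaded-DLL lines.

Added example, not ComboFix's own code. The sample lines are copied from
the log posted in this thread; the rules, threshold and reason strings are
this example's own assumptions.
"""
import re

# Reason labels (this example's own wording).
R_TEMP = "service binary lives under a Temp directory"
R_UNVERIFIED = "ComboFix could not stat the binary ([?])"
R_NETSVCS = "hosted in svchost -k netsvcs and listed under the NetSvcs key"
R_RANDOM = "random-looking name (long, lowercase, almost no vowels)"
R_GLOBALROOT = "module path given via \\\\?\\globalroot, not a drive letter"

SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;(.*)$")   # "S2 name;display;path [...]"
PROC_RE = re.compile(r"^- - .*'([^']+)'\((\d+)\)")           # "- - - > 'winlogon.exe'(1444)"
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")                     # bare NetSvcs entry
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Subset of the ComboFix log posted above (copied, with forum line-wrap spaces removed).
SAMPLE_LOG = r"""
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6-2-2009 15:23 106208]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6-2-2009 15:23 727720]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\tkrrkfpfhl.exe service --> c:\windows\TEMP\tkrrkfpfhl.exe service [?]
S2 nmghcslqv;Boot Helper;c:\windows\system32\svchost.exe -k netsvcs [2-2-2005 0:32 14336]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys --> c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nmghcslqv
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1444)
geyekrdlxmqlkj.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
"""


def looks_random(name: str) -> bool:
    """Assumed heuristic: 8+ letters, all lowercase, fewer than 20% vowels.
    Flags tkrrkfpfhl / nmghcslqv / geyekrdlxmqlkj; leaves epfwtdir (25%) alone."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8 or any(c.isupper() for c in letters):
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def netsvcs_entries(lines):
    """Names ComboFix prints under the 'Svchost - NetSvcs' header."""
    found, collecting = set(), False
    for line in lines:
        if line.endswith("Svchost - NetSvcs"):
            collecting = True
            continue
        if collecting:
            if NAME_RE.match(line):
                found.add(line)
            else:
                collecting = False          # first non-name line ends the block
    return found


def triage(log_text: str) -> dict:
    """Return {item: [reasons]} for services and loaded DLLs worth a look."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    hosted = netsvcs_entries(lines)
    findings = {}

    def flag(item, reason):
        findings.setdefault(item, []).append(reason)

    process = None                          # set while inside a loaded-DLLs block
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2)
            if TEMP_RE.search(rest):
                flag(name, R_TEMP)
            if rest.endswith("[?]"):
                flag(name, R_UNVERIFIED)
            if "svchost.exe -k netsvcs" in rest.lower() and name in hosted:
                flag(name, R_NETSVCS)
            if looks_random(name):
                flag(name, R_RANDOM)
            continue
        m = PROC_RE.match(line)
        if m:
            process = m.group(1)
            continue
        if process and line.lower().endswith(".dll"):
            path = line.split()[-1]         # last token is the module path
            base = path.rsplit("\\", 1)[-1]
            item = f"{base} in {process}"
            if "\\globalroot\\" in path.lower():
                flag(item, R_GLOBALROOT)
            if looks_random(base.rsplit(".", 1)[0]):
                flag(item, R_RANDOM)
        elif process and line == ".":
            process = None
    return findings


if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_LOG).items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

Run against the posted lines it reports AlerterALG (Temp path, unverifiable), nmghcslqv (NetSvcs-hosted, random name), NTProcDrv (unverifiable only; the path points into a game-bot folder, which is a judgement call rather than a rule) and geyekrdlxmqlkj.dll in winlogon.exe (globalroot path, random name), and stays quiet on ekrn, ehdrv and AdobeDriveCS4_NP.dll.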

SuriNaruto
16 July 2009, 23:35
I had just restarted my PC and got this message again http://i31.tinypic.com/2rfv4ud.jpg
Luckily it was only the balloon message, so the bottom one is already gone, and the other viruses too, so now I'm stuck with that one virus from the balloon :wall:

Tommiiee
18 July 2009, 01:12
Hi,

Open a Notepad file.
Copy the text below (everything in bold) into this Notepad file.

@ECHO OFF
REM Remove the log from a previous run so the new one starts clean
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
REM One path per line between the parentheses; each is tried in turn
FOR %%g in (
C:\Windows\system32\geyekrdlxmqlkj.dll
) DO (
IF EXIST %%g (
REM Clear the read-only, system and hidden attributes first, otherwise DEL refuses
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Go to File - Save As.
Under "Save in" choose: Desktop
Under "File name" enter: del.bat
Under "Save as type" select: All files (*.*).
Click the Save button.

Now boot your PC into Safe Mode. Read here (http://www.pchelper.nl/forum/index.php?showtopic=18078) how to do that.

Double-click del.bat and post the contents of the log file that opens in your next reply.
Also let me know whether you still get that message from NOD32, and post a fresh HijackThis log.

Kind regards,
Tom

SuriNaruto
18 July 2009, 17:41
I still get this virus message; I think you gave me the wrong one:
http://i32.tinypic.com/11gua1f.jpg

Here are the logs:
Deleting files
C:\Windows\system32\geyekrdlxmqlkj.dll not found

hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:20, on 18-7-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDYT.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDPictureViewer.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDMovieViewer.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paradigit.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPointII.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Formulieren opslaan - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Invul Formulieren - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Menu aanpassen - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RoboForm Werkbalk - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Formulier Invullen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Invul Formulieren - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Formulieren opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Werkbalk - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04}: NameServer = 213.46.228.196,62.179.104.196
O23 - Service: Alerter AlerterALG (AlerterALG) - Unknown owner - C:\WINDOWS\TEMP\tkrrkfpfhl.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 11549 bytes
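The HijackThis log above carries the same story in a different format: the O23 line for AlerterALG now reads "Unknown owner" with "(file missing)" on a binary under C:\WINDOWS\TEMP, and npggsvc points at a binary that is also missing. Two further line types deserve a look on any HJT log: O4 Run entries that name an executable or DLL without a path (SOUNDMAN.EXE, KHALMNPR.EXE, the SiSPower.dll handed to Rundll32.exe here), which Windows resolves by search order rather than from a fixed location, and the O17 NameServer entry, which is where DNS hijacks show up and which should be checked against the DNS servers you expect for that connection. The script below is an added example, not HijackThis's own logic and not part of the thread; it parses those three line types from a copied subset of the log. The reason labels and the `trusted_dns` allow-list parameter are this example's own assumptions.

```python
"""Triage of HijackThis O4 / O17 / O23 lines.

Added example, not HijackThis's own logic. The sample lines are copied
from the HijackThis log posted above; the rules, labels and the idea of a
caller-supplied trusted DNS list are this example's own assumptions.
"""
import re

R_UNQUALIFIED = "Run entry names an executable/DLL without a path (resolved by search order)"
R_MISSING = "service binary reported missing"
R_TEMP = "service binary under a Temp directory"
R_DNS = "NameServer not in the trusted DNS list"

O4_RE = re.compile(r"^O4 - (.+?): \[([^\]]+)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*?(\{[0-9A-Fa-f-]+\}): NameServer = (.+)$")
# O23 lines whose display name is followed by "(shortname) - owner - path";
# entries without a parenthesised short name are not parsed by this example.
O23_RE = re.compile(r"^O23 - Service: (.+?) \(([^()]+)\) - (.+?) - (.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Subset of the HijackThis log posted above (copied).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04}: NameServer = 213.46.228.196,62.179.104.196
O23 - Service: Alerter AlerterALG (AlerterALG) - Unknown owner - C:\WINDOWS\TEMP\tkrrkfpfhl.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""


def run_target(command: str) -> str:
    """The file a Run command really loads: the first (possibly quoted)
    token, or, for Rundll32.exe, the DLL named in its first argument."""
    if command.startswith('"'):
        end = command.index('"', 1)
        exe, rest = command[1:end], command[end + 1:].strip()
    else:
        exe, _, rest = command.partition(" ")
    if exe.lower().endswith("rundll32.exe") and rest:
        return rest.split(",")[0].strip().strip('"')
    return exe


def triage_hjt(log_text: str, trusted_dns=()) -> dict:
    """Return {item: [reasons]}. trusted_dns: resolvers you expect on this
    connection; with the default empty tuple every O17 entry is reported."""
    findings = {}

    def flag(item, reason):
        findings.setdefault(item, []).append(reason)

    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            if "\\" not in run_target(m.group(3)):
                flag("O4 " + m.group(2), R_UNQUALIFIED)
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group(2).split(",")]
            if any(s not in trusted_dns for s in servers):
                flag("O17 " + m.group(1), R_DNS)
            continue
        m = O23_RE.match(line)
        if m:
            item, path = "O23 " + m.group(2), m.group(4)
            if TEMP_RE.search(path):
                flag(item, R_TEMP)
            if path.endswith("(file missing)"):
                flag(item, R_MISSING)
    return findings


if __name__ == "__main__":
    for item, reasons in triage_hjt(SAMPLE_HJT).items():
        print(item, "->", "; ".join(reasons))
```

With no trusted DNS list the O17 entry is reported for review; passing the two resolvers from the log as `trusted_dns` silences it, which is how you would run it for a machine whose ISP resolvers you know. "Unknown owner" on its own is deliberately not a rule here: HotspotShieldService carries it too and its binary is present, so the combination with a missing or Temp-resident binary is what the example keys on.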

Tommiiee
18 July 2009, 17:42
Hi,

Could you tell me exactly where NOD32 finds that file/rootkit?

SuriNaruto
19 July 2009, 14:30
I only get this:
Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean

Tommiiee
19 July 2009, 15:24
Hi,

Uninstall Combofix via Start --> Run.
Type Combofix /u and press OK.
http://i78.photobucket.com/albums/j116/amateur_photos/CFuninstall.png

Empty the NOD32 quarantine folder, and download Combofix again:

Follow these (http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden) instructions to download Combofix to your Desktop.
If you have used Combofix before, you may get a warning that an update is available. Allow ComboFix to update.

NOTE: if you get a warning from your antivirus or another real-time scanner during or after downloading Combofix, or while running Combofix, disable that scanner and download Combofix again.
Some scanners treat certain components Combofix uses as suspicious and will block or delete them!

Double-click Combofix.exe
Follow the instructions and accept the disclaimer by clicking Yes.
If the Recovery Console is not installed, you will be asked to install it by clicking YES in the Query - Recovery Console window.
Click OK and Yes to have the Recovery Console installed automatically.
Afterwards, click Yes again to start the malware scan.
While the fix is running, do NOT click in the window, as this will make your PC hang.

When the fix has finished and after the restart,
the log Combofix.txt will open.
Paste the contents of that log in your next reply.

SuriNaruto
20 July 2009, 16:20
Here is the log:
ComboFix 09-07-19.04 - Eigenaar 20-07-2009 15:53.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.479.189 [GMT 2:00]
Running from: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Eigenaar\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
.
(((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 ))))))))))))))))))))))))))))))
.
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Malwarebytes
2009-07-15 17:54 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 17:54 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 14:23 . 2009-07-20 13:43 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend
2009-07-15 14:22 . 2009-07-15 14:22 -------- d-sh--w- c:\documents and settings\Eigenaar\IECompatCache
2009-07-14 17:32 . 2009-07-14 17:41 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-07-14 17:32 . 2009-07-14 17:41 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-07-14 17:32 . 2009-07-14 17:41 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-07-14 17:32 . 2008-06-02 13:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-07-14 17:32 . 2009-07-14 17:47 -------- d-----w- c:\program files\Spyware Doctor
2009-07-14 17:32 . 2009-07-14 17:32 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\PC Tools
2009-07-14 04:24 . 2009-07-14 04:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-12 12:29 . 2009-03-09 13:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-12 12:29 . 2009-03-09 13:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-12 12:29 . 2009-03-09 13:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-12 12:29 . 2009-03-16 12:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-12 12:29 . 2009-03-16 12:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-12 12:27 . 2008-03-05 14:03 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2009-07-12 12:26 . 2007-04-04 16:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-07-12 12:12 . 2009-07-12 12:25 -------- d--h--w- c:\windows\msdownld.tmp
2009-07-12 12:11 . 2009-07-12 12:11 -------- d-----w- c:\windows\Logs
2009-07-09 15:55 . 2009-07-09 15:55 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\PCHealth
2009-07-09 15:24 . 2009-07-09 15:24 -------- d-----w- C:\Hotspot Shield
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- C:\ijji
2009-07-08 15:37 . 2009-01-28 12:47 157144 ----a-w- c:\windows\system32\PubPlugin.dll
2009-07-08 15:37 . 2008-06-11 21:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\NHN USA
2009-07-08 15:37 . 2009-05-26 15:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-07-08 15:37 . 2009-05-12 18:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-07-07 11:22 . 2009-07-07 11:22 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Megaupload
2009-07-07 10:09 . 2009-07-07 10:28 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\vlc
2009-07-05 11:27 . 2009-07-05 11:27 -------- d-sh--w- c:\documents and settings\Eigenaar\PrivacIE
2009-07-05 11:03 . 2009-07-05 11:06 -------- dc-h--w- c:\windows\ie8
2009-07-04 19:28 . 2009-07-04 19:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-04 18:58 . 2009-07-04 18:58 -------- d-sh--w- c:\documents and settings\Eigenaar\IETldCache
2009-07-04 18:54 . 2009-07-05 16:07 -------- d-----w- c:\windows\ie8updates
2009-07-04 18:47 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-04 18:47 . 2009-04-30 21:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-04 18:47 . 2009-04-30 21:17 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-02 03:25 . 2009-07-02 03:25 25472 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-06-30 14:27 . 2009-06-30 14:27 -------- d-----w- c:\program files\PFPortChecker
2009-06-27 20:24 . 2009-06-27 20:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\TomTom
2009-06-27 20:09 . 2009-06-27 20:09 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-06-25 17:53 . 2009-07-02 09:07 -------- d-----w- c:\program files\LcdStudio
2009-06-25 14:58 . 2009-06-25 14:59 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\Logitech
2009-06-25 14:57 . 2009-06-25 14:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Logitech
2009-06-25 14:54 . 2009-06-25 14:54 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\LogiShrd
2009-06-25 14:53 . 2008-09-26 07:52 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2009-06-25 14:50 . 2009-06-25 14:51 -------- d-----w- c:\program files\Common Files\Logishrd
2009-06-25 14:50 . 2009-06-25 14:57 -------- d-----w- c:\program files\Logitech
2009-06-25 14:49 . 2009-06-25 14:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\LogiShrd
2009-06-24 16:16 . 2004-08-03 23:03 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-06-24 16:16 . 2004-08-03 23:03 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-24 16:16 . 2004-08-03 22:57 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-06-24 16:16 . 2004-08-03 22:57 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 15:40 . 2009-03-30 12:10 -------- d-----w- c:\program files\PokerStars
2009-07-18 15:05 . 2009-06-12 17:43 -------- d-----w- c:\program files\PhotoScape
2009-07-15 18:29 . 2009-04-10 15:16 -------- d-----w- c:\program files\Euro Gunz Client 8.5.6
2009-07-15 14:10 . 2009-05-16 16:35 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-14 17:59 . 2005-02-01 22:32 86442 ----a-w- c:\windows\system32\perfc013.dat
2009-07-14 17:59 . 2005-02-01 22:32 499456 ----a-w- c:\windows\system32\perfh013.dat
2009-07-09 20:39 . 2009-01-30 16:39 -------- d-----w- c:\program files\Hotspot Shield
2009-07-08 15:37 . 2008-11-09 17:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 19:20 . 2008-11-09 17:20 11482 ----a-w- c:\documents and settings\Eigenaar\Application Data\wklnhst.dat
2009-07-04 19:44 . 2009-04-12 13:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\IJJIGame
2009-07-04 13:26 . 2009-04-20 12:46 -------- d-----w- c:\program files\StepMania
2009-07-03 22:22 . 2008-11-09 18:32 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\uTorrent
2009-07-02 02:34 . 2009-01-30 16:39 33840 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-06-30 11:18 . 2009-03-04 10:59 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\U3
2009-06-30 11:12 . 2008-11-10 11:43 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\AdobeUM
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-19 11:52 . 2009-06-19 11:52 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\dvdcss
2009-06-16 14:55 . 2005-02-01 22:32 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2005-02-01 22:31 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 12:41 . 2008-11-09 17:14 62744 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 12:14 . 2008-11-10 11:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-13 12:12 . 2009-06-13 12:12 -------- d-----w- c:\program files\Adobe Media Player
2009-06-12 14:49 . 2009-06-12 14:49 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-11 12:14 . 2009-01-19 19:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-06-09 18:35 . 2009-06-09 18:35 0 ----a-w- c:\windows\system32\cd.dat
2009-06-03 19:27 . 2005-02-01 22:31 1294848 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 10:41 . 2009-05-12 10:01 139 ----a-w- C:\chardump.bin
2009-05-13 05:06 . 2005-02-01 22:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:44 . 2005-02-01 22:31 345600 ----a-w- c:\windows\system32\localspl.dll
2009-02-18 11:11 . 2009-02-18 11:11 3072 --sha-w- c:\program files\Thumbs.db
2009-06-12 16:03 . 2009-03-13 10:59 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-07-09 20:37 218160 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-18 160592]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-08-27 970752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-09 185872]
"EPSON Stylus CX3600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-24 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-05-04 354312]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-05-04 1572872]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-05-04 2817544]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-22 77824]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-10-10 69632]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\docume~1\ALLUSE~1\MENUST~1\PROGRA~1\OPSTAR~1\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2008-11-13 323584]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-9 262144]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Euro Gunz Client 8.5.6\\loveur0.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6-2-2009 15:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6-2-2009 15:24 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6-2-2009 15:23 727720]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [15-6-2009 23:21 331312]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [25-6-2009 16:53 10384]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [30-1-2009 18:39 33840]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2-7-2009 5:25 25472]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\tkrrkfpfhl.exe service --> c:\windows\TEMP\tkrrkfpfhl.exe service [?]
S2 nmghcslqv;Boot Helper;c:\windows\system32\svchost.exe -k netsvcs [2-2-2005 0:32 14336]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [2-7-2009 5:26 57640]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [19-3-2009 16:48 29184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys --> c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [14-7-2009 19:32 356920]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nmghcslqv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.startpagina.nl/
uInternet Connection Wizard,ShellNext = hxxp://www.paradigit.nl/
uInternet Settings,ProxyOverride = <local>
IE: Formulieren opslaan - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Invul Formulieren - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Menu aanpassen - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: RoboForm Werkbalk - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
TCP: {B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04} = 213.46.228.196,62.179.104.196
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
FF - ProfilePath - c:\docume~1\Eigenaar\APPLIC~1\Mozilla\Firefox\Profiles\wjxqmnar.default\
FF - prefs.js: browser.startup.homepage - startpagina.nl
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
.
************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 16:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1440)
geyekrdlxmqlkj.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-07-20 16:16
ComboFix-quarantined-files.txt 2009-07-20 14:16
ComboFix2.txt 2009-07-16 20:40
Pre-Run: 20,120,662,016 bytes free
Post-Run: 20,159,774,720 bytes free
223 --- E O F --- 2009-07-15 16:09
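
The ComboFix log above is long, and the entries that matter are scattered through the R/S driver and service list. The script below is an added example for this thread (it is not ComboFix's code and not written by anyone posting here); it parses that list and flags entries on four heuristics the log itself supports: ComboFix printed [?] instead of a file date and size (the binary could not be read on disk), the binary sits under a temp or user-profile directory, the service is a non-default member of the svchost netsvcs group (ComboFix's own note says legit default entries are not shown, so anything it lists under NetSvcs is non-default), and the service or binary name looks machine-generated. SAMPLE_LOG is copied from the log above, not constructed. Expect one false positive from the name check: nProtect GameGuard's service is called npggsvc, an acronym with no vowels.

```python
"""Triage the R/S driver and service section of a ComboFix log for persistence
that deserves a closer look.  Added example for this thread; it is not ComboFix's
code and not from anyone posting here.  SAMPLE_LOG is copied from the log above."""
import re

# "<start> <service name>;<display name>;<image path> [<date time size>]"
# The bracket holds "?" when ComboFix could not read the file's date and size.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s+\[(?P<info>[^\]]*)\]$")
# Executable or driver at the front of an image path, before any arguments.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|sys|dll|des|ocx))(?:\s|$)", re.IGNORECASE)
NETSVCS_HEADER = "Svchost - NetSvcs"


def looks_random(token):
    """Crude detector for generated names: letters only, 7+ chars, and either no
    vowels at all or six or more consonants in a row.  Acronyms trip it too (the
    GameGuard service 'npggsvc' below), so it is a hint for a human, not a verdict."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if len(letters) < 7:
        return False
    return not re.search(r"[aeiouy]", letters) or re.search(r"[^aeiouy]{6,}", letters) is not None


def netsvcs_members(lines):
    """Names ComboFix prints under 'Svchost - NetSvcs'.  The log's own note says
    legit default entries are not shown, so anything listed here is non-default."""
    names, grab = set(), False
    for line in lines:
        if NETSVCS_HEADER in line:
            grab = True
        elif grab:
            if not line or line[0] in "[.-":
                break
            names.add(line.lower())
    return names


def triage(log_text):
    """Return {service name: {"exe": path, "reasons": [...]}} for every R/S entry
    that trips at least one heuristic."""
    lines = [l.strip() for l in log_text.splitlines()]
    nondefault = netsvcs_members(lines)
    findings = {}
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name = m["name"].strip()
        # "<registered path> --> <resolved path>" appears when the file could not
        # be verified; keep the registered path and drop the NT \??\ prefix.
        image = m["image"].split(" --> ")[0].strip()
        if image.startswith("\\??\\"):
            image = image[4:]
        em = EXE_RE.match(image)
        exe = em["exe"] if em else image
        low, reasons = exe.lower(), []
        if m["info"].strip() == "?":
            reasons.append("no file date/size: binary missing or unreadable on disk")
        if "\\temp\\" in low or "\\documents and settings\\" in low or "\\docume~1\\" in low:
            reasons.append("binary lives in a temp or user-profile directory")
        if low.endswith("svchost.exe") and "-k netsvcs" in image.lower() and name.lower() in nondefault:
            reasons.append("non-default netsvcs member: a DLL loading inside a shared svchost")
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        for token, what in ((name, "service name"), (stem, "binary name")):
            if looks_random(token):
                reasons.append(f"{what} '{token}' looks machine-generated")
        if reasons:
            findings[name] = {"exe": exe, "reasons": reasons}
    return findings


# Copied from the ComboFix log posted above (not constructed).
SAMPLE_LOG = r"""
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6-2-2009 15:23 106208]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6-2-2009 15:23 727720]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [15-6-2009 23:21 331312]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\tkrrkfpfhl.exe service --> c:\windows\TEMP\tkrrkfpfhl.exe service [?]
S2 nmghcslqv;Boot Helper;c:\windows\system32\svchost.exe -k netsvcs [2-2-2005 0:32 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys --> c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [14-7-2009 19:32 356920]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nmghcslqv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"""

if __name__ == "__main__":
    for name, f in triage(SAMPLE_LOG).items():
        print(f"{name}: {f['exe']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample it returns four entries: AlerterALG (an executable in c:\windows\TEMP that ComboFix could not read, with a vowel-less name), nmghcslqv (a "Boot Helper" that loads inside a shared svchost through the non-default netsvcs list), NTProcDrv (a kernel driver registered from a game-bot folder on the user's desktop) and npggsvc (the GameGuard false positive). The heuristics only sort the list for a human; nothing here identifies a malware family, and a flagged entry still needs the file itself looked at.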

SuriNaruto
20 July 2009, 16:36
I've just restarted my PC and I'm getting this message again:
Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean
I had followed all the steps you said.
Maybe it's better to try another fixer/cleaner or to consult someone.

Tommiiee
20 July 2009, 17:02
Maybe it's better to try another fixer/cleaner or to consult someone.
All my fixes are checked by Spyware Slayers.

I've made inquiries for you. You'll hear the outcome in due course.

Tom

SuriNaruto
20 July 2009, 21:05
What now? Maybe I'll type that virus into the internet in a bit and see what I get.

Tommiiee
21 July 2009, 02:01
Well, it's your PC, but I do have a possible solution; it's just that my supervising Spyware Slayer has his own thoughts on it. I'm only allowed to post once something has been approved, and I haven't had a reply yet.

Mosquitos
21 July 2009, 12:05
.....

Tommiiee
21 July 2009, 13:51
Hi,

Download GMER from here:
http://www.gmer.net/gmer.zip

Extract the files to the desktop.

Note: close all open programs/windows!

Open GMER and click on the Rootkit/Malware tab.
Make sure all the boxes on the right-hand side are checked, except "Show all".
http://i41.tinypic.com/2wg8via.gif

Click Scan (1).
http://i44.tinypic.com/jijosi.gif

When the scan is finished, click Copy and paste the results in your next post.

SuriNaruto
21 July 2009, 21:07
I got a message that a rootkit was found ^^ here is the log:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-21 21:05:08
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----
SSDT 848F8A60 ZwOpenProcess
SSDT 848F8E80 ZwOpenThread
SSDT 848F9460 ZwSuspendProcess
SSDT 848F9280 ZwSuspendThread
SSDT 848F8C90 ZwTerminateProcess
SSDT 848F90B0 ZwTerminateThread
INT 0x62 ? 851DEBF8
INT 0x82 ? 851DEBF8
INT 0x83 ? 85171BF8
INT 0x84 ? 84F91F00
INT 0x94 ? 84F91F00
INT 0xA4 ? 84F91F00
INT 0xB4 ? 84F91F00
Code 84F00748 ZwEnumerateKey
Code 84F00670 ZwFlushInstructionCache
Code 84F00F36 ZwSaveKey
Code 84F00E5E ZwSaveKeyEx
Code 84ED12C6 IofCallDriver
Code 84ED1416 IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE00A 5 Bytes JMP 84ED12CB
.text ntkrnlpa.exe!IofCompleteRequest 804EE09A 5 Bytes JMP 84ED141B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AAC4A 5 Bytes JMP 84F00674
PAGE ntkrnlpa.exe!ZwSaveKey 806173DA 5 Bytes JMP 84F00F3A
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8061746A 5 Bytes JMP 84F00E62
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619770 5 Bytes JMP 84F0074C
? spwt.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F63A762C 5 Bytes JMP 84F914E0
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[316] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0291000A
.text C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe[448] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 009B000A
.text C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe[468] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 029C000A
.text C:\WINDOWS\Explorer.EXE[476] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00B5000A
.text C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe[512] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003D000A
.text ...
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1040] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\SOUNDMAN.EXE[1060] ntdll.dll!LdrLoadDll 7C915CBB 3 Bytes JMP 0092000A
.text C:\WINDOWS\SOUNDMAN.EXE[1060] ntdll.dll!LdrLoadDll + 4 7C915CBF 1 Byte [84]
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1088] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0091000A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1104] ntdll.dll!LdrLoadDll 7C915CBB 3 Bytes JMP 0292000A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[1104] ntdll.dll!LdrLoadDll + 4 7C915CBF 1 Byte [86]
.text ...
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] kernel32.dll!LoadResource 7C809FC5 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] kernel32.dll!FindResourceExW 7C80AC98 7 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] kernel32.dll!FindResourceW 7C80BBDE 7 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] kernel32.dll!SizeofResource 7C80BC79 7 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] kernel32.dll!FindResourceA 7C80BE99 7 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] kernel32.dll!LockResource 7C80CCA7 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] kernel32.dll!CreateEventA 7C8308C9 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] kernel32.dll!FindResourceExA 7C835FC0 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] ADVAPI32.dll!CryptDeriveKey 77F5A1A5 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] ADVAPI32.dll!CryptDecrypt 77F5A2D1 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!GetWindowLongW 7E3988A6 7 Bytes JMP 280069E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!PeekMessageW 7E39929B 5 Bytes JMP 280045B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!CreateWindowExW 7E39FC25 5 Bytes JMP 28003C70 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!SetWindowRgn 7E39FFB2 7 Bytes JMP 28005EC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!LoadIconW 7E3A0894 5 Bytes JMP 28006840 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!LoadImageW 7E3A2CFE 5 Bytes JMP 28006650 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!CreateDialogParamW 7E3A7D4F 5 Bytes JMP 28006000 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!SetWindowPlacement 7E3AD84C 5 Bytes JMP 28005D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 280061F0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] USER32.dll!TrackPopupMenuEx 7E3ECD28 5 Bytes JMP 28004E90 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] WS2_32.dll!send 71A3428A 5 Bytes JMP 2800B1C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 2800AFA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] WS2_32.dll!recv 71A3615A 5 Bytes JMP 2800AE00 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 2800B3A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 2800B5E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] SHELL32.dll!Shell_NotifyIconW 7CA21BEA 5 Bytes JMP 280033D0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] ole32.dll!CoInitializeEx 774BEF6B 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] ole32.dll!CoCreateInstance 774BFAC3 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] ole32.dll!CoRegisterClassObject 774D8720 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] WININET.dll!InternetReadFile 40CB654B 5 Bytes JMP 28009E50 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] WININET.dll!InternetCloseHandle 40CB9088 5 Bytes JMP 2800A000 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] WININET.dll!HttpOpenRequestA 40CBD5E8 5 Bytes JMP 28009CC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2892] WININET.dll!HttpSendRequestA 40CCEEB9 5 Bytes JMP 28009F30 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\WINDOWS\system32\DllHost.exe[2948] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 008C000A
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72C6040] spwt.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72C613C] spwt.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72C60BE] spwt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72C67FC] spwt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72C66D2] spwt.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 851CD1F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \FileSystem\Fastfat \FatCdrom 848A21F8
Device \Driver\usbohci \Device\USBPDO-0 84FA5500
Device \Driver\usbohci \Device\USBPDO-1 84FA5500
Device \Driver\usbohci \Device\USBPDO-2 84FA5500
Device \Driver\usbehci \Device\USBPDO-3 84FA4500
Device \Driver\NetBT \Device\NetBT_Tcpip_{B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04} 84BEB500
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\Ftdisk \Device\HarddiskVolume1 851DF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 851DE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 851DE1F8
Device \Driver\atapi \Device\Ide\IdePort0 851DE1F8
Device \Driver\atapi \Device\Ide\IdePort1 851DE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 851DE1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E5DCAD3B-62B4-4F85-AB9B-4EF4F1F4793C} 84BEB500
Device \Driver\NetBT \Device\NetBt_Wins_Export 84BEB500
Device \Driver\PCI_PNP1050 \Device\00000078 spwt.sys
Device \Driver\PCI_PNP1050 \Device\00000078 spwt.sys
Device \Driver\NetBT \Device\NetbiosSmb 84BEB500
Device \Driver\usbohci \Device\USBFDO-0 84FA5500
Device \Driver\usbohci \Device\USBFDO-1 84FA5500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84AE91F8
Device \Driver\usbohci \Device\USBFDO-2 84FA5500
Device \Driver\sptd \Device\612687300 spwt.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector 84AE91F8
Device \Driver\usbehci \Device\USBFDO-3 84FA4500
Device \Driver\NetBT \Device\NetBT_Tcpip_{D106D0AE-FE27-4E9C-A2D8-60F86FB003AF} 84BEB500
Device \Driver\Ftdisk \Device\FtControl 851DF1F8
Device \Driver\azvtxdk0 \Device\Scsi\azvtxdk01 84E911F8
Device \Driver\SiSRaid \Device\Scsi\SiSRaid1 851CE1F8
Device \FileSystem\Fastfat \Fat 848A21F8
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
Device \FileSystem\Cdfs \Cdfs 84E3F3E8
---- Threads - GMER 1.0.15 ----
Thread System [4:692] 848F7790
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE [316] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [360] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe [408] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe [448] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe [468] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [476] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe [512] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe [560] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDYT.exe [568] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDPictureViewer.exe [576] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDMovieViewer.exe [584] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [672] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [784] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [968] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [1040] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\SOUNDMAN.EXE [1060] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [1088] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Common Files\Real\Update_OB\realsched.exe [1104] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE [1112] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [1144] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe [1200] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [1208] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [1232] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1268] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Hotspot Shield\bin\openvpnas.exe [1308] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [1360] 0x00BB0000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\DAEMON Tools Lite\daemon.exe [1380] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1444] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1492] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1504] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1660] 0x00A80000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\SetPoint II\SetpointII.exe [1672] 0x003E0000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\sistray.exe [1712] 0x00960000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1756] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1924] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe [1992] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2012] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Documents and Settings\Eigenaar\Bureaublad\gmer.exe [2168] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2380] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2892] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\system32\DllHost.exe [2948] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3172] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Windows Live\Contacts\wlcomm.exe [3712] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\Program Files\Hotspot Shield\bin\openvpntray.exe [3888] 0x10000000
---- EOF - GMER 1.0.15 ----

Tommiiee
21 July 2009, 22:35
Hi ;)

Open Notepad.
Copy and paste the following (the bold, blue text) into an empty window:


File::
C:\Windows\system32\geyekrdlxmqlkj.dll


Save this on your Desktop as CFScript.txt


Drag CFScript.txt onto ComboFix.exe as shown in the example below:

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will make ComboFix restart.
Reboot if you are asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

SuriNaruto
22 July 2009, 17:29
ComboFix 09-07-21.03 - Eigenaar 22-07-2009 16:03.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.479.187 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Eigenaar\Bureaublad\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FILE ::
"c:\windows\system32\geyekrdlxmqlkj.dll"
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Eigenaar\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
.
(((((((((((((((((((( Bestanden Gemaakt van 2009-06-22 to 2009-07-22 ))))))))))))))))))))))))))))))
.
2009-07-21 16:07 . 2009-07-21 16:08 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Belastingdienst
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Malwarebytes
2009-07-15 17:54 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 17:54 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 14:23 . 2009-07-21 20:51 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend
2009-07-15 14:22 . 2009-07-15 14:22 -------- d-sh--w- c:\documents and settings\Eigenaar\IECompatCache
2009-07-14 17:32 . 2009-07-14 17:41 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-07-14 17:32 . 2009-07-14 17:41 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-07-14 17:32 . 2009-07-14 17:41 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-07-14 17:32 . 2008-06-02 13:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-07-14 17:32 . 2009-07-14 17:47 -------- d-----w- c:\program files\Spyware Doctor
2009-07-14 17:32 . 2009-07-14 17:32 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\PC Tools
2009-07-14 04:24 . 2009-07-14 04:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-12 12:29 . 2009-03-09 13:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-12 12:29 . 2009-03-09 13:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-12 12:29 . 2009-03-09 13:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-12 12:29 . 2009-03-16 12:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-12 12:29 . 2009-03-16 12:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-12 12:27 . 2008-03-05 14:03 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2009-07-12 12:26 . 2007-04-04 16:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-07-12 12:12 . 2009-07-12 12:25 -------- d--h--w- c:\windows\msdownld.tmp
2009-07-12 12:11 . 2009-07-12 12:11 -------- d-----w- c:\windows\Logs
2009-07-09 15:55 . 2009-07-09 15:55 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\PCHealth
2009-07-09 15:24 . 2009-07-09 15:24 -------- d-----w- C:\Hotspot Shield
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- C:\ijji
2009-07-08 15:37 . 2009-01-28 12:47 157144 ----a-w- c:\windows\system32\PubPlugin.dll
2009-07-08 15:37 . 2008-06-11 21:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\NHN USA
2009-07-08 15:37 . 2009-05-26 15:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-07-08 15:37 . 2009-05-12 18:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-07-07 11:22 . 2009-07-07 11:22 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Megaupload
2009-07-07 10:09 . 2009-07-07 10:28 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\vlc
2009-07-05 11:27 . 2009-07-05 11:27 -------- d-sh--w- c:\documents and settings\Eigenaar\PrivacIE
2009-07-05 11:03 . 2009-07-05 11:06 -------- dc-h--w- c:\windows\ie8
2009-07-04 19:28 . 2009-07-04 19:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-04 18:58 . 2009-07-04 18:58 -------- d-sh--w- c:\documents and settings\Eigenaar\IETldCache
2009-07-04 18:54 . 2009-07-05 16:07 -------- d-----w- c:\windows\ie8updates
2009-07-04 18:47 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-04 18:47 . 2009-04-30 21:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-04 18:47 . 2009-04-30 21:17 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-02 03:25 . 2009-07-02 03:25 25472 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-06-30 14:27 . 2009-06-30 14:27 -------- d-----w- c:\program files\PFPortChecker
2009-06-27 20:24 . 2009-06-27 20:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\TomTom
2009-06-27 20:09 . 2009-06-27 20:09 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-06-25 17:53 . 2009-07-02 09:07 -------- d-----w- c:\program files\LcdStudio
2009-06-25 14:58 . 2009-06-25 14:59 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\Logitech
2009-06-25 14:57 . 2009-06-25 14:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Logitech
2009-06-25 14:54 . 2009-06-25 14:54 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\LogiShrd
2009-06-25 14:53 . 2008-09-26 07:52 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2009-06-25 14:50 . 2009-06-25 14:51 -------- d-----w- c:\program files\Common Files\Logishrd
2009-06-25 14:50 . 2009-06-25 14:57 -------- d-----w- c:\program files\Logitech
2009-06-25 14:49 . 2009-06-25 14:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\LogiShrd
2009-06-24 16:16 . 2004-08-03 23:03 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-06-24 16:16 . 2004-08-03 23:03 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-24 16:16 . 2004-08-03 22:57 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-06-24 16:16 . 2004-08-03 22:57 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 18:30 . 2008-11-09 17:20 12426 ----a-w- c:\documents and settings\Eigenaar\Application Data\wklnhst.dat
2009-07-20 22:22 . 2009-06-19 11:52 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\dvdcss
2009-07-18 15:40 . 2009-03-30 12:10 -------- d-----w- c:\program files\PokerStars
2009-07-18 15:05 . 2009-06-12 17:43 -------- d-----w- c:\program files\PhotoScape
2009-07-15 18:29 . 2009-04-10 15:16 -------- d-----w- c:\program files\Euro Gunz Client 8.5.6
2009-07-15 14:10 . 2009-05-16 16:35 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-14 17:59 . 2005-02-01 22:32 86442 ----a-w- c:\windows\system32\perfc013.dat
2009-07-14 17:59 . 2005-02-01 22:32 499456 ----a-w- c:\windows\system32\perfh013.dat
2009-07-09 20:39 . 2009-01-30 16:39 -------- d-----w- c:\program files\Hotspot Shield
2009-07-08 15:37 . 2008-11-09 17:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-04 19:44 . 2009-04-12 13:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\IJJIGame
2009-07-04 13:26 . 2009-04-20 12:46 -------- d-----w- c:\program files\StepMania
2009-07-03 22:22 . 2008-11-09 18:32 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\uTorrent
2009-07-02 02:34 . 2009-01-30 16:39 33840 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-06-30 11:18 . 2009-03-04 10:59 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\U3
2009-06-30 11:12 . 2008-11-10 11:43 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\AdobeUM
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-16 14:55 . 2005-02-01 22:32 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2005-02-01 22:31 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 12:41 . 2008-11-09 17:14 62744 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 12:14 . 2008-11-10 11:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-13 12:12 . 2009-06-13 12:12 -------- d-----w- c:\program files\Adobe Media Player
2009-06-12 14:49 . 2009-06-12 14:49 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-11 12:14 . 2009-01-19 19:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-06-09 18:35 . 2009-06-09 18:35 0 ----a-w- c:\windows\system32\cd.dat
2009-06-03 19:27 . 2005-02-01 22:31 1294848 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 10:41 . 2009-05-12 10:01 139 ----a-w- C:\chardump.bin
2009-05-13 05:06 . 2005-02-01 22:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:44 . 2005-02-01 22:31 345600 ----a-w- c:\windows\system32\localspl.dll
2009-02-18 11:11 . 2009-02-18 11:11 3072 --sha-w- c:\program files\Thumbs.db
2009-06-12 16:03 . 2009-03-13 10:59 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-20_14.10.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-22 14:01 . 2009-07-22 14:01 16384 c:\windows\Temp\Perflib_Perfdata_4fc.dat
+ 2005-02-01 07:54 . 2009-07-22 14:00 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-02-01 07:54 . 2009-07-20 13:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-02-01 07:54 . 2009-07-22 14:00 16384 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
- 2005-02-01 07:54 . 2009-07-20 13:51 16384 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2009-07-14 04:24 . 2009-07-21 15:52 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-07-14 04:24 . 2009-07-20 13:51 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2005-02-01 07:54 . 2009-07-22 14:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-02-01 07:54 . 2009-07-20 13:51 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-07-09 20:37 218160 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-18 160592]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-08-27 970752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-09 185872]
"EPSON Stylus CX3600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-24 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-05-04 354312]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-05-04 1572872]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-05-04 2817544]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-22 77824]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-10-10 69632]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\docume~1\ALLUSE~1\MENUST~1\PROGRA~1\OPSTAR~1\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2008-11-13 323584]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-9 262144]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Euro Gunz Client 8.5.6\\loveur0.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6-2-2009 15:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6-2-2009 15:24 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6-2-2009 15:23 727720]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [15-6-2009 23:21 331312]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [25-6-2009 16:53 10384]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [30-1-2009 18:39 33840]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2-7-2009 5:25 25472]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\tkrrkfpfhl.exe service --> c:\windows\TEMP\tkrrkfpfhl.exe service [?]
S2 nmghcslqv;Boot Helper;c:\windows\system32\svchost.exe -k netsvcs [2-2-2005 0:32 14336]
S3 dump_wmimmc;dump_wmimmc;\??\c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys --> c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys [?]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [2-7-2009 5:26 57640]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [19-3-2009 16:48 29184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys --> c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [14-7-2009 19:32 356920]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nmghcslqv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.startpagina.nl/
uInternet Connection Wizard,ShellNext = hxxp://www.paradigit.nl/
uInternet Settings,ProxyOverride = <local>
IE: Formulieren opslaan - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Invul Formulieren - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Menu aanpassen - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: RoboForm Werkbalk - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
TCP: {B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04} = 213.46.228.196,62.179.104.196
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
FF - ProfilePath - c:\docume~1\Eigenaar\APPLIC~1\Mozilla\Firefox\Profiles\wjxqmnar.default\
FF - prefs.js: browser.startup.homepage - startpagina.nl
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
.
************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 16:19
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden:
************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
- - - - - - - > 'winlogon.exe'(1448)
geyekrdlxmqlkj.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Voltooingstijd: 2009-07-22 16:26
ComboFix-quarantined-files.txt 2009-07-22 14:26
ComboFix2.txt 2009-07-20 14:16
ComboFix3.txt 2009-07-16 20:40
Pre-Run: 20.089.970.688 bytes beschikbaar
Post-Run: 20.127.010.816 bytes beschikbaar
241 --- E O F --- 2009-07-15 16:09
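Triage logic for the GMER "Library" lines quoted earlier in the thread and the service section of the ComboFix log above, as an added example (not the thread's own code and not part of ComboFix or GMER): it flags the hidden module mapped into every process, a service whose binary sits in a temp directory or cannot be verified, and any non-default name in the svchost netsvcs group. The sample lines are constructed after those logs with the stray spaces and file:// links the forum software inserted removed; the rule names are this example's own.

```python
"""Triage of ComboFix service entries and GMER 'Library' lines (added example).

Not part of ComboFix, GMER or the forum posts; the sample lines are constructed
after the logs in this thread, with the stray spaces and file:// links that the
forum software inserted removed. Rule names are this example's own.
"""
import re
from dataclasses import dataclass

# ComboFix service entry: "<start type> <name>;<display name>;<image path> [<date> <time> <size>]"
# When the binary cannot be verified ComboFix prints "<path> --> <path> [?]" instead.
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# GMER user-mode module entry: "Library <dll> (*** hidden *** ) @ <process> [<pid>] <base>"
LIBRARY_RE = re.compile(
    r"^Library (?P<dll>.+?)(?: \((?P<hidden>\*\*\* hidden \*\*\*)\s*\))? @ (?P<proc>.+?) \[(?P<pid>\d+)\]"
)

# ComboFix prints this header only when a non-standard name sits in the netsvcs group
# (its own note says legitimate default entries are not shown).
NETSVCS_HEADER = "CurrentVersion\\Svchost - NetSvcs"


@dataclass(frozen=True)
class Finding:
    rule: str     # short rule identifier (this example's own naming)
    subject: str  # service name or DLL path the rule fired on
    detail: str   # why it deserves a look


def image_path(rest: str) -> str:
    """Strip the trailing '[...]' block and the '--> <path>' repetition ComboFix adds."""
    path = rest.rsplit(" [", 1)[0]
    return path.split(" --> ", 1)[0].strip()


def triage(lines):
    """Return the findings for an iterable of ComboFix/GMER log lines."""
    findings = []
    in_netsvcs = False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.endswith(NETSVCS_HEADER):
            in_netsvcs = True
            continue
        if in_netsvcs:
            if re.fullmatch(r"[A-Za-z0-9_]+", line):
                findings.append(Finding("netsvcs-member", line,
                                        "non-default service name registered in the svchost netsvcs group"))
                continue
            in_netsvcs = False  # block ended; fall through to the other rules
        m = SERVICE_RE.match(line)
        if m:
            path = image_path(m["rest"])
            if "\\temp\\" in path.lower():
                findings.append(Finding("service-in-temp", m["name"],
                                        f"service binary lives in a temp directory: {path}"))
            if m["rest"].endswith("[?]"):
                findings.append(Finding("service-unverified", m["name"],
                                        "ComboFix could not read or verify the service binary ([?])"))
            continue
        m = LIBRARY_RE.match(line)
        if m and (m["hidden"] or m["dll"].lower().startswith("\\\\?\\globalroot\\")):
            findings.append(Finding("hidden-module", m["dll"],
                                    f"hidden DLL mapped into {m['proc']} (pid {m['pid']})"))
    return findings


# Constructed sample modelled on the thread's logs (not a verbatim copy).
SAMPLE_LOG = r"""
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6-2-2009 15:23 727720]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\tkrrkfpfhl.exe service --> c:\windows\TEMP\tkrrkfpfhl.exe service [?]
S2 nmghcslqv;Boot Helper;c:\windows\system32\svchost.exe -k netsvcs [2-2-2005 0:32 14336]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [2-7-2009 5:26 57640]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nmghcslqv
Library \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1924] 0x10000000
Library c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll @ C:\WINDOWS\system32\winlogon.exe [1448] 0x01000000
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```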

Roelof
23 July 2009, 08:11
Hi,

I'm taking over because Tommie has fallen ill.

Open Notepad.
Copy and paste the following (the bold, blue text) into an empty window:


Rootkit::
C:\Windows\system32\geyekrdlxmqlkj.dll


Save this on your Desktop as CFScript.txt

Drag CFScript.txt onto ComboFix.exe as shown in the example below:

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will make ComboFix restart.
Reboot if you are asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Roelof

SuriNaruto
23 July 2009, 15:23
ok hi,
I've got yet another new virus, this is it, so in total I have:
http://i31.tinypic.com/hvsdi8.jpg
http://i32.tinypic.com/11gua1f.jpg (Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean )

and when I did that fix you described, Roelof, it was scanning and so on and out of nowhere I got a BSOD.
So do I have to do it over again, or something else?

Roelof
23 July 2009, 15:56
Open Notepad.
Copy and paste the following (the bold, blue text) into an empty window:


Rootkit::
C:\Windows\system32\geyekrdlxmqlkj.dll


Save this on your Desktop as CFScript.txt

Drag CFScript.txt onto ComboFix.exe as shown in the example below:

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will make ComboFix restart.
Reboot if you are asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

SuriNaruto
23 July 2009, 20:01
here are the logs, but I don't think it worked because I'm getting the same 2 alerts again as above ^:
ComboFix 09-07-22.07 - Eigenaar 23-07-2009 16:56.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.479.194 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Eigenaar\Bureaublad\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Eigenaar\ayfkadw.exe
c:\windows\msa.exe
c:\windows\system32\2676968.dll
c:\windows\system32\kr_done1
c:\windows\system32\msxml71.dll
c:\windows\system32\qgc3ndj0epf5.exe
c:\windows\system32\secupdat.dat
c:\windows\system32\sgc7ndj0epf5.dll
.
---- Voorgaande Run -------
.
c:\documents and settings\Eigenaar\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

Besmet exemplaar van c:\windows\system32\drivers\beep.sys werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - c:\windows\system32\dllcache\beep.sys
.
(((((((((((((((((((( Bestanden Gemaakt van 2009-06-23 to 2009-07-23 ))))))))))))))))))))))))))))))
.
2009-07-23 13:54 . 2009-07-23 13:54 29184 ---h--w- c:\documents and settings\Eigenaar\nbqedt.exe
2009-07-23 13:54 . 2009-07-23 13:54 29184 ----a-w- c:\windows\system32\kfxor.exe
2009-07-23 13:47 . 2009-01-22 00:40 163840 ----a-w- c:\windows\system32\SecureNet.dll
2009-07-23 13:46 . 2009-07-23 13:47 -------- d-----w- c:\program files\Hide My IP 2009
2009-07-21 16:07 . 2009-07-21 16:08 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Belastingdienst
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Malwarebytes
2009-07-15 17:54 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 17:54 . 2009-07-15 17:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-15 17:54 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 14:23 . 2009-07-23 14:35 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend
2009-07-15 14:22 . 2009-07-15 14:22 -------- d-sh--w- c:\documents and settings\Eigenaar\IECompatCache
2009-07-14 17:32 . 2009-07-14 17:41 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-07-14 17:32 . 2009-07-14 17:41 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-07-14 17:32 . 2009-07-14 17:41 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-07-14 17:32 . 2008-06-02 13:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-07-14 17:32 . 2009-07-14 17:47 -------- d-----w- c:\program files\Spyware Doctor
2009-07-14 17:32 . 2009-07-14 17:32 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\PC Tools
2009-07-14 04:24 . 2009-07-14 04:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-12 12:29 . 2009-03-09 13:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-12 12:29 . 2009-03-09 13:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-12 12:29 . 2009-03-09 13:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-12 12:29 . 2009-03-16 12:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-12 12:29 . 2009-03-16 12:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-12 12:27 . 2008-03-05 14:03 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2009-07-12 12:26 . 2007-04-04 16:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-07-12 12:12 . 2009-07-12 12:25 -------- d--h--w- c:\windows\msdownld.tmp
2009-07-12 12:11 . 2009-07-12 12:11 -------- d-----w- c:\windows\Logs
2009-07-09 15:55 . 2009-07-09 15:55 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\PCHealth
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- C:\ijji
2009-07-08 15:37 . 2009-01-28 12:47 157144 ----a-w- c:\windows\system32\PubPlugin.dll
2009-07-08 15:37 . 2008-06-11 21:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\NHN USA
2009-07-08 15:37 . 2009-05-26 15:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-07-08 15:37 . 2009-05-12 18:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-07-07 11:22 . 2009-07-07 11:22 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Megaupload
2009-07-07 10:09 . 2009-07-07 10:28 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\vlc
2009-07-05 11:27 . 2009-07-05 11:27 -------- d-sh--w- c:\documents and settings\Eigenaar\PrivacIE
2009-07-05 11:03 . 2009-07-05 11:06 -------- dc-h--w- c:\windows\ie8
2009-07-04 19:28 . 2009-07-04 19:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-04 18:58 . 2009-07-04 18:58 -------- d-sh--w- c:\documents and settings\Eigenaar\IETldCache
2009-07-04 18:54 . 2009-07-05 16:07 -------- d-----w- c:\windows\ie8updates
2009-07-04 18:47 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-04 18:47 . 2009-04-30 21:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-04 18:47 . 2009-04-30 21:17 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-02 03:25 . 2009-07-02 03:25 25472 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-06-30 14:27 . 2009-06-30 14:27 -------- d-----w- c:\program files\PFPortChecker
2009-06-27 20:24 . 2009-06-27 20:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\TomTom
2009-06-27 20:23 . 2009-06-27 20:23 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\TomTom
2009-06-27 20:09 . 2009-06-27 20:09 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-06-25 17:53 . 2009-07-02 09:07 -------- d-----w- c:\program files\LcdStudio
2009-06-25 14:58 . 2009-06-25 14:59 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\Logitech
2009-06-25 14:57 . 2009-06-25 14:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Logitech
2009-06-25 14:54 . 2009-06-25 14:54 -------- d-----w- c:\documents and settings\Eigenaar\Local Settings\Application Data\LogiShrd
2009-06-25 14:53 . 2008-09-26 07:52 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2009-06-25 14:50 . 2009-06-25 14:51 -------- d-----w- c:\program files\Common Files\Logishrd
2009-06-25 14:50 . 2009-06-25 14:57 -------- d-----w- c:\program files\Logitech
2009-06-25 14:49 . 2009-06-25 14:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\LogiShrd
2009-06-24 16:16 . 2004-08-03 23:03 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-06-24 16:16 . 2004-08-03 23:03 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-06-24 16:16 . 2004-08-03 22:57 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-06-24 16:16 . 2004-08-03 22:57 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 18:30 . 2008-11-09 17:20 12426 ----a-w- c:\documents and settings\Eigenaar\Application Data\wklnhst.dat
2009-07-20 22:22 . 2009-06-19 11:52 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\dvdcss
2009-07-18 15:40 . 2009-03-30 12:10 -------- d-----w- c:\program files\PokerStars
2009-07-18 15:05 . 2009-06-12 17:43 -------- d-----w- c:\program files\PhotoScape
2009-07-15 18:29 . 2009-04-10 15:16 -------- d-----w- c:\program files\Euro Gunz Client 8.5.6
2009-07-15 14:10 . 2009-05-16 16:35 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-14 17:59 . 2005-02-01 22:32 86442 ----a-w- c:\windows\system32\perfc013.dat
2009-07-14 17:59 . 2005-02-01 22:32 499456 ----a-w- c:\windows\system32\perfh013.dat
2009-07-08 15:37 . 2008-11-09 17:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-04 19:44 . 2009-04-12 13:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\IJJIGame
2009-07-04 13:26 . 2009-04-20 12:46 -------- d-----w- c:\program files\StepMania
2009-07-03 22:22 . 2008-11-09 18:32 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\uTorrent
2009-07-02 02:34 . 2009-01-30 16:39 33840 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-06-30 11:18 . 2009-03-04 10:59 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\U3
2009-06-30 11:12 . 2008-11-10 11:43 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\AdobeUM
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-06-25 14:53 . 2009-06-25 14:53 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-16 14:55 . 2005-02-01 22:32 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2005-02-01 22:31 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 12:41 . 2008-11-09 17:14 62744 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 12:14 . 2008-11-10 11:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-13 12:12 . 2009-06-13 12:12 -------- d-----w- c:\program files\Adobe Media Player
2009-06-12 14:49 . 2009-06-12 14:49 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-11 12:14 . 2009-01-19 19:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-06-09 18:35 . 2009-06-09 18:35 0 ----a-w- c:\windows\system32\cd.dat
2009-06-03 19:27 . 2005-02-01 22:31 1294848 ----a-w- c:\windows\system32\quartz.dll
2009-05-29 10:41 . 2009-05-12 10:01 139 ----a-w- C:\chardump.bin
2009-05-13 05:06 . 2005-02-01 22:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:44 . 2005-02-01 22:31 345600 ----a-w- c:\windows\system32\localspl.dll
2009-02-18 11:11 . 2009-02-18 11:11 3072 --sha-w- c:\program files\Thumbs.db
2009-06-12 16:03 . 2009-03-13 10:59 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
------- Sigcheck -------
[-] 2008-04-14 17:03 14336 E410EC73E2BE2A41D923B006F51C8427 c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\svchost.exe
[-] 2004-08-04 19:00 17408 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\svchost.exe
[7] 2004-08-04 19:00 14336 AB8C6D89A897BACBA4657FDF00E344A6 c:\windows\system32\dllcache\cache\svchost.exe
[-] 2008-04-14 17:03 510464 1247D4D5444E28519BBE31BE8AB4C029 c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\winlogon.exe
[-] 2004-08-04 19:00 506368 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\winlogon.exe
[7] 2004-08-04 19:00 504832 732ED791711DF9C9DD15E5515BC681B8 c:\windows\system32\dllcache\cache\winlogon.exe
[-] 2007-06-13 13:24 1039360 D41D8CD98F00B204E9800998ECF8427E c:\windows\explorer.exe
[7] 2007-06-13 13:12 1036800 1D6245AFBD3FAABC16A885116BE1874D c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 19:00 1035776 A1D7304A87FC3093150F5E3CC7B0F338 c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 17:02 1037312 AA04F042A820BF1868E643575887E1A6 c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\explorer.exe
[7] 2007-06-13 13:24 1036800 147E95A42A58CE99E403F7F57656BBEB c:\windows\system32\dllcache\cache\explorer.exe
[7] 2009-02-09 09:56 111104 CE06E39F34BBF6B0ADA70F37F70CF0D8 c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
[7] 2009-02-09 11:27 111104 657B69389B893F440B07590C9E963F23 c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[7] 2009-02-09 11:19 111104 D98A222A707FFE40043E533FE7A6BA24 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2004-08-04 19:00 108544 39991CD3C17B7529D039151A88E84499 c:\windows\$NtUninstallKB956572$\services.exe
[-] 2008-04-14 17:03 109056 B77BC5CD88EB96D4352AF5202EC4AEC2 c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\services.exe
[-] 2009-02-09 10:11 113152 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\services.exe
[7] 2009-02-09 10:11 111104 1A00FCECA4E29A6B4B33A9D0B3E7CBA0 c:\windows\system32\dllcache\cache\services.exe
[-] 2008-04-14 17:03 13312 8754210A3399D19610CE2D71E0C3E5D9 c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\lsass.exe
[-] 2004-08-04 19:00 14848 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\lsass.exe
[7] 2004-08-04 19:00 13312 34A82DEBEFB057FCCCBE15F619FC98A7 c:\windows\system32\dllcache\cache\lsass.exe
[7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[7] 2004-08-04 19:00 57856 CCCB8B94B17466EFB9DC27F42625B0E5 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2008-04-14 17:03 57856 DB454135DE1A09FE7FEDA7B554B5CCA2 c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\spoolsv.exe
[-] 2005-06-10 23:53 58880 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\spoolsv.exe
[7] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\dllcache\cache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-18 160592]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-08-27 970752]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-09 185872]
"EPSON Stylus CX3600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-24 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-05-04 354312]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-05-04 1572872]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-05-04 2817544]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-22 77824]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-10-10 69632]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\docume~1\ALLUSE~1\MENUST~1\PROGRA~1\OPSTAR~1\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2008-11-13 323584]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-11-9 262144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"yjxkYziXzMxDubb"= {48FC1B42-E256-B1E8-A1B0-E0246E141073} - c:\windows\system32\junwq.dll [2009-03-21 32768]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Euro Gunz Client 8.5.6\\loveur0.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Documents and Settings\\Eigenaar\\nbqedt.exe"=
"c:\\WINDOWS\\system32\\kfxor.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6-2-2009 15:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6-2-2009 15:24 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6-2-2009 15:23 727720]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [25-6-2009 16:53 10384]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [30-1-2009 18:39 33840]
R3 SecureSrv;SecureSrv;c:\program files\Hide My IP 2009\SecureSrv.exe [23-7-2009 15:46 1691648]
S2 AlerterALG;Alerter AlerterALG;c:\windows\TEMP\tkrrkfpfhl.exe service --> c:\windows\TEMP\tkrrkfpfhl.exe service [?]
S2 nmghcslqv;Boot Helper;c:\windows\system32\svchost.exe -k netsvcs [2-2-2005 0:32 17408]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [19-3-2009 16:48 29184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys --> c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [14-7-2009 19:32 356920]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2-7-2009 5:25 25472]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nmghcslqv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS VERWIJDERD - - - -
HKLM-Run-rgc5ndj0epf5 - c:\windows\system32\qgc3ndj0epf5.exe

.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.startpagina.nl/
uInternet Connection Wizard,ShellNext = hxxp://www.paradigit.nl/
IE: Formulieren opslaan - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Invul Formulieren - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Menu aanpassen - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: RoboForm Werkbalk - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
LSP: c:\windows\system32\SecureNet.dll
TCP: {B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04} = 213.46.228.196,62.179.104.196
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
FF - ProfilePath - c:\docume~1\Eigenaar\APPLIC~1\Mozilla\Firefox\Profiles\wjxqmnar.default\
FF - prefs.js: browser.startup.homepage - startpagina.nl
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 17:19
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden:
**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
- - - - - - - > 'winlogon.exe'(1128)
geyekrdlxmqlkj.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'lsass.exe'(1200)
geyekrdlxmqlkj.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll
c:\windows\system32\SecureNet.dll
- - - - - - - > 'explorer.exe'(2716)
geyekrdlxmqlkj.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrdlxmqlkj.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDRSS.exe
c:\program files\Logitech\GamePanel Software\Applets\ColorOnly\LCDYT.exe
c:\program files\Logitech\GamePanel Software\Applets\ColorOnly\LCDPictureViewer.exe
c:\program files\Logitech\GamePanel Software\Applets\ColorOnly\LCDMovieViewer.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Voltooingstijd: 2009-07-23 17:35 - machine werd herstart
ComboFix-quarantined-files.txt 2009-07-23 15:35
ComboFix2.txt 2009-07-22 14:26
Pre-Run: 20.112.166.912 bytes beschikbaar
Post-Run: 20.166.930.432 bytes beschikbaar
297 --- E O F --- 2009-07-15 16:09

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36:46, on 23-7-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDYT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDPictureViewer.exe
C:\Program Files\Logitech\GamePanel Software\Applets\ColorOnly\LCDMovieViewer.exe
C:\Program Files\Hide My IP 2009\SecureSrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paradigit.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SetPointII.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Formulieren opslaan - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Invul Formulieren - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Menu aanpassen - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RoboForm Werkbalk - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Formulier Invullen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Invul Formulieren - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Formulieren opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Werkbalk - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47ED3E8-1BAA-4D1E-902E-DA2D1CCDBE04}: NameServer = 213.46.228.196,62.179.104.196
O21 - SSODL: yjxkYziXzMxDubb - {48FC1B42-E256-B1E8-A1B0-E0246E141073} - C:\WINDOWS\system32\junwq.dll
O23 - Service: Alerter AlerterALG (AlerterALG) - Unknown owner - C:\WINDOWS\TEMP\tkrrkfpfhl.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SecureSrv - My Privacy Tools, Inc. - C:\Program Files\Hide My IP 2009\SecureSrv.exe
--
End of file - 11106 bytes

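Added example, not code from the thread or from ComboFix: a parser for the Sigcheck section of the ComboFix log above. It flags the in-use system binaries marked [-] (in this log their MD5 is the digest of zero bytes, so the scanner never actually read their contents) and derives replacement copies in the source|destination form of a ComboFix FCOPY:: section; the ranking of candidate copies is my own heuristic, not ComboFix's.

```python
# Added example (mine, not ComboFix's or the thread's code): parse the Sigcheck
# section of a ComboFix log and derive FCOPY:: repairs for unverified binaries.
import hashlib
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: Sigcheck lines taken from the log posted above, with the
# spaces the forum software inserted into long paths removed.
SIGCHECK_SAMPLE = r"""
[-] 2008-04-14 17:03 14336 E410EC73E2BE2A41D923B006F51C8427 c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\svchost.exe
[-] 2004-08-04 19:00 17408 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\svchost.exe
[7] 2004-08-04 19:00 14336 AB8C6D89A897BACBA4657FDF00E344A6 c:\windows\system32\dllcache\cache\svchost.exe
[-] 2007-06-13 13:24 1039360 D41D8CD98F00B204E9800998ECF8427E c:\windows\explorer.exe
[7] 2007-06-13 13:12 1036800 1D6245AFBD3FAABC16A885116BE1874D c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2007-06-13 13:24 1036800 147E95A42A58CE99E403F7F57656BBEB c:\windows\system32\dllcache\cache\explorer.exe
[7] 2009-02-09 09:56 111104 CE06E39F34BBF6B0ADA70F37F70CF0D8 c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
[7] 2009-02-09 11:27 111104 657B69389B893F440B07590C9E963F23 c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[-] 2009-02-09 10:11 113152 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\services.exe
[7] 2009-02-09 10:11 111104 1A00FCECA4E29A6B4B33A9D0B3E7CBA0 c:\windows\system32\dllcache\cache\services.exe
[7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 58880 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\spoolsv.exe
[7] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\dllcache\cache\spoolsv.exe
"""

LINE_RE = re.compile(
    r"^\[(?P<flag>[-7])\] \S+ \S+ (?P<size>\d+) (?P<md5>[0-9A-F]{32}) (?P<path>.+)$"
)
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # digest of zero bytes
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32"}  # where the running copies live


@dataclass(frozen=True)
class SigEntry:
    verified: bool  # [7] = signature verified, [-] = not verified
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.path).lower()

    @property
    def is_live(self) -> bool:
        return ntpath.dirname(self.path).lower() in LIVE_DIRS

    @property
    def unreadable(self) -> bool:
        # A non-empty file whose MD5 equals the digest of zero bytes was never
        # actually hashed: the scanner could not read its contents.
        return self.size > 0 and self.md5 == EMPTY_MD5


def parse_sigcheck(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"] == "7", int(m["size"]), m["md5"], m["path"]))
    return entries


def rank_replacement(entry: SigEntry, service_pack: str) -> int:
    """Lower is better. My heuristic (an assumption, not ComboFix logic): a hotfix
    copy for the installed service pack beats dllcache, which beats the rest;
    a copy built for another service pack is unusable."""
    p = entry.path.lower()
    if re.search(r"\\sp\d", p) and f"\\{service_pack.lower()}" not in p:
        return 99
    if "\\$hf_mig$\\" in p:
        return 0
    if "\\dllcache\\" in p:
        return 1
    return 2


def plan_fcopy(entries, service_pack: str = "SP2") -> dict:
    """Map each unverified live binary to the best verified copy of the same name."""
    verified = defaultdict(list)
    for e in entries:
        if e.verified:
            verified[e.name].append(e)
    plan = {}
    for e in entries:
        if e.verified or not e.is_live:
            continue
        ranked = sorted(verified[e.name], key=lambda c: rank_replacement(c, service_pack))
        if ranked and rank_replacement(ranked[0], service_pack) < 99:
            plan[e.path] = ranked[0].path
    return plan


def fcopy_lines(plan: dict) -> list:
    """Render the plan as the 'source|destination' lines of a ComboFix FCOPY:: section."""
    return [f"{src}|{dst}" for dst, src in plan.items()]


if __name__ == "__main__":
    found = parse_sigcheck(SIGCHECK_SAMPLE)
    for e in found:
        if e.is_live and not e.verified:
            print(f"{e.name}: unverified, {'unreadable' if e.unreadable else 'readable'}")
    print("FCOPY::")
    print("\n".join(fcopy_lines(plan_fcopy(found))))
```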
Roelof
24 July 2009, 09:59
A bit of further investigation.

1) Go to
http://www.bleepingcomputer.com/submit-malware.php?channel=4

1. In the first box (Link to topic where this file was requested:) copy and paste this link:

http://www.minatica.be/showthread.php?p=475145&posted=1#post475145
2. In the second box (Browse to the file you want to submit:) copy and paste: C:\WINDOWS\system32\geyekrdlxmqlkj.dll
3. Click the Send file button
2) Go to VirusTotal (http://www.virustotal.com/)

Copy the following:

c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\svchost.exe

and paste it into the box under "Upload a file", click "Send file" and let the file be scanned.

Post the result in your next reply.

Then do the same steps for the following files:

c:\windows\system32\svchost.exe
c:\windows\system32\winlogon.exe
c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\winlogon.exe
c:\windows\explorer.exe
c:\windows\system32\services.exe
c:\windows\system32\spoolsv.exe

Regards,

Roelof

SuriNaruto
24 July 2009, 14:29
First of all, my PC is freaking out: suddenly my internet drops out and then comes back, but on my other PC I have internet just fine. Also, this morning it showed the Windows loading screen and then suddenly restarted.

Below you can see the following about the steps above:

A bit of further investigation.

1) Go to
http://www.bleepingcomputer.com/submit-malware.php?channel=4

1. In the first box (Link to topic where this file was requested:) copy and paste this link:

http://www.minatica.be/showthread.php?p=475145&posted=1#post475145
2. In the second box (Browse to the file you want to submit:) copy and paste: C:\WINDOWS\system32\geyekrdlxmqlkj.dll
3. Click the Send file button
I have done the above.

2) Go to VirusTotal (http://www.virustotal.com/)

Copy the following:

c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\svchost.exe

and paste it into the box under "Upload a file", click "Send file" and let the file be scanned.

Post the result in your next reply.

For the above, my PC says the file was not found, check whether the path is correct and so on, and it is correct.

Then do the same steps for the following files:

c:\windows\system32\svchost.exe
c:\windows\system32\winlogon.exe
c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\winlogon.exe
c:\windows\explorer.exe
c:\windows\system32\services.exe
c:\windows\system32\spoolsv.exe
Which steps do you mean by the above? Do I have to submit that file to BleepingComputer again, and to VirusTotal as well? I don't understand which "same steps" I have to do.

Roelof
24 July 2009, 14:43
Hi,

No.
Read carefully.
You have to upload one file, namely C:\WINDOWS\system32\geyekrdlxmqlkj.dll, to Bleeping Computer.

The other files you have to send to VirusTotal, but one at a time.
And then post the logs you see there here.

Roelof

SuriNaruto
24 July 2009, 14:47
Okay,
and I have a problem: I now only have internet when I boot into Safe Mode with Networking.
So I have no internet when Windows boots normally.

Roelof
24 July 2009, 14:50
Okay,

Then you may do the steps in Safe Mode.

Roelof

SuriNaruto
24 July 2009, 14:57
About 10 minutes, so stay online for a bit :P

SuriNaruto
24 July 2009, 15:04
edit: how do I get my internet back in normal mode? Something is blocking my internet, I think the viruses.
Okay, here they are. Where the web page would not display, I tried it several times.

c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\svchost.exe
The file name is incorrect, etc.; it cannot find it.
c:\windows\system32\svchost.exe :
De webpagina kan niet worden weergegeven
c:\windows\system32\winlogon.exe
De webpagina kan niet worden weergegeven
c:\windows\SoftwareDistribution\Download\aee19adb2197806ea4ec93d862e466c2\winlogon.exe
The file name is incorrect, etc.; it cannot find it.
c:\windows\explorer.exe
De webpagina kan niet worden weergegeven
c:\windows\system32\services.exe
De webpagina kan niet worden weergegeven
c:\windows\system32\spoolsv.exe:
Bestand spoolsv.exe ontvangen op 2009.07.24 13:01:40 (UTC)
Huidig status: Einde
Resultaat: 35/41 (85.37%)
Geformatteerd Resultaten afdrukken Antivirus Versie Laatst geüpdatet Resultaat
a-squared 4.5.0.24 2009.07.24 Virus.Win32.SdBot!IK
AhnLab-V3 5.0.0.2 2009.07.24 Win32/Liger
AntiVir 7.9.0.228 2009.07.24 HEUR/Malware
Antiy-AVL 2.0.3.7 2009.07.24 Trojan/Win32.Patched.gen
Authentium 5.1.2.4 2009.07.24 W32/Patched.D.gen!Eldorado
Avast 4.8.1335.0 2009.07.24 Win32:Patched-CK
AVG 8.5.0.387 2009.07.24 Win32/PEPatch.AO
BitDefender 7.2 2009.07.24 Trojan.Patched.U
CAT-QuickHeal 10.00 2009.07.24 Trojan.Patched.AA
ClamAV 0.94.1 2009.07.24 Trojan.Agent-5069
Comodo 1749 2009.07.24 -
DrWeb 5.0.0.12182 2009.07.24 Trojan.Starter.384
eSafe 7.0.17.0 2009.07.23 -
eTrust-Vet 31.6.6637 2009.07.24 Win32/Donise.H
F-Prot 4.4.4.56 2009.07.23 W32/Patched.D.gen!Eldorado
F-Secure 8.0.14470.0 2009.07.24 Trojan.Win32.Patched.aa
Fortinet 3.120.0.0 2009.07.24 W32/Patched.CX
GData 19 2009.07.24 Trojan.Patched.U
Ikarus T3.1.1.64.0 2009.07.24 Virus.Win32.SdBot
Jiangmin 11.0.800 2009.07.24 Win32/InfectExplorer.c
K7AntiVirus 7.10.801 2009.07.24 -
Kaspersky 7.0.0.125 2009.07.24 Trojan.Win32.Patched.aa
McAfee 5686 2009.07.23 W32/PEPatcher.c
McAfee+Artemis 5686 2009.07.23 W32/PEPatcher.c
McAfee-GW-Edition 6.8.5 2009.07.24 Heuristic.Malware
Microsoft 1.4903 2009.07.24 TrojanDownloader:Win32/Donise.C!patched
NOD32 4274 2009.07.24 Win32/TrojanProxy.Agent.NCI
Norman 6.01.09 2009.07.22 W32/Smalltroj.DECI
nProtect 2009.1.8.0 2009.07.24 Virus/W32.Patched.G
Panda 10.0.0.14 2009.07.24 W32/PatchLog.gen
PCTools 4.4.2.0 2009.07.24 Win32.Agent.IMP
Prevx 3.0 2009.07.24 -
Rising 21.39.43.00 2009.07.24 Trojan.Win32.Patched.aa
Sophos 4.44.0 2009.07.24 W32/Liger-A
Sunbelt 3.2.1858.2 2009.07.23 -
Symantec 1.4.4.12 2009.07.24 Trojan.Patchep!inf
TheHacker 6.3.4.3.373 2009.07.24 W32/PEPatcher.gen
TrendMicro 8.950.0.1094 2009.07.24 PE_PATCHEP.A
VBA32 3.12.10.9 2009.07.24 -
ViRobot 2009.7.24.1851 2009.07.24 Win32.Patched.C
VirusBuster 4.6.5.0 2009.07.23 Win32.Agent.IMP
Extra informatie
File size: 58880 bytes
MD5 : dda17bfb13647647e12c738218341cef
SHA1 : 3b01fd4153cc34768975383dbc3bf4f5287f9a72
SHA256: 37abb5eb545d3574444382c5c66e584a82c2f785a5c130770d4e1c51b1ca68a1
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10000
timedatestamp.....: 0x42AA27FC (Sat Jun 11 01:53:32 2005)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xBA70 0xBC00 5.93 70ace146704d1e88dc38fe6de39d5234
.data 0xD000 0x13B4 0x1400 2.24 0fa5684c132ff9a6ade42f1de6a4ea4b
.rsrc 0xF000 0x2000 0x1200 5.49 b0ebe199a3b70c7a08da8aa9598c6edb
( 6 imports )
> advapi32.dll: SetServiceStatus, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetLengthSid, InitializeAcl, AddAccessAllowedAce, AddAccessDeniedAce, GetAce, SetSecurityDescriptorDacl, GetSecurityDescriptorLength, MakeSelfRelativeSD, RegDisablePredefinedCache, RegOpenKeyExW, RegCloseKey, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW
> gdi32.dll: bMakePathNameW, GdiInitSpool, GdiGetSpoolMessage
> kernel32.dll: GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, GetCurrentProcessId, SetUnhandledExceptionFilter, GetModuleHandleA, GetCurrentThreadId, GetTickCount, UnhandledExceptionFilter, QueryPerformanceCounter, FreeLibrary, InterlockedExchange, GetModuleHandleW, GetLastError, ExitThread, CloseHandle, WaitForSingleObject, CreateEventW, CreateThread, ExitProcess, Sleep, OpenEventW, LoadLibraryA, InitializeCriticalSection, LocalFree, LocalAlloc, SetEvent, LeaveCriticalSection, EnterCriticalSection, SetLastError, OpenProcess, InterlockedIncrement, RaiseException, InterlockedDecrement, GetProcAddress, GetSystemDirectoryW
> msvcrt.dll: __initenv, _exit, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _XcptFilter, wcsrchr, wcslen, _c_exit, _stricmp, _wcsnicmp, _except_handler3
> ntdll.dll: RtlValidRelativeSecurityDescriptor
> rpcrt4.dll: RpcServerRegisterIf2, I_RpcBindingIsClientLocal, I_RpcSessionStrictContextHandle, RpcRaiseException, RpcImpersonateClient, RpcRevertToSelf, NdrServerCall2, RpcServerUseProtseqEpA, I_RpcSsDontSerializeContext, RpcMgmtSetServerStackSize, RpcServerListen
( 1 exports )
> YDriverUnloadComplete, YEndDocPrinter, YFlushPrinter, YGetPrinter, YGetPrinterDriver2, YGetPrinterDriverDirectory, YReadPrinter, YSeekPrinter, YSetJob, YSetPort, YSplReadPrinter, YWritePrinter
TrID : File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEiD : -
RDS : NSRL Reference Data Set
-

SuriNaruto
24 July 2009, 15:34
This is really ***** I have internet, but only in safe mode with networking; in normal mode I don't have it. How come?

Roelof
24 July 2009, 18:37
Hi,

We're working on a fix.
It may take a while, though, because your computer is quite heavily infected.

Roelof

SuriNaruto
24 July 2009, 18:45
Okay, thanks, I'll check back later then :P

Roelof
24 July 2009, 19:15
Hi,

Please do exactly what I say now, otherwise it will really go wrong.

1) Remove the old version of Combofix.

2) Download Combofix from this location: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

3) Disable your virus scanner.

4) Open Notepad, then copy and paste the bold text below into an empty window:


File::
c:\documents and settings\Eigenaar\nbqedt.exe
c:\windows\system32\kfxor.exe
c:\windows\TEMP\tkrrkfpfhl.exe
c:\documents and settings\Eigenaar\Bureaublad\michael\RohanBotEn1.0.24\NtProcDrv.sys
c:\windows\system32\junwq.dll
C:\WINDOWS\system32\geyekrdlxmqlkj.dll

Driver::
AlerterALG
NTProcDrv
nmghcslqv
npggsvc

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"yjxkYziXzMxDubb"= -

NetSvcs::
nmghcslqv


FCOPY::
c:\windows\system32\dllcache\cache\svchost.exe|c:\windows\system32\svchost.exe
c:\windows\system32\dllcache\cache\winlogon.exe|c:\windows\system32\winlogon.exe
c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe|c:\windows\explorer.exe
c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe|c:\windows\system32\services.exe
c:\windows\system32\dllcache\cache\lsass.exe|c:\windows\system32\lsass.exe
c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe|c:\windows\system32\spoolsv.exe


Save this to your Desktop as CFScript.txt
Drag CFScript.txt onto ComboFix.exe as shown in the example below:

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will make ComboFix restart.
Reboot if asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

SuriNaruto
24 July 2009, 20:59
Do I have to do this in normal mode, or can I also do it in safe mode with networking?

Roelof
24 July 2009, 22:29
Hi,

Try normal mode first.

Roelof

SuriNaruto
26 July 2009, 19:02
I don't know what happened, but I did exactly what you said, and when CF started scanning I left it alone. When I came back I noticed my operating system was gone, because it kept restarting over and over.
I have my own operating system on a CD for cases like this, so I moved a few important files to an external hard drive and formatted.

So

/end

Roelof
26 July 2009, 19:20
Okay,

that's a real shame.
But so be it.

Roelof