Archive - monitor pincushion problem after virus infection

The archive is a frozen moment from a previous version of this forum, with different rules and different owners. These posts in no way reflect our current ideas, values or worldviews, and have in some places been censored as unacceptable. Many were written in a different spirit of the times, ironically or not - as in the ironic Off-Topic subforum - and would (or could) no longer be posted today. Still, we are happy to keep offering this archive as an information database and reference work. Read more about it here or start a conversation with others.

eliot

Legacy Member
About a week ago my sister downloaded a virus called 'anti spyware 2009', a.k.a. 'sysgaurd.exe'. I did remove it with Malwarebytes' Anti-Malware and Spybot - Search & Destroy, after it came back after 8 hours or so.

Unfortunately there still seems to be damage, or something from this infection is still hidden somewhere, which unfortunately skews my monitor with pincushion and such. Unfortunately the OSD settings for this are still the current ones, and changing them myself doesn't help at all. This is very annoying :( so yes, here is my HijackThis log, fairly small..

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:14, on 11/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logical Disk Manager (dmserver)  - Unknown owner - C:\Program Files\webserv\webserv.exe (file missing)
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4442 bytes

Juisterr

Legacy Member
Download ComboFix to your Desktop and use it according to this guide.
NOTE: if, during or after downloading ComboFix or while running ComboFix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download ComboFix again.
Some scanners treat certain components that ComboFix uses as suspicious and will block or delete them!
  • Double-click Combofix.exe to start it.
  • If you have used ComboFix before, you may get a warning that an update is available. Allow ComboFix to be updated.
  • Click OK in the "NirCmd" window.
  • Afterwards, click Yes again to start the malware scan.
  • While the fix is running, do NOT click in the window, as this will make your PC hang.
  • When the fix is complete and after the restart, the log Combofix.txt will open.
Post this log in your next reply.

eliot

Legacy Member
ComboFix 09-03-10.03 - Gebruiker 2009-03-12 15:04:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1023.593 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Gebruiker\Bureaublad\ComboFix.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Mozilla Firefox\plugins\npclntax.dll
c:\program files\system\smss.exe.assembly
c:\windows\system\oeminfo.ini

----- BITS: Mogelijk geïnfecteerde sites -----

hxxp://showlis.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LOGICAL_DISK_MANAGER_(DMSERVER)_
-------\Service_Logical Disk Manager (dmserver)


(((((((((((((((((((( Bestanden Gemaakt van 2009-02-12 to 2009-03-12 ))))))))))))))))))))))))))))))
.

2009-03-08 13:22 . 2009-03-08 13:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-08 07:21 . 2009-03-08 07:21 <DIR> d-------- C:\Logs
2009-03-08 03:25 . 2009-03-08 03:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-03-08 03:15 . 2009-03-08 12:00 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-03-05 02:20 . 2009-03-05 02:20 <DIR> d-------- c:\documents and settings\Gebruiker\Application Data\Power Mixer
2009-03-05 02:18 . 2009-03-05 02:18 <DIR> d-------- c:\documents and settings\Gebruiker\Application Data\VolumeLock
2009-03-04 15:24 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-03-03 23:09 . 2009-03-12 13:18 <DIR> dr-h----- c:\documents and settings\Gebruiker\Onlangs geopend
2009-03-03 12:51 . 2009-03-03 12:51 0 --a------ c:\windows\system32\nfr.gpref
2009-03-03 12:50 . 2009-03-03 12:50 1 --a------ c:\windows\9gdfgjf23
2009-03-03 12:50 . 2009-03-03 12:50 0 --a------ c:\windows\system32\nfr.assembly
2009-02-26 19:46 . 2009-02-26 19:46 42,320 --a------ c:\windows\system32\xfcodec.dll
2009-02-26 12:41 . 2009-02-26 12:41 <DIR> d-------- c:\documents and settings\Gebruiker\Application Data\id Software
2009-02-26 12:40 . 2009-02-26 12:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-02-26 12:40 . 2009-02-26 12:40 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-02-21 20:21 . 2009-02-21 20:21 <DIR> d-------- c:\program files\Microsoft Sync Framework
2009-02-21 20:21 . 2009-02-06 18:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-02-13 08:18 . 2009-02-13 08:18 <DIR> d-------- c:\program files\Ventrilo
2009-02-13 08:18 . 2009-02-13 08:18 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-02-12 20:40 . 2009-02-12 20:40 82,016 --a------ c:\documents and settings\Gebruiker\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 14:05 --------- d-----w c:\program files\System
2009-03-12 02:22 --------- d-----w c:\documents and settings\Gebruiker\Application Data\Xfire
2009-03-12 00:29 --------- d-----w c:\documents and settings\Gebruiker\Application Data\Volume Logic iTunes Plug-in
2009-03-11 15:11 --------- d-----w c:\documents and settings\ROMEO\Application Data\AdobeUM
2009-03-09 10:38 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 11:51 --------- d-----w c:\program files\ATI Technologies
2009-03-08 04:28 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 18:19 --------- d-----w c:\program files\Warcraft III
2009-03-05 18:18 --------- d-s---w c:\program files\Xfire
2009-03-03 18:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-03 17:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-26 11:40 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-26 11:40 22,328 ----a-w c:\documents and settings\Gebruiker\Application Data\PnkBstrK.sys
2009-02-22 12:42 --------- d-----w c:\documents and settings\ROMEO\Application Data\Volume Logic iTunes Plug-in
2009-02-21 19:22 --------- d-----w c:\program files\Microsoft
2009-02-21 19:21 --------- d-----w c:\program files\Windows Live
2009-02-21 19:20 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-02-18 16:14 --------- d-----w c:\documents and settings\Gebruiker\Application Data\uTorrent
2009-02-13 07:20 --------- d-----w c:\documents and settings\Gebruiker\Application Data\Ventrilo
2009-02-13 07:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-06 18:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-04 07:27 3,488,768 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-04 03:52 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-01-30 16:13 --------- d-----w c:\program files\Trillian
2009-01-30 03:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-30 02:57 --------- d-----w c:\program files\Common Files\Autodesk Shared
2009-01-30 02:57 --------- d-----w c:\program files\backburner 2
2009-01-30 01:20 --------- d-----w c:\program files\CCleaner
2009-01-30 01:18 --------- d-----w c:\program files\Java
2009-01-21 22:47 --------- d-----w c:\program files\ConTEXT
2008-01-14 15:00 25,600 ----a-w c:\documents and settings\Gebruiker\usbsermptxp.sys
2008-01-14 15:00 22,768 ----a-w c:\documents and settings\Gebruiker\usbsermpt.sys
2007-11-11 21:34 357 ----a-w c:\documents and settings\Gebruiker\.cb_layout.bin
2005-10-10 02:24 5,805 --sha-w c:\windows\system32\tratsniw.dat
2008-10-21 09:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008102120081022\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-09-02 83968]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 49152]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 1544192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoVisualStyleChoice"= 0 (0x0)
"NoColorChoice"= 0 (0x0)
"NoSizeChoice"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Gebruiker^Menu Start^Programma's^Opstarten^BHODemon 2.0.lnk]
path=c:\documents and settings\Gebruiker\Menu Start\Programma's\Opstarten\BHODemon 2.0.lnk
backup=c:\windows\pss\BHODemon 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Gebruiker\\OctoshapeClient.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"f:\\Quake 3 Arena\\quake3.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Documents and Settings\\Gebruiker\\Mijn documenten\\Unzipped\\kaillerasrv-0.86-win32\\kaillerasrv.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\UT2004\\System\\UCC.exe"=
"c:\\Documents and Settings\\Gebruiker\\Mijn documenten\\Project Sources\\Unreal Engine Exploits\\UnrealFP\\unrealfp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"f:\\Program Files\\Crazybump\\cb.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"f:\\3dsmax7\\3dsmax.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"80:TCP"= 80:TCP:nfr
"7070:TCP"= 7070:TCP:nfr

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-02-21 55152]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 suZFSJbF;suZFSJbF;\??\f:\mhs\RYLUJCC --> f:\mhs\RYLUJCC [?]
S4 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice --> c:\xampp\apache\bin\apache.exe [?]
S4 MySQL51;MySQL51;"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\MySQL\MySQL Server 5.0\my.ini" MySQL51 --> c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt [?]
S4 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Gebruiker\Bureaublad\NtProcDrv.sys --> c:\documents and settings\Gebruiker\Bureaublad\NtProcDrv.sys [?]
S4 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\VCdRom.sys --> c:\windows\VCdRom.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad3741c2-9bfd-11dd-959a-00195bcf7ee8}]
\Shell\AutoRun\command - i:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6d85898-618b-11db-9093-0040f451efe3}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Inhoud van de 'Gedeelde Taken' map

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS VERWIJDERD - - - -

HKCU-Run-AdobeBridge - (no file)


.
------- Bijkomende Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Gebruiker\Application Data\Mozilla\Firefox\Profiles\712u5vna.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - 9lives - Games, community: spelletjes, populaire spelletjes, gamenieuws, reviews, previews, populaire games, gamecharts, releasedata van de nieuwste games en jongerenforum!
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Gebruiker\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Gebruiker\Mijn documenten\Mijn afbeeldingen\Picasa\Screensaver\Picasa3\npPicasa3.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\npoctoshape.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npggplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npoctoshape.dll
FF - plugin: c:\program files\MOZILLA FIREFOX\plugins\npoctoshape.dll
FF - plugin: c:\program files\Octoshape Streaming Services\Gebruiker\octoprogram-L03-N00-U00-C00_0803260_000\npoctoshape.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 15:15:56
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL51]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL51"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\suZFSJbF]
"ImagePath"="\??\f:\mhs\RYLUJCC"
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-2025429265-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1757981266-2025429265-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1757981266-2025429265-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{27AB952D-BF0F-B6CF-E534-1F97A06D8D6E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1757981266-2025429265-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72CDC34A-1D20-B188-FAB6-167D5BAE1CBE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iabopknalhjaebgnkd"=hex:69,61,64,66,68,62,6b,6e,65,65,62,69,70,67,6a,62,6b,63,
00,00
"haholpkolgoppgda"=hex:69,61,64,66,68,62,6b,6e,65,65,62,69,70,67,6a,62,6b,63,
00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{72CDC34A-1D20-B188-FAB6-167D5BAE1CBE}\InProcServer32*]
"jalnhninjcoapkfmnacg"=hex:69,61,64,66,68,62,6b,6e,65,65,62,69,70,67,6a,62,6b,
63,00,00
"ialnbpkhlemiamphja"=hex:69,61,64,66,68,62,6b,6e,65,65,62,69,70,67,6a,62,6b,63,
00,00
"cblnioehiidokmnfmbpmmdfobbipdiokmkakoi"=hex:63,62,6b,69,67,6c,67,66,63,6a,6a,
69,66,6e,68,70,65,6c,6d,70,65,64,62,6a,64,61,69,6a,6e,62,62,70,64,6d,6c,69,\
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Voltooingstijd: 2009-03-12 15:21:18 - machine werd herstart [Gebruiker]
ComboFix-quarantined-files.txt 2009-03-12 14:21:16

Pre-Run: 17,184,739,328 bytes beschikbaar
Post-Run: 17,291,771,904 bytes beschikbaar

358 --- E O F --- 2009-02-23 06:05:29
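The HijackThis log in the first post and the ComboFix log above carry several indicators a helper on a thread like this would look at first: a service whose binary is missing, Security Center notifications switched off, the firewall policy set to disabled with ports 80 and 7070 opened under the label "nfr", an AppInit_DLLs value, a non-default UIHost, and a driver registered with a bare `\??\` path and no file extension. The Python script below is an added example for this thread; it is not code from HijackThis, ComboFix or either poster. It applies that handful of defender-side rules to log lines and reports which line tripped which rule. The rule names, the regular expressions and the sample block (lines copied from the two posted logs, mixed with ordinary entries) are this example's own choices, and a hit is a prompt to look closer rather than a verdict: the same ComboFix log explains the UIHost entry through the LogonStudio Run key.

```python
"""Triage a HijackThis / ComboFix style log for a few well-known indicators.

Added example, not part of the forum thread. The rules below are a small
defender-side checklist drawn from the indicators visible in the posted logs.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

# Constructed sample: lines copied from the HijackThis and ComboFix logs in
# the thread, interleaved with ordinary entries that should not trip anything.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager (dmserver)  - Unknown owner - C:\Program Files\webserv\webserv.exe (file missing)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:nfr
"7070:TCP"= 7070:TCP:nfr
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-02-21 55152]
S3 suZFSJbF;suZFSJbF;\??\f:\mhs\RYLUJCC --> f:\mhs\RYLUJCC [?]
S4 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\VCdRom.sys --> c:\windows\VCdRom.sys [?]
"""

# Stateless rules: (rule name, regex applied to a single stripped line).
_RULES = [
    # HijackThis O23 entry whose service binary is gone from disk.
    ("service binary missing",
     re.compile(r"^O23 - Service: .*\(file missing\)\s*$")),
    # Security Center told not to warn about missing AV or updates.
    ("Security Center notification disabled",
     re.compile(r'^"(AntiVirusDisableNotify|UpdatesDisableNotify)"=dword:0*1$')),
    # Windows Firewall standard profile switched off.
    ("Windows Firewall disabled",
     re.compile(r'^"EnableFirewall"=\s*0\b')),
    # Any DLL listed here is loaded into every process that uses user32.dll.
    ("AppInit_DLLs set",
     re.compile(r'^"AppInit_DLLs"=\s*\S')),
    # Winlogon UIHost pointing anywhere other than the stock logonui.exe.
    ("non-default logon UI host",
     re.compile(r'^"UIHost"="(?!.*\\logonui\.exe"$).+"$', re.IGNORECASE)),
    # ComboFix R/S service line whose image is a \??\ path with no .sys/.exe.
    ("driver image without .sys/.exe extension",
     re.compile(r"^[RS]\d \S+;[^;]*;\\\?\?\\(?!.*\.(sys|exe)\b).*$", re.IGNORECASE)),
]

# Stateful rule: port entries only matter inside the GloballyOpenPorts key.
_PORT_RE = re.compile(r'^"\d+:(TCP|UDP)"=')


def triage(log_text: str) -> List[Finding]:
    """Return (rule, line) pairs for every log line that trips a rule."""
    findings: List[Finding] = []
    section = ""  # most recent [registry key] header seen
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line
            continue
        for name, pattern in _RULES:
            if pattern.search(line):
                findings.append((name, line))
        if "GloballyOpenPorts" in section and _PORT_RE.match(line):
            findings.append(("globally open firewall port", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule for a quick overview."""
    counts: Dict[str, int] = {}
    for name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on the sample and the ten hits are the entries discussed in this thread: the dmserver service with its missing webserv.exe, the two Security Center flags, the disabled firewall with three globally open ports, the AppInit_DLLs entry, the UIHost value and the suZFSJbF driver. Feed it a full log by reading the file into `triage`; legitimate drivers such as vcdrom.sys and the Family Safety filter pass untouched because the driver rule keys on the extension-less `\??\` image path rather than on unfamiliar names.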

Juisterr

Legacy Member
Open Notepad, copy and paste the following (the bold, blue text) into an empty window:

File::
c:\windows\system32\nfr.gpref
c:\windows\system32\nfr.assembly
c:\windows\9gdfgjf23

Driver::
suZFSJbF
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad3741c2-9bfd-11dd-959a-00195bcf7ee8}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6d85898-618b-11db-9093-0040f451efe3}]



Save this to your Desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe as shown in the example below:
CFScript.gif

This will make ComboFix restart.

After your computer restarts (if it asks to restart), copy and paste the contents of log.txt into your next reply.

eliot

Legacy Member
The problem still persists.

New log

ComboFix 09-03-12.01 - Gebruiker 2009-03-13 21:57:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1023.504 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Gebruiker\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Gebruiker\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

FILE ::
c:\windows\9gdfgjf23
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\9gdfgjf23
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SUZFSJBF
-------\Service_suZFSJbF


(((((((((((((((((((( Bestanden Gemaakt van 2009-02-13 to 2009-03-13 ))))))))))))))))))))))))))))))
.

2009-03-08 13:22 . 2009-03-08 13:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-08 07:21 . 2009-03-08 07:21 <DIR> d-------- C:\Logs
2009-03-08 03:25 . 2009-03-08 03:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2009-03-08 03:15 . 2009-03-08 12:00 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-03-05 02:20 . 2009-03-05 02:20 <DIR> d-------- c:\documents and settings\Gebruiker\Application Data\Power Mixer
2009-03-05 02:18 . 2009-03-05 02:18 <DIR> d-------- c:\documents and settings\Gebruiker\Application Data\VolumeLock
2009-03-04 15:24 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-03-03 23:09 . 2009-03-13 12:15 <DIR> dr-h----- c:\documents and settings\Gebruiker\Onlangs geopend
2009-02-26 19:46 . 2009-02-26 19:46 42,320 --a------ c:\windows\system32\xfcodec.dll
2009-02-26 12:41 . 2009-02-26 12:41 <DIR> d-------- c:\documents and settings\Gebruiker\Application Data\id Software
2009-02-26 12:40 . 2009-02-26 12:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\id Software
2009-02-26 12:40 . 2009-02-26 12:40 2,246,144 --a------ c:\windows\system32\pbsvc.exe
2009-02-21 20:21 . 2009-02-21 20:21 <DIR> d-------- c:\program files\Microsoft Sync Framework
2009-02-21 20:21 . 2009-02-06 18:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-02-13 08:18 . 2009-02-13 08:18 <DIR> d-------- c:\program files\Ventrilo
2009-02-13 08:18 . 2009-02-13 08:18 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 16:16 --------- d-----w c:\documents and settings\Gebruiker\Application Data\Volume Logic iTunes Plug-in
2009-03-13 15:52 --------- d-----w c:\documents and settings\Gebruiker\Application Data\Xfire
2009-03-12 14:05 --------- d-----w c:\program files\System
2009-03-11 15:11 --------- d-----w c:\documents and settings\ROMEO\Application Data\AdobeUM
2009-03-09 10:38 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 11:51 --------- d-----w c:\program files\ATI Technologies
2009-03-08 04:28 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 18:19 --------- d-----w c:\program files\Warcraft III
2009-03-05 18:18 --------- d-s---w c:\program files\Xfire
2009-03-03 18:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-03 17:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-26 11:40 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-26 11:40 22,328 ----a-w c:\documents and settings\Gebruiker\Application Data\PnkBstrK.sys
2009-02-22 12:42 --------- d-----w c:\documents and settings\ROMEO\Application Data\Volume Logic iTunes Plug-in
2009-02-21 19:22 --------- d-----w c:\program files\Microsoft
2009-02-21 19:21 --------- d-----w c:\program files\Windows Live
2009-02-21 19:20 --------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-02-20 21:31 --------- d-----w c:\program files\FrostWire
2009-02-18 16:14 --------- d-----w c:\documents and settings\Gebruiker\Application Data\uTorrent
2009-02-13 07:20 --------- d-----w c:\documents and settings\Gebruiker\Application Data\Ventrilo
2009-02-13 07:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-12 19:40 82,016 ----a-w c:\documents and settings\Gebruiker\Application Data\GDIPFONTCACHEV1.DAT
2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-06 18:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-04 07:27 3,488,768 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-04 03:52 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-01-30 16:13 --------- d-----w c:\program files\Trillian
2009-01-30 03:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-30 02:57 --------- d-----w c:\program files\Common Files\Autodesk Shared
2009-01-30 02:57 --------- d-----w c:\program files\backburner 2
2009-01-30 01:20 --------- d-----w c:\program files\CCleaner
2009-01-30 01:18 --------- d-----w c:\program files\Java
2009-01-21 22:47 --------- d-----w c:\program files\ConTEXT
2008-01-14 15:00 25,600 ----a-w c:\documents and settings\Gebruiker\usbsermptxp.sys
2008-01-14 15:00 22,768 ----a-w c:\documents and settings\Gebruiker\usbsermpt.sys
2007-11-11 21:34 357 ----a-w c:\documents and settings\Gebruiker\.cb_layout.bin
2005-10-10 02:24 5,805 --sha-w c:\windows\system32\tratsniw.dat
2008-10-21 09:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008102120081022\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_15.20.28.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-13 21:07:17 16,384 ----atw c:\windows\temp\Perflib_Perfdata_76c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-09-02 83968]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 49152]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 1544192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoVisualStyleChoice"= 0 (0x0)
"NoColorChoice"= 0 (0x0)
"NoSizeChoice"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Gebruiker^Menu Start^Programma's^Opstarten^BHODemon 2.0.lnk]
path=c:\documents and settings\Gebruiker\Menu Start\Programma's\Opstarten\BHODemon 2.0.lnk
backup=c:\windows\pss\BHODemon 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Gebruiker\\OctoshapeClient.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"f:\\Quake 3 Arena\\quake3.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Documents and Settings\\Gebruiker\\Mijn documenten\\Unzipped\\kaillerasrv-0.86-win32\\kaillerasrv.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\UT2004\\System\\UCC.exe"=
"c:\\Documents and Settings\\Gebruiker\\Mijn documenten\\Project Sources\\Unreal Engine Exploits\\UnrealFP\\unrealfp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"f:\\Program Files\\Crazybump\\cb.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"f:\\3dsmax7\\3dsmax.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"f:\\Program Files\\Valve\\Steam\\SteamApps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"80:TCP"= 80:TCP:nfr
"7070:TCP"= 7070:TCP:nfr

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-02-21 55152]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S4 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice --> c:\xampp\apache\bin\apache.exe [?]
S4 MySQL51;MySQL51;"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\MySQL\MySQL Server 5.0\my.ini" MySQL51 --> c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt [?]
S4 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Gebruiker\Bureaublad\NtProcDrv.sys --> c:\documents and settings\Gebruiker\Bureaublad\NtProcDrv.sys [?]
S4 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\VCdRom.sys --> c:\windows\VCdRom.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad3741c2-9bfd-11dd-959a-00195bcf7ee8}]
\Shell\AutoRun\command - i:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6d85898-618b-11db-9093-0040f451efe3}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Gebruiker\Application Data\Mozilla\Firefox\Profiles\712u5vna.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - 9lives - Games, community: games, popular games, game news, reviews, previews, popular games, game charts, release dates of the newest games and youth forum!
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Gebruiker\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Gebruiker\Mijn documenten\Mijn afbeeldingen\Picasa\Screensaver\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npggplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npoctoshape.dll
FF - plugin: c:\program files\Octoshape Streaming Services\Gebruiker\octoprogram-L03-N00-U00-C00_0803260_000\npoctoshape.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 22:07:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL51]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL51"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-2025429265-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1757981266-2025429265-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1757981266-2025429265-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{27AB952D-BF0F-B6CF-E534-1F97A06D8D6E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1757981266-2025429265-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72CDC34A-1D20-B188-FAB6-167D5BAE1CBE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iabopknalhjaebgnkd"=hex:69,61,64,66,68,62,6b,6e,65,65,62,69,70,67,6a,62,6b,63,
00,00
"haholpkolgoppgda"=hex:69,61,64,66,68,62,6b,6e,65,65,62,69,70,67,6a,62,6b,63,
00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{72CDC34A-1D20-B188-FAB6-167D5BAE1CBE}\InProcServer32*]
"jalnhninjcoapkfmnacg"=hex:69,61,64,66,68,62,6b,6e,65,65,62,69,70,67,6a,62,6b,
63,00,00
"ialnbpkhlemiamphja"=hex:69,61,64,66,68,62,6b,6e,65,65,62,69,70,67,6a,62,6b,63,
00,00
"cblnioehiidokmnfmbpmmdfobbipdiokmkakoi"=hex:63,62,6b,69,67,6c,67,66,63,6a,6a,
69,66,6e,68,70,65,6c,6d,70,65,64,62,6a,64,61,69,6a,6e,62,62,70,64,6d,6c,69,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-03-13 22:12:56 - machine was rebooted [Gebruiker]
ComboFix-quarantined-files.txt 2009-03-13 21:12:54
ComboFix2.txt 2009-03-12 14:21:20

Pre-Run: 17,381,814,272 bytes free
Post-Run: 17,373,331,456 bytes free

356 --- E O F --- 2009-02-23 06:05:29

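The most telling part of the log above is not the list of programs but the registry block: every Security Center notification and override is set to 1, the Windows Firewall is disabled on the standard profile (EnableFirewall = 0), TCP 3389 (Remote Desktop) is among the globally opened ports, AppInit_DLLs is populated and the logon UI host has been replaced. That is the pattern of a machine whose own defences were switched off, and the first thing a responder checks. The script below is an added example, not part of this thread and not ComboFix's own code: it parses the REGEDIT4-style "Reg Loading Points" block that ComboFix prints and lists those indicators. The key paths are copied from the log; the two sample blocks are constructed from it; which settings to flag, the `logonui.exe` baseline for UIHost and the `Firewall:`/`SecurityCenter:` finding labels are this example's own assumptions.

```python
"""Triage of defence-weakening settings in a ComboFix 'Reg Loading Points' block.

Added example (not from the forum thread or from ComboFix). Parses the
REGEDIT4-style text ComboFix prints and flags: Security Center overrides,
a disabled Windows Firewall, globally opened ports, AppInit_DLLs injection
and a non-default logon UI host. Key paths are taken from the log; the
sample text is constructed from that log; the set of checks is an assumption.
"""
import re
from typing import Dict, List, Optional

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Key paths as ComboFix prints them (compared case-insensitively below).
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FW_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
FW_PORTS = FW_PROFILE + r"\globallyopenports\list"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINDOWS = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"

# Constructed sample: the security-relevant keys from the log, in ComboFix's format.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"80:TCP"= 80:TCP:nfr
"7070:TCP"= 7070:TCP:nfr
"""

# Constructed baseline (assumed XP SP2 defaults): firewall on, stock logon UI.
CLEAN_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)
"""


def parse_reg_block(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path_lowercase: {value_name: raw_value}} for a REGEDIT4-style dump."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            sections.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            sections[current][val.group(1)] = val.group(2).strip()
    return sections


def as_int(raw: str) -> Optional[int]:
    """Decode the two integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    return int(m.group(1)) if m else None


def triage(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding string per defence-weakening indicator (empty list if none)."""
    findings: List[str] = []
    sc = sections.get(SECURITY_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride",
                 "AntiVirusDisableNotify", "UpdatesDisableNotify"):
        if as_int(sc.get(name, "dword:00000000")) == 1:
            findings.append(f"SecurityCenter:{name}=1")
    fw = sections.get(FW_PROFILE, {})
    if as_int(fw.get("EnableFirewall", "1 (0x1)")) == 0:
        findings.append("Firewall:disabled")
    for port in sorted(sections.get(FW_PORTS, {})):
        findings.append(f"Firewall:open:{port}")
    appinit = sections.get(WINDOWS, {}).get("AppInit_DLLs", "").strip('"')
    if appinit:
        findings.append(f"AppInit_DLLs:{appinit}")
    uihost = sections.get(WINLOGON, {}).get("UIHost", "").strip('"').lower()
    if uihost and not uihost.endswith(r"\logonui.exe"):
        findings.append(f"UIHost:{uihost}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_reg_block(SAMPLE_LOG)):
        print(line)
```

Every line this prints is a lead, not a verdict. Third-party security suites legitimately set the Security Center Override values, the replaced UIHost is consistent with the LogonStudio entry in the same Run key list, and an AppInit_DLLs entry may belong to a desktop-customisation tool; each one has to be identified before anything is deleted. The firewall being off while 3389/TCP is on the open-port list is worth acting on regardless of what put it there.
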
Juisterr

Legacy Member
Remove ComboFix via Start > Run, copy and paste Combofix /U
Click OK or press Enter.
This removes ComboFix as well as your old System Restore points (with any malware remnants), and creates a new System Restore point.

[image: CFuninstall.png]



Download Dr.Web CureIt and save it to your desktop.
  • Double-click drweb-cureit.exe and allow it to start the express scan.
    If a popup appears offering to buy / a 50% discount, you may close it.
  • The express scan scans the files currently loaded in memory. If anything is found, click 'select all', then choose 'cure', and from the small menu that appears choose 'move'.
  • At the top of the menu choose Language and change it to Dutch (Nederlands) if yours is set differently.
  • Press F9, then choose the Actions tab and set the following under Malware:
    • Adware: Move
    • Dialers: Move
    • Jokes: Report
    • Riskware: Report
    • Hacktools: Move
    • Then remove the tick at 'Prompt on action'.
  • Then choose the Scan tab and remove the tick at Heuristic analysis.
    Then press Apply followed by OK.
  • Once the short scan has finished, tick: Complete scan.
    Then press the green arrow (start button) to start the scan.
  • Found files are moved to the '%USERPROFILE%\DocterWeb\Quarantine' folder if curing is not possible.
  • After the scan is done, go to File and choose Save report list.
    Save it to your desktop and then close Dr.Web CureIt.
  • Then restart the computer!! This is an important step, because Dr.Web CureIt may move/delete files during the restart.
  • After restarting, copy and paste the contents of the log you saved earlier into your next post.

eliot

Legacy Member
quick scan log

aytuudxf.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
closeapp.exe;C:\WINDOWS\system32;Tool.CloseApp;Moved.;
mbfcmnjx.exe;C:\WINDOWS\system32;Trojan.LowZones.884;Deleted.;
desk.dll;C:\WINDOWS\@@@;BackDoor.DarkMoon.41;Deleted.;

unfortunately I have a problem with the complete scan option, the scanner hangs at C:\Documents and Settings\Gebruiker\Contacts

there are 200,000+ files in that folder, encrypted and 0 KB, from MSN, simply far too many even for the memory, and I can't even delete them unless I do it one by one.

eliot

Legacy Member
safe mode scan:

that took 6 hours T_T

jhosuxhv.dll.q_8047641_q;C:\Documents and Settings\All Users\Application Data\SecTaskMan;Trojan.Virtumod.based.12;Incurable.Moved.;
Rare Recording.wma;C:\Documents and Settings\Maroefel\Mijn documenten\Mijn ontvangen bestanden;Trojan.DownLoader.61860;Deleted.;
Top of Charts - 2003 (raffish).wma;C:\Documents and Settings\Maroefel\Mijn documenten\Mijn ontvangen bestanden;Trojan.DownLoader.61860;Deleted.;
Top of Charts - 2004 (christina).wma;C:\Documents and Settings\Maroefel\Mijn documenten\Mijn ontvangen bestanden;Trojan.DownLoader.61860;Deleted.;
Top of Charts - 2004.wma;C:\Documents and Settings\Maroefel\Mijn documenten\Mijn ontvangen bestanden;Trojan.DownLoader.61860;Deleted.;
Top of Charts - 2005.wma;C:\Documents and Settings\Maroefel\Mijn documenten\Mijn ontvangen bestanden;Trojan.DownLoader.61860;Deleted.;
Wicked Remix.wma;C:\Documents and Settings\Maroefel\Mijn documenten\Mijn ontvangen bestanden;Trojan.DownLoader.61860;Deleted.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;;

eliot

Legacy Member
the problem is still there, but another old problem that I was still planning to post is now gone, so it wasn't for nothing ^^

also, the pincushion problem got worse a few days ago
now it's exactly as if the resolution has also become 800x600, but it's still set to normal (1280x1024) :s.