Archive - HJT log - "gratisch scannen" banner

This archive is a frozen moment from an earlier version of this forum, with different rules and different administrators. These posts in no way reflect our current ideas, values or world views and have in places been censored as unacceptable. Many were written in a different era, ironically or otherwise (as in the ironic Off-Topic subforum), and would not (be allowed to) be posted today. We nevertheless still offer this archive as an information database and reference.

geertz

Legacy Member
I keep getting the warning icon "gratisch scannen" at the bottom right next to the clock, and a number of variations on it. Google sometimes warns that my PC is infected with spyware. I also have the impression that my PC is running slower.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:16, on 4/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141} - C:\WINDOWS\System32\dsound3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\GeertZ\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://inevlassaks.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://www.jamphat.com/rap/index_files/image065.jpg

--
End of file - 7033 bytes
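The log above is read by eye in this thread; as an added example (not from the forum post or from HijackThis itself), the Python script below parses the O2/O4/O20/O24 line shapes and flags what a helper scans for: an unnamed BHO loaded from System32, an orphan "(no file)" registration, a Winlogon Notify DLL outside a known set, and an Active Desktop component pulled from a URL. The sample lines are copied from the log; the KNOWN_NOTIFY_DLLS set and the severity scale are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141} - C:\WINDOWS\System32\dsound3.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll",
    r"O24 - Desktop Component 0: (no name) - http://www.jamphat.com/rap/index_files/image065.jpg",
]

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
DESKTOP_RE = re.compile(r"^Desktop Component \d+: (?P<name>.*?) - (?P<path>.*)$")

# Assumption for this example: DLL base names a stock Windows XP install registers
# under Winlogon\Notify. Anything else is loaded into winlogon.exe at every logon
# and deserves a closer look (HijackThis hides the defaults in most logs).
KNOWN_NOTIFY_DLLS = {"crypt32", "cryptnet", "cscdll", "wlnotify", "sclgntfy", "termsrv"}


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high", "medium" or "low" (scale assumed for this example)
    reason: str
    path: str


def _clean_path(raw: str) -> str:
    """Strip surrounding quotes; unquoted trailing arguments are kept as-is."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw


def _in_system_dir(path: str) -> bool:
    p = path.lower()
    return "\\windows\\system32\\" in p or "\\windows\\system\\" in p


def triage_line(line: str) -> list[Finding]:
    """Apply the heuristics to one HijackThis line; other sections yield nothing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m["section"], m["body"]
    out: list[Finding] = []
    if section == "O2" and (b := BHO_RE.match(body)):
        path = _clean_path(b["path"])
        if path == "(no file)":
            out.append(Finding(section, "low", "orphan BHO registration, file is gone", path))
        elif b["name"] == "(no name)" and _in_system_dir(path):
            out.append(Finding(section, "high", "unnamed BHO loading a DLL from the system directory", path))
        elif b["name"] == "(no name)":
            out.append(Finding(section, "medium", "unnamed BHO", path))
    elif section == "O4" and (r := RUN_RE.match(body)):
        path = _clean_path(r["path"])
        if not re.match(r"^(?:[A-Za-z]:\\|%)", path):
            out.append(Finding(section, "low", "Run entry uses a bare file name resolved via the search path", path))
    elif section == "O20" and (n := NOTIFY_RE.match(body)):
        path = _clean_path(n["path"])
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if stem not in KNOWN_NOTIFY_DLLS:
            out.append(Finding(section, "high", "Winlogon Notify DLL outside the known set", path))
    elif section == "O24" and (d := DESKTOP_RE.match(body)):
        path = _clean_path(d["path"])
        if path.lower().startswith(("http://", "https://")):
            out.append(Finding(section, "medium", "Active Desktop component fetched from a remote URL", path))
    return out


def triage(lines) -> list[Finding]:
    """Run triage_line over a whole log and return findings, most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    found = [f for line in lines for f in triage_line(line)]
    return sorted(found, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.section}: {f.reason} -> {f.path}")
```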

Jurgenv1

Legacy Member
Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to your desktop.
Double-click it to start the program.
In the window that appears, type Y to start the cleaning process.
Follow the on-screen instructions.
When the tool is finished, a log file (combofix.txt) will open. Post the contents of this file together with a new HijackThis log.

geertz

Legacy Member
The logs. Thanks in advance, by the way.

In the meantime my virus scanner also says I have a Trojan: Generic.xc. Is that linked to the previous problems?


ComboFix 07-12-02.6 - GeertZ 2007-12-06 20:55:32.2 - NTFSx86 MINIMAL
Gestart vanuit: C:\Documents and Settings\GeertZ\Bureaublad\ComboFix.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\protect.sys
C:\WINDOWS\system32\rpcc.dll
.
---- Previous Run -------
.
C:\U.exe
C:\WINDOWS\system32\DefLib.sys
C:\WINDOWS\system32\rsvp322.dll
C:\WINDOWS\system32\rsvp322.dllyrt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\protect


-------\LEGACY_PROTECT
-------\protect


(((((((((((((((((((( Bestanden Gemaakt van 2007-11-06 to 2007-12-06 ))))))))))))))))))))))))))))))
.

2007-12-06 17:26 . 2007-12-06 17:26 0 --a------ C:\36.tmp
2007-12-06 17:26 . 2007-12-06 17:26 0 --a------ C:\35.tmp
2007-12-06 17:26 . 2007-12-06 17:26 0 --a------ C:\34.tmp
2007-12-06 17:26 . 2007-12-06 17:26 0 --a------ C:\33.tmp
2007-12-06 17:26 . 2007-12-06 17:26 0 --a------ C:\32.tmp
2007-12-06 17:26 . 2007-12-06 17:26 0 --a------ C:\31.tmp
2007-12-06 17:25 . 2007-12-06 17:25 0 --a------ C:\30.tmp
2007-12-06 17:25 . 2007-12-06 17:25 0 --a------ C:\2F.tmp
2007-12-06 17:25 . 2007-12-06 17:25 0 --a------ C:\2E.tmp
2007-12-06 17:25 . 2007-12-06 17:25 0 --a------ C:\2D.tmp
2007-12-06 17:24 . 2007-12-06 17:24 0 --a------ C:\2C.tmp
2007-12-06 17:24 . 2007-12-06 17:24 0 --a------ C:\2B.tmp
2007-12-06 17:24 . 2007-12-06 17:24 0 --a------ C:\2A.tmp
2007-12-06 17:24 . 2007-12-06 17:24 0 --a------ C:\29.tmp
2007-12-06 17:24 . 2007-12-06 17:24 0 --a------ C:\28.tmp
2007-12-06 17:24 . 2007-12-06 17:24 0 --a------ C:\27.tmp
2007-12-06 17:23 . 2007-12-06 17:23 43,008 --a------ C:\1E.tmp
2007-12-06 17:23 . 2007-12-06 17:23 43,008 --a------ C:\1D.tmp
2007-12-06 17:23 . 2007-12-06 17:23 0 --a------ C:\26.tmp
2007-12-06 17:23 . 2007-12-06 17:23 0 --a------ C:\25.tmp
2007-12-06 17:23 . 2007-12-06 17:23 0 --a------ C:\24.tmp
2007-12-06 17:23 . 2007-12-06 17:23 0 --a------ C:\23.tmp
2007-12-06 17:23 . 2007-12-06 17:23 0 --a------ C:\22.tmp
2007-12-06 17:23 . 2007-12-06 17:23 0 --a------ C:\21.tmp
2007-12-06 17:23 . 2007-12-06 17:23 0 --a------ C:\20.tmp
2007-12-06 17:23 . 2007-12-06 17:23 0 --a------ C:\1F.tmp
2007-12-06 17:22 . 2007-12-06 17:22 66,048 --a------ C:\16.tmp
2007-12-06 17:22 . 2007-12-06 17:22 46,080 --a------ C:\WINDOWS\system32\pdbcopy.exe
2007-12-06 17:22 . 2007-12-06 17:22 43,520 --a------ C:\Documents and Settings\GeertZ\nax.exe
2007-12-06 17:22 . 2007-12-06 17:22 24,064 --a------ C:\17.tmp
2007-12-06 17:22 . 2007-12-06 17:22 20,992 --a------ C:\1C.tmp
2007-12-06 17:22 . 2007-12-06 17:22 20,992 --a------ C:\1B.tmp
2007-12-06 17:22 . 2007-12-06 17:22 212 --a------ C:\1A.tmp
2007-12-06 17:22 . 2007-12-06 17:22 212 --a------ C:\19.tmp
2007-12-06 17:22 . 2007-12-06 17:22 50 --a------ C:\Documents and Settings\GeertZ\nax.bat
2007-12-06 17:22 . 2007-12-06 17:22 1 --a------ C:\18.tmp
2007-12-06 14:47 . 2007-12-06 14:47 66,048 --a------ C:\5.tmp
2007-12-06 14:47 . 2007-12-06 14:47 59,904 --a------ C:\tmp03sz.exe
2007-12-06 14:47 . 2007-12-06 14:47 46,080 --a------ C:\WINDOWS\system32\undname.exe
2007-12-06 14:47 . 2007-12-06 14:47 1 --a------ C:\7.tmp
2007-12-04 18:42 . 2007-12-04 18:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 18:12 . 2007-12-04 18:12 <DIR> d-------- C:\Documents and Settings\GeertZ\Application Data\Grisoft
2007-12-04 18:12 . 2007-12-04 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 18:12 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-20 14:36 . 2007-11-20 14:36 <DIR> d-------- C:\Program Files\Sophos
2007-11-19 14:45 . 2007-11-20 17:44 <DIR> d-------- C:\Program Files\Google
2007-11-18 20:55 . 2007-11-18 20:55 <DIR> d-------- C:\Documents and Settings\GeertZ\Application Data\Lavasoft
2007-11-15 00:30 . 2007-11-15 00:30 29,696 --a------ C:\wndelxc.exe
2007-11-14 17:22 . 2002-12-12 00:14 105,728 --a------ C:\WINDOWS\system32\dsound3.3
2007-11-14 17:22 . 2002-12-12 00:14 99,584 --a------ C:\WINDOWS\system32\dsound3.2
2007-11-14 17:22 . 2002-12-12 00:14 99,328 --a------ C:\WINDOWS\system32\dsound3.dll
2007-11-14 17:22 . 2002-12-12 00:14 94,720 --a------ C:\WINDOWS\system32\dsound3.1
2007-11-14 17:22 . 19,456 C:\WINDOWS\system32\drivers\xoywiazg.dat

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 16:22 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2007-11-19 13:45 --------- d-----w C:\Program Files\Java
2007-11-18 19:53 --------- d-----w C:\Program Files\BOINC
2007-11-17 23:54 --------- d-----w C:\Program Files\Octoshape Streaming Services
2007-11-17 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-10-16 14:34 --------- d-----r C:\Documents and Settings\GeertZ\Application Data\Brother
2007-08-29 15:33 18,392 ----a-w C:\Documents and Settings\GeertZ\Application Data\GDIPFONTCACHEV1.DAT
2007-07-30 10:11 73,587 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_30_01_03_59_small.dmp.zip
2006-12-27 22:53 17,149,297 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_22_21_14_43_full.dmp.zip
2006-12-22 19:53 17,340,407 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_22_20_31_12_full.dmp.zip
2006-12-22 13:07 17,218,698 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_22_14_05_20_full.dmp.zip
2006-02-18 10:49 4,089,258 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2003-06-03 15:49 448,256 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-06-03 15:48 147,328 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 15:47 147,328 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141}]
2002-12-12 00:14 99328 --a------ C:\WINDOWS\System32\dsound3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2003-04-08 13:00]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\GeertZ\OctoshapeClient.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 15:28]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 08:42]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 06:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 11:00]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-22 20:10]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 11:38]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2006-12-07 01:34]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-04-08 13:00]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-25 16:05:42]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-10-09 12:53:39]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]



[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\System32\tcpconn.exe /r
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 21:04:03
Windows 5.1.2600 Service Pack 1 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

**************************************************************************
.
Voltooingstijd: 2007-12-06 21:05:37 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:06:38, on 6/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141} - C:\WINDOWS\System32\dsound3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\GeertZ\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://inevlassaks.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://www.jamphat.com/rap/index_files/image065.jpg

--
End of file - 6818 bytes
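The ComboFix created-files section is where the helper later picks his OTMoveIt list from. As an added example (not part of the post or of ComboFix), this Python snippet parses those lines, including the malformed xoywiazg.dat line that has no modification timestamp, groups file creations into time bursts, which separates the original 2007-11-14 drop from the two 2007-12-06 waves, and lists files whose modification time predates their creation. The sample is a constructed subset of the lines above; the gap, count and day thresholds are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a subset of the "Bestanden Gemaakt" lines from the ComboFix
# log in this thread, including the malformed last line (no modified timestamp).
SAMPLE = [
    r"2007-12-06 17:26 . 2007-12-06 17:26 0 --a------ C:\36.tmp",
    r"2007-12-06 17:25 . 2007-12-06 17:25 0 --a------ C:\30.tmp",
    r"2007-12-06 17:23 . 2007-12-06 17:23 43,008 --a------ C:\1E.tmp",
    r"2007-12-06 17:22 . 2007-12-06 17:22 46,080 --a------ C:\WINDOWS\system32\pdbcopy.exe",
    r"2007-12-06 17:22 . 2007-12-06 17:22 43,520 --a------ C:\Documents and Settings\GeertZ\nax.exe",
    r"2007-12-06 17:22 . 2007-12-06 17:22 50 --a------ C:\Documents and Settings\GeertZ\nax.bat",
    r"2007-12-06 14:47 . 2007-12-06 14:47 66,048 --a------ C:\5.tmp",
    r"2007-12-06 14:47 . 2007-12-06 14:47 59,904 --a------ C:\tmp03sz.exe",
    r"2007-12-06 14:47 . 2007-12-06 14:47 46,080 --a------ C:\WINDOWS\system32\undname.exe",
    r"2007-12-04 18:42 . 2007-12-04 18:42 <DIR> d-------- C:\Program Files\Trend Micro",
    r"2007-12-04 18:12 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys",
    r"2007-11-15 00:30 . 2007-11-15 00:30 29,696 --a------ C:\wndelxc.exe",
    r"2007-11-14 17:22 . 2002-12-12 00:14 99,328 --a------ C:\WINDOWS\system32\dsound3.dll",
    r"2007-11-14 17:22 . 2002-12-12 00:14 94,720 --a------ C:\WINDOWS\system32\dsound3.1",
    r"2007-11-14 17:22 . 19,456 C:\WINDOWS\system32\drivers\xoywiazg.dat",
]

# created . [modified] size|<DIR> [attrs] path; modified and attrs are optional so
# that truncated lines like the xoywiazg.dat one still parse.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?:(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) )?"
    r"(?P<size><DIR>|[\d,]+) "
    r"(?:(?P<attrs>[-a-z]{9}) )?"
    r"(?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime | None  # None on malformed lines
    size: int | None           # None for directories
    path: str


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_created(lines) -> list[Entry]:
    """Parse the created-files section; banner, dot and blank lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        modified = _ts(m["modified"]) if m["modified"] else None
        entries.append(Entry(_ts(m["created"]), modified, size, m["path"]))
    return entries


def bursts(entries, gap_minutes: int = 2, min_count: int = 3) -> list[list[Entry]]:
    """Group files (not directories) created within gap_minutes of the previous
    file; return the groups with at least min_count members, oldest first."""
    files = sorted((e for e in entries if e.size is not None), key=lambda e: e.created)
    gap = timedelta(minutes=gap_minutes)
    groups: list[list[Entry]] = []
    current: list[Entry] = []
    for e in files:
        if current and e.created - current[-1].created > gap:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= min_count]


def backdated(entries, min_days: int = 30) -> list[str]:
    """Paths whose modification time predates creation by at least min_days.
    Installers that preserve timestamps trigger this too (AvgAsCln.sys here),
    so it is a prompt to look, not a verdict."""
    limit = timedelta(days=min_days)
    return [e.path for e in entries if e.modified is not None and e.created - e.modified >= limit]


if __name__ == "__main__":
    parsed = parse_created(SAMPLE)
    for group in bursts(parsed):
        print(f"{group[0].created:%Y-%m-%d %H:%M}: {len(group)} files, e.g. {group[0].path}")
    print("backdated:", backdated(parsed))
```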

Jurgenv1

Legacy Member
Download OTMoveIt.exe and save it to your desktop:

Start OTMoveIt by double-clicking OTMoveIt.exe
In the left pane, where it says: Paste List of Files/Folders to be Moved, copy and paste the section below:

C:\36.tmp
C:\35.tmp
C:\34.tmp
C:\33.tmp
C:\32.tmp
C:\31.tmp
C:\30.tmp
C:\2F.tmp
C:\2E.tmp
C:\2D.tmp
C:\2C.tmp
C:\2B.tmp
C:\2A.tmp
C:\29.tmp
C:\28.tmp
C:\27.tmp
C:\1E.tmp
C:\1D.tmp
C:\26.tmp
C:\25.tmp
C:\24.tmp
C:\23.tmp
C:\22.tmp
C:\21.tmp
C:\20.tmp
C:\1F.tmp
C:\16.tmp
C:\WINDOWS\system32\pdbcopy.exe
C:\Documents and Settings\GeertZ\nax.exe
C:\17.tmp
C:\1C.tmp
C:\1B.tmp
C:\1A.tmp
C:\19.tmp
C:\Documents and Settings\GeertZ\nax.bat
C:\18.tmp
C:\5.tmp
C:\tmp03sz.exe
C:\7.tmp
C:\wndelxc.exe
C:\WINDOWS\System32\dsound3.dll


Then click the MoveIt button at the bottom.
When finished it will create a log (********_******.log -- the * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Post its contents in your next reply

geertz

Legacy Member
Voila. The Trojan was Generic.dx, by the way.

C:\36.tmp moved successfully.
C:\35.tmp moved successfully.
C:\34.tmp moved successfully.
C:\33.tmp moved successfully.
C:\32.tmp moved successfully.
C:\31.tmp moved successfully.
C:\30.tmp moved successfully.
C:\2F.tmp moved successfully.
C:\2E.tmp moved successfully.
C:\2D.tmp moved successfully.
C:\2C.tmp moved successfully.
C:\2B.tmp moved successfully.
C:\2A.tmp moved successfully.
C:\29.tmp moved successfully.
C:\28.tmp moved successfully.
C:\27.tmp moved successfully.
C:\1E.tmp moved successfully.
C:\1D.tmp moved successfully.
C:\26.tmp moved successfully.
C:\25.tmp moved successfully.
C:\24.tmp moved successfully.
C:\23.tmp moved successfully.
C:\22.tmp moved successfully.
C:\21.tmp moved successfully.
C:\20.tmp moved successfully.
C:\1F.tmp moved successfully.
C:\16.tmp moved successfully.
File move failed. C:\WINDOWS\system32\pdbcopy.exe scheduled to be moved on reboot.
C:\Documents and Settings\GeertZ\nax.exe moved successfully.
C:\17.tmp moved successfully.
C:\1C.tmp moved successfully.
C:\1B.tmp moved successfully.
C:\1A.tmp moved successfully.
C:\19.tmp moved successfully.
C:\Documents and Settings\GeertZ\nax.bat moved successfully.
C:\18.tmp moved successfully.
C:\5.tmp moved successfully.
C:\tmp03sz.exe moved successfully.
C:\7.tmp moved successfully.
C:\wndelxc.exe moved successfully.
C:\WINDOWS\System32\dsound3.dll unregistered successfully.
File move failed. C:\WINDOWS\System32\dsound3.dll scheduled to be moved on reboot.

Created on 12/07/2007 14:12:38

Not sure whether you needed this one too:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:18:59, on 7/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141} - C:\WINDOWS\System32\dsound3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\GeertZ\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://inevlassaks.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://www.jamphat.com/rap/index_files/image065.jpg

--
End of file - 6818 bytes

geertz

Legacy Member
The result looks a bit crap:

AntiVir 7.6.0.40 2007.12.07 TR/BHO.abo.10
AVG 7.5.0.503 2007.12.08 Generic9.AASP
BitDefender 7.2 2007.12.08 Trojan.Spy.Bzub.NGP
CAT-QuickHeal 9.00 2007.12.08 Trojan.BHO.abo
DrWeb 4.44.0.09170 2007.12.08 Trojan.DownLoader.37561
eTrust-Vet 31.3.5361 2007.12.08 Win32/Kvol!generic
F-Secure 6.70.13030.0 2007.12.08 Trojan.Win32.BHO.abo
Ikarus T3.1.1.12 2007.12.08 Trojan-PWS.Win32.Lmir
Kaspersky 7.0.0.125 2007.12.08 Trojan.Win32.BHO.abo
Microsoft 1.3007 2007.12.08 TrojanSpy:Win32/Bzub.GB.dll
NOD32v2 2711 2007.12.07 Win32/BHO.ABO
Norman 5.80.02 2007.12.07 W32/BHO.ATH
Panda 9.0.0.4 2007.12.08 Adware/AVSystemCare
Prevx1 V2 2007.12.08 Trojan.DoS.Win32.Opdos
Sophos 4.24.0 2007.12.08 Troj/BHO-EE
Symantec 10 2007.12.08 Trojan Horse
TheHacker 6.2.9.153 2007.12.07 Trojan/BHO.abo
VBA32 3.12.2.5 2007.12.07 Trojan.Win32.BHO.abo
VirusBuster 4.3.26:9 2007.12.07 Trojan.BHO.OU
Webwasher-Gateway 6.6.2 2007.12.08 Trojan.BHO.abo.10

Full list:

Antivirus Version Last updated Result
AhnLab-V3 2007.12.8.0 2007.12.07 -
AntiVir 7.6.0.40 2007.12.07 TR/BHO.abo.10
Authentium 4.93.8 2007.12.07 -
Avast 4.7.1098.0 2007.12.08 -
AVG 7.5.0.503 2007.12.08 Generic9.AASP
BitDefender 7.2 2007.12.08 Trojan.Spy.Bzub.NGP
CAT-QuickHeal 9.00 2007.12.08 Trojan.BHO.abo
ClamAV 0.91.2 2007.12.08 -
DrWeb 4.44.0.09170 2007.12.08 Trojan.DownLoader.37561
eSafe 7.0.15.0 2007.12.06 -
eTrust-Vet 31.3.5361 2007.12.08 Win32/Kvol!generic
Ewido 4.0 2007.12.08 -
FileAdvisor 1 2007.12.08 -
Fortinet 3.14.0.0 2007.12.08 -
F-Prot 4.4.2.54 2007.12.07 -
F-Secure 6.70.13030.0 2007.12.08 Trojan.Win32.BHO.abo
Ikarus T3.1.1.12 2007.12.08 Trojan-PWS.Win32.Lmir
Kaspersky 7.0.0.125 2007.12.08 Trojan.Win32.BHO.abo
McAfee 5181 2007.12.08 -
Microsoft 1.3007 2007.12.08 TrojanSpy:Win32/Bzub.GB.dll
NOD32v2 2711 2007.12.07 Win32/BHO.ABO
Norman 5.80.02 2007.12.07 W32/BHO.ATH
Panda 9.0.0.4 2007.12.08 Adware/AVSystemCare
Prevx1 V2 2007.12.08 Trojan.DoS.Win32.Opdos
Rising 20.21.42.00 2007.12.07 -
Sophos 4.24.0 2007.12.08 Troj/BHO-EE
Sunbelt 2.2.907.0 2007.12.07 -
Symantec 10 2007.12.08 Trojan Horse
TheHacker 6.2.9.153 2007.12.07 Trojan/BHO.abo
VBA32 3.12.2.5 2007.12.07 Trojan.Win32.BHO.abo
VirusBuster 4.3.26:9 2007.12.07 Trojan.BHO.OU
Webwasher-Gateway 6.6.2 2007.12.08 Trojan.BHO.abo.10
Additional information
File size: 99328 bytes
MD5: 09e1da03b0ef1f1d1f9c00bf90eeb895
SHA1: 821fcece6ad2945f5dea8be4ef72ac9c75923314
PEiD: -
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=7A96929F003FE76A84A8016A1DCC05003C179F2D
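
A quick way to read a result list like the one above, and to confirm that a file on disk really is the sample the report describes, is to parse the table and recompute the hashes. The script below is an added Python example, not part of the original post or of VirusTotal: VT_TABLE is a constructed copy of the full list posted above, and REF_SIZE, REF_MD5 and REF_SHA1 are the values the post reports for dsound3.dll. Over this table it counts 20 of 32 engines detecting and lists the 12 that did not, among them McAfee (the scanner installed on this machine) and Ewido (the engine behind AVG Anti-Spyware, which is also installed).

```python
"""Summarise a VirusTotal-style result table and verify a sample's hashes.

Added example for this thread, not code from the original post or from
VirusTotal. VT_TABLE is a constructed copy of the full result list posted
above; REF_* are the size and hashes the post reports for dsound3.dll.
"""
import hashlib
import re
from collections import Counter

VT_TABLE = """\
AhnLab-V3 2007.12.8.0 2007.12.07 -
AntiVir 7.6.0.40 2007.12.07 TR/BHO.abo.10
Authentium 4.93.8 2007.12.07 -
Avast 4.7.1098.0 2007.12.08 -
AVG 7.5.0.503 2007.12.08 Generic9.AASP
BitDefender 7.2 2007.12.08 Trojan.Spy.Bzub.NGP
CAT-QuickHeal 9.00 2007.12.08 Trojan.BHO.abo
ClamAV 0.91.2 2007.12.08 -
DrWeb 4.44.0.09170 2007.12.08 Trojan.DownLoader.37561
eSafe 7.0.15.0 2007.12.06 -
eTrust-Vet 31.3.5361 2007.12.08 Win32/Kvol!generic
Ewido 4.0 2007.12.08 -
FileAdvisor 1 2007.12.08 -
Fortinet 3.14.0.0 2007.12.08 -
F-Prot 4.4.2.54 2007.12.07 -
F-Secure 6.70.13030.0 2007.12.08 Trojan.Win32.BHO.abo
Ikarus T3.1.1.12 2007.12.08 Trojan-PWS.Win32.Lmir
Kaspersky 7.0.0.125 2007.12.08 Trojan.Win32.BHO.abo
McAfee 5181 2007.12.08 -
Microsoft 1.3007 2007.12.08 TrojanSpy:Win32/Bzub.GB.dll
NOD32v2 2711 2007.12.07 Win32/BHO.ABO
Norman 5.80.02 2007.12.07 W32/BHO.ATH
Panda 9.0.0.4 2007.12.08 Adware/AVSystemCare
Prevx1 V2 2007.12.08 Trojan.DoS.Win32.Opdos
Rising 20.21.42.00 2007.12.07 -
Sophos 4.24.0 2007.12.08 Troj/BHO-EE
Sunbelt 2.2.907.0 2007.12.07 -
Symantec 10 2007.12.08 Trojan Horse
TheHacker 6.2.9.153 2007.12.07 Trojan/BHO.abo
VBA32 3.12.2.5 2007.12.07 Trojan.Win32.BHO.abo
VirusBuster 4.3.26:9 2007.12.07 Trojan.BHO.OU
Webwasher-Gateway 6.6.2 2007.12.08 Trojan.BHO.abo.10
"""

REF_SIZE = 99328
REF_MD5 = "09e1da03b0ef1f1d1f9c00bf90eeb895"
REF_SHA1 = "821fcece6ad2945f5dea8be4ef72ac9c75923314"

# vendor, engine version, signature date, result ("-" means clean)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")
# generic words in detection names that say nothing about the family
NOISE = {"trojan", "troj", "trojanspy", "spy", "pws", "dll", "generic", "horse", "adware"}


def parse_vt(text):
    """One dict per vendor row; result is None when the engine reported '-'."""
    rows = []
    for line in text.splitlines():
        if m := ROW.match(line):  # header and blank lines do not match
            vendor, version, updated, result = m.groups()
            rows.append({"vendor": vendor, "version": version, "updated": updated,
                         "result": None if result == "-" else result})
    return rows


def summarize(rows):
    """Detection ratio, the engines that missed, and a tally of family tokens."""
    hits = [r for r in rows if r["result"]]
    families = Counter()
    for r in hits:
        for tok in re.split(r"[^A-Za-z0-9]+", r["result"].lower()):
            if tok.isalpha() and len(tok) >= 3 and tok not in NOISE:
                families[tok] += 1
    return {"detected": len(hits), "total": len(rows),
            "missed": sorted(r["vendor"] for r in rows if not r["result"]),
            "families": families}


def digests(data):
    """(size, md5, sha1) of a byte string: the three values the report lists."""
    return len(data), hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def verify_sample(data, size=REF_SIZE, md5=REF_MD5, sha1=REF_SHA1):
    """True only if the local bytes are exactly the sample the report describes."""
    return digests(data) == (size, md5, sha1)


if __name__ == "__main__":
    s = summarize(parse_vt(VT_TABLE))
    print(f"{s['detected']}/{s['total']} engines flagged the file; missed by: {', '.join(s['missed'])}")
    print("most common family tokens:", s["families"].most_common(3))
    # constructed stand-in bytes; the real DLL is not on this page, so this prints False
    print("matches posted hashes:", verify_sample(b"placeholder bytes"))
```

To check a real file, pass `open(path, "rb").read()` to verify_sample. A size or hash mismatch means the file on disk is not the one the report describes, and none of the vendor names above should be carried over to it.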

Jurgenv1

Legacy Member
1. Download The Avenger by Swandog46 to your Desktop.
  • Click Avenger.zip to unpack it to your desktop
2. Now start The Avenger by double-clicking the icon with the sword.
  • Under "Script file to execute" choose "Input Script Manually".
  • Click the magnifying glass icon, which will open a new window named "View/edit script"
  • Copy and paste the following, in full, in bold, into it:
    Files to delete:
    C:\WINDOWS\System32\dsound3.dll

    Caution: The code above was made only for this computer/situation/user. If you use this code on another computer it can cause damage!
  • Click Done
  • Then click the green traffic light to run the script
  • Answer "Yes" when asked.
3. The Avenger will then do the following:
  • Restart your computer. (In cases where the script contains a "Drivers to Unload" section, The Avenger will restart your system twice)
  • After the restart, it will briefly open a black command window. This is normal.
  • After the restart, it will create a log that opens with The Avenger's results. This log can be found at C:\avenger.txt
  • The Avenger also makes backups of all files etc. that it deleted; these backups are located at C:\avenger\backup.zip.
4. Copy and paste the contents of avenger.txt into your next post together with a new HijackThis log.

geertz

Legacy Member
Voila. Failed, I guess.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ktohtkyb

*******************

Script file located at: \??\C:\WINDOWS\System32\rt^elide.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\System32\dsound3.dll for deletion
Deletion of file C:\WINDOWS\System32\dsound3.dll failed!

Could not process line:
C:\WINDOWS\System32\dsound3.dll
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:45:05, on 10/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141} - C:\WINDOWS\System32\dsound3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\GeertZ\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://inevlassaks.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://www.jamphat.com/rap/index_files/image065.jpg

--
End of file - 6818 bytes
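
The line that matters in the Avenger log above is `Status: 0xc0000022`. That is the NTSTATUS value STATUS_ACCESS_DENIED: the file was found, but the open-for-delete was refused even though Avenger runs its script from a boot-time service, before the normal desktop is up. That is a different situation from a file that is simply gone (0xc0000034, STATUS_OBJECT_NAME_NOT_FOUND), and it means something on the system still intercepts access to the file. The script below is an added Python example, not part of the thread or of The Avenger: it reads an Avenger log and names the NTSTATUS code behind each failure. AVENGER_LOG is a constructed copy of the log above with one success line added so both branches run; the NTSTATUS names are the standard values from ntstatus.h.

```python
"""Read a log written by The Avenger and explain every failed deletion.

Added example for this thread, not part of the original posts or of The
Avenger. AVENGER_LOG is a constructed log in the format posted above (one
success line added so both branches run); NTSTATUS names are the standard
values from ntstatus.h.
"""
import re

# NTSTATUS values Avenger reports unchanged from the kernel (ntstatus.h).
NTSTATUS = {
    0xC0000022: ("STATUS_ACCESS_DENIED",
                 "the file exists but the open-for-delete was refused; something still protects it"),
    0xC0000034: ("STATUS_OBJECT_NAME_NOT_FOUND", "no such file; it was already removed"),
    0xC000003A: ("STATUS_OBJECT_PATH_NOT_FOUND", "a directory in the path does not exist"),
    0xC0000043: ("STATUS_SHARING_VIOLATION", "an open handle elsewhere blocks the delete"),
    0xC0000121: ("STATUS_CANNOT_DELETE", "file is read-only or mapped as an executable image"),
}

AVENGER_LOG = """\
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\\Registry\\Machine\\System\\CurrentControlSet\\Services\\ktohtkyb

*******************

Script file located at: \\??\\C:\\WINDOWS\\System32\\rt^elide.txt
Script file opened successfully.

Beginning to process script file:

File C:\\WINDOWS\\System32\\dsound3.2 deleted successfully.


Could not open file C:\\WINDOWS\\System32\\dsound3.dll for deletion
Deletion of file C:\\WINDOWS\\System32\\dsound3.dll failed!

Could not process line:
C:\\WINDOWS\\System32\\dsound3.dll
Status: 0xc0000022

Completed script processing.

Finished! Terminate.
"""

OK_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAIL_RE = re.compile(r"^Deletion of file (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")
KEY_RE = re.compile(r"^\\Registry\\Machine\\System\\CurrentControlSet\\Services\\(\S+)$")


def parse_avenger(text):
    """Return (service_name, results); results are dicts in script order."""
    service, results, pending = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            service = m.group(1)  # the random service name Avenger installs itself under
        elif m := OK_RE.match(line):
            results.append({"path": m.group(1), "ok": True, "status": None,
                            "name": None, "meaning": None})
        elif m := FAIL_RE.match(line):
            pending = {"path": m.group(1), "ok": False, "status": None,
                       "name": "unknown", "meaning": "no Status: line followed"}
            results.append(pending)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            code = int(m.group(1), 16)
            name, meaning = NTSTATUS.get(code, ("unknown NTSTATUS", "look the code up in ntstatus.h"))
            pending.update(status=code, name=name, meaning=meaning)
            pending = None
    return service, results


def failures(results):
    """Only the entries whose deletion did not happen."""
    return [r for r in results if not r["ok"]]


def report(text):
    """Human-readable verdict per path, the way a helper would summarise the log."""
    service, results = parse_avenger(text)
    lines = [f"Avenger ran as service {service}"]
    for r in results:
        if r["ok"]:
            lines.append(f"deleted  {r['path']}")
        else:
            code = f"0x{r['status']:08X}" if r["status"] is not None else "no code"
            lines.append(f"FAILED   {r['path']}  {code} {r['name']}: {r['meaning']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(AVENGER_LOG))
```

Run it against C:\avenger.txt to get one verdict line per path. An access-denied result is not fixed by re-running the same script; it is a prompt to find out what is still loaded and guarding the file before trying again.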

geertz

Legacy Member
ComboFix 07-12-02.6 - GeertZ 2007-12-10 13:59:57.3 - NTFSx86
Started from: C:\Documents and Settings\GeertZ\Bureaublad\ComboFix.exe
.

(((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 ))))))))))))))))))))))))))))))
.

2007-12-07 14:55 . 2007-12-07 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-04 18:42 . 2007-12-04 18:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 18:12 . 2007-12-04 18:12 <DIR> d-------- C:\Documents and Settings\GeertZ\Application Data\Grisoft
2007-12-04 18:12 . 2007-12-04 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 18:12 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-20 14:36 . 2007-11-20 14:36 <DIR> d-------- C:\Program Files\Sophos
2007-11-19 14:45 . 2007-11-20 17:44 <DIR> d-------- C:\Program Files\Google
2007-11-18 20:55 . 2007-11-18 20:55 <DIR> d-------- C:\Documents and Settings\GeertZ\Application Data\Lavasoft
2007-11-14 17:22 . 2002-12-12 00:14 105,728 --a------ C:\WINDOWS\system32\dsound3.3
2007-11-14 17:22 . 2002-12-12 00:14 99,584 --a------ C:\WINDOWS\system32\dsound3.2
2007-11-14 17:22 . 2002-12-12 00:14 99,328 --a------ C:\WINDOWS\system32\dsound3.dll
2007-11-14 17:22 . 2002-12-12 00:14 94,720 --a------ C:\WINDOWS\system32\dsound3.1
2007-11-14 17:22 . 19,456 C:\WINDOWS\system32\drivers\xoywiazg.dat

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 16:22 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2007-11-19 13:45 --------- d-----w C:\Program Files\Java
2007-11-18 19:53 --------- d-----w C:\Program Files\BOINC
2007-11-17 23:54 --------- d-----w C:\Program Files\Octoshape Streaming Services
2007-11-17 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-10-16 14:34 --------- d-----r C:\Documents and Settings\GeertZ\Application Data\Brother
2007-08-29 15:33 18,392 ----a-w C:\Documents and Settings\GeertZ\Application Data\GDIPFONTCACHEV1.DAT
2007-07-30 10:11 73,587 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_30_01_03_59_small.dmp.zip
2006-12-27 22:53 17,149,297 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_22_21_14_43_full.dmp.zip
2006-12-22 19:53 17,340,407 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_22_20_31_12_full.dmp.zip
2006-12-22 13:07 17,218,698 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_22_14_05_20_full.dmp.zip
2006-02-18 10:49 4,089,258 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2003-06-03 15:49 448,256 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-06-03 15:48 147,328 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 15:47 147,328 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-06_21.04.24.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-08 23:01:24 83,696 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2007-09-06 15:14:04 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
- 2007-03-08 23:02:10 394,192 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2007-09-06 15:14:28 395,080 ----a-w C:\WINDOWS\system32\vsdatant.sys
- 2007-03-08 23:01:24 157,424 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2007-09-06 15:14:04 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll
- 2007-03-08 23:01:26 104,176 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2007-09-06 15:14:04 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll
- 2007-03-08 23:01:26 276,208 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2007-09-06 15:14:04 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll
- 2007-03-08 23:01:26 71,408 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2007-09-06 15:14:04 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll
- 2007-03-08 23:01:28 472,816 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2007-09-06 15:14:06 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll
- 2007-03-08 23:01:30 46,832 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2007-09-06 15:14:06 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll
- 2007-03-08 23:01:30 100,080 ----a-w C:\WINDOWS\system32\vsxml.dll
+ 2007-09-06 15:14:06 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll
- 2007-03-08 23:01:30 83,696 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2007-09-06 15:14:06 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll
- 2007-03-08 23:01:32 71,408 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2007-09-06 15:14:08 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll
- 2007-06-04 22:44:17 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-12-07 13:57:41 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2007-03-08 23:01:10 362,280 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-09-06 15:13:56 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-30 23:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
- 2006-12-19 17:13:50 61,565 ------w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-30 23:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
- 2006-12-19 17:13:50 114,813 ------w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-30 23:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
- 2006-12-19 17:13:50 307,323 ------w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-30 23:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
- 2006-11-29 21:02:26 36,923 ------w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2007-05-30 23:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 14:10:32 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 14:10:32 186,128 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-30 23:03:48 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 14:10:28 127,768 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-30 23:03:50 45,056 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
- 2007-01-11 16:31:04 274,514 ------w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2007-08-24 18:31:48 274,432 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2007-07-19 14:10:32 186,128 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\klif_32.sys
+ 2007-05-30 23:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-30 23:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
- 2006-11-29 21:02:26 184,445 ------w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-30 23:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-30 23:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
- 2006-12-19 17:13:52 94,313 ------w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2007-08-24 18:31:48 135,168 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
- 2007-03-08 23:01:10 100,080 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2007-09-06 15:13:56 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
- 2007-03-08 23:01:14 128,744 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2007-09-06 15:13:58 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
- 2007-03-08 23:01:14 38,640 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2007-09-06 15:13:58 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
- 2007-03-08 23:01:14 321,280 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2007-09-06 15:13:58 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
- 2007-03-08 23:02:12 288,408 ------w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-09-06 15:14:30 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
- 2007-03-08 23:02:12 153,240 ------w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-09-06 15:14:30 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
- 2007-03-08 23:02:14 26,264 ------w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-09-06 15:14:30 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
- 2007-03-08 23:02:14 1,361,560 ------w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2007-09-06 15:14:32 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
- 2007-03-08 23:02:14 71,320 ------w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2007-09-06 15:14:32 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
- 2007-03-08 23:04:42 30,448 ------w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-09-06 15:15:50 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
- 2007-03-08 23:04:44 30,480 ------w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-09-06 15:15:52 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
- 2007-01-18 04:39:16 714,472 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2007-08-15 14:45:42 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
- 2007-01-18 04:39:16 677,608 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2007-08-15 14:45:44 787,936 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
- 2007-03-08 23:01:20 173,808 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2007-09-06 15:14:00 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
- 2007-01-18 04:39:18 1,369,832 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2007-08-15 14:45:44 1,500,640 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
- 2007-01-18 04:39:20 50,416 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2007-06-11 11:44:10 50,416 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
- 2007-03-08 23:01:20 456,432 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2007-09-06 15:14:02 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
- 2007-03-08 23:04:44 210,696 ------w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-09-06 15:15:52 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
- 2007-03-08 23:04:46 3,229,440 ------w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2007-09-06 15:15:54 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
- 2007-06-23 11:18:30 833,248 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2007-08-01 05:30:04 833,248 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
- 2007-03-08 23:01:58 141,104 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-09-06 15:14:18 149,032 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
- 2007-03-08 23:01:24 108,272 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2007-09-06 15:14:04 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
- 2007-03-08 23:01:24 79,600 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2007-09-06 15:14:04 79,336 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
- 2007-03-08 23:01:58 75,568 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2007-09-06 15:14:18 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
- 2007-03-08 23:01:26 2,025,200 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2007-09-06 15:14:04 2,024,936 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
- 2007-03-08 23:01:28 1,345,264 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2007-09-06 15:14:06 1,345,000 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
- 2007-03-08 23:01:28 243,440 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2007-09-06 15:14:06 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
- 2007-03-08 23:01:32 177,904 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2007-09-06 15:14:08 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
- 2007-03-08 23:01:32 79,608 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2007-09-06 15:14:08 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
- 2007-03-08 23:01:34 378,608 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2007-09-06 15:14:08 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
- 2007-03-08 23:01:34 120,560 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2007-09-06 15:14:08 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
- 2007-03-08 23:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll
+ 2007-09-06 15:14:12 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
- 2007-03-08 23:02:00 75,512 ----a-w C:\WINDOWS\zllsputility.exe
+ 2007-09-06 15:14:18 75,248 ----a-w C:\WINDOWS\zllsputility.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141}]
2002-12-12 00:14 99328 --a------ C:\WINDOWS\System32\dsound3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2003-04-08 13:00]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\GeertZ\OctoshapeClient.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 15:28]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 08:42]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 06:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 11:00]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-22 20:10]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 11:38]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2006-12-07 01:34]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-04-08 13:00]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-25 16:05:42]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-10-09 12:53:39]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

R0 nzbmxjtk;nzbmxjtk;C:\WINDOWS\System32\drivers\xoywiazg.dat
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\System32\51.tmp


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\System32\tcpconn.exe /r
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 14:01:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 14:02:37
C:\ComboFix2.txt ... 2007-12-06 21:05
.
--- E O F ---
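
The ComboFix log above contains the three things a responder reads first: a boot-start service (R0) called nzbmxjtk whose image is a .dat file under drivers, a BHO with no name served from System32, and an Active Setup component that runs tcpconn.exe /r for every user at logon. The "Files Created" section adds a fourth: four dsound3.* files created in the same minute on 2007-11-14 that all carry the identical modification stamp 2002-12-12 00:14, the shape of a set dropped together with old timestamps. The script below is an added Python example, not ComboFix code: it codifies those checks as heuristics over a constructed excerpt of the log. It also flags MEMSWEEP2, a driver loaded from a .tmp file in System32; that matches the temporary driver an anti-rootkit scanner such as Sophos Anti-Rootkit loads, and the Sophos directory created 2007-11-20 in the same log makes that the likely source, so every finding is a prompt to verify, not a verdict.

```python
"""Triage the startup-point and recent-file sections of a ComboFix log.

Added example for this thread, not ComboFix code. COMBOFIX_EXCERPT is a
constructed excerpt of the log posted above; the rules are the heuristics a
responder applies by hand, and every finding is a prompt to verify.
"""
import re
from collections import defaultdict

COMBOFIX_EXCERPT = """\
2007-12-04 18:12 . 2007-05-30 13:10 10,872 --a------ C:\\WINDOWS\\system32\\drivers\\AvgAsCln.sys
2007-11-14 17:22 . 2002-12-12 00:14 105,728 --a------ C:\\WINDOWS\\system32\\dsound3.3
2007-11-14 17:22 . 2002-12-12 00:14 99,584 --a------ C:\\WINDOWS\\system32\\dsound3.2
2007-11-14 17:22 . 2002-12-12 00:14 99,328 --a------ C:\\WINDOWS\\system32\\dsound3.dll
2007-11-14 17:22 . 2002-12-12 00:14 94,720 --a------ C:\\WINDOWS\\system32\\dsound3.1

[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141}]
2002-12-12 00:14 99328 --a------ C:\\WINDOWS\\System32\\dsound3.dll

R0 nzbmxjtk;nzbmxjtk;C:\\WINDOWS\\System32\\drivers\\xoywiazg.dat
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
S3 MEMSWEEP2;MEMSWEEP2;\\??\\C:\\WINDOWS\\System32\\51.tmp

[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\{43564368-4375-8601-4371-458454791235]
C:\\WINDOWS\\System32\\tcpconn.exe /r
"""

# "created . modified size attrs path" rows of the files-created section
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) [\d,]+ \S+ (.+)$")
# "<R|S><start type> name;display name;image" service rows (start 0 = boot, 1 = system)
SVC_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+)$")
BHO_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
ASETUP_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\(.+)\]$", re.I)
PATH_RE = re.compile(r"([A-Za-z]:\\.+)$")


def next_path(lines, i):
    """Drive-letter path (with arguments) on the next non-empty line after lines[i]."""
    for line in lines[i + 1:]:
        if line.strip():
            m = PATH_RE.search(line)
            return m.group(1) if m else line.strip()
    return ""


def triage(text):
    """Return [(item, reason)] for everything that deserves a second look."""
    findings, drops = [], defaultdict(list)
    lines = [l.rstrip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if m := FILE_RE.match(line):
            created, modified, path = m.groups()
            if created > modified:  # zero-padded stamps compare lexically; copied files look like this
                drops[(created, modified)].append(path)
        elif m := SVC_RE.match(line):
            _state, start, name, _display, image = m.groups()
            img = image.lower()
            if start in "01" and not img.split()[0].endswith(".sys"):
                findings.append((name, f"boot/system-start driver whose image is not a .sys: {image}"))
            if re.search(r"\\system32\\[^\\]+\.tmp$", img):
                findings.append((name, f"driver loaded from a .tmp file in System32 ({image}); "
                                       "anti-rootkit scanners do this, confirm which product"))
        elif m := BHO_RE.match(line):
            path = next_path(lines, i)
            if "\\system32\\" in path.lower():
                findings.append((m.group(1), f"BHO served from System32 rather than a vendor directory: {path}"))
        elif m := ASETUP_RE.match(line):
            findings.append((m.group(1), f"Active Setup StubPath runs once per user at logon: {next_path(lines, i)}"))
    # several files created in the same minute that all carry one older mtime: dropped as a set
    for (created, modified), paths in drops.items():
        if len(paths) >= 3:
            findings.append(("dropped-set", f"{len(paths)} files created {created} all carry mtime {modified}: "
                                            + ", ".join(paths)))
    return findings


if __name__ == "__main__":
    for item, reason in triage(COMBOFIX_EXCERPT):
        print(f"{item:42} {reason}")
```

A single installer copy (AvgAsCln.sys, created in December but modified in May) is not reported, because one file with an older mtime is normal; the rule only fires on a group. The .sys rule is deliberately narrow: a boot-start service whose image is not a driver file has no legitimate reason to exist on XP.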

Jurgenv1

Legacy Member
Try running the following script in The Avenger:

Files to delete:
C:\WINDOWS\system32\dsound3.3
C:\WINDOWS\system32\dsound3.2
C:\WINDOWS\system32\dsound3.dll
C:\WINDOWS\system32\dsound3.1
C:\WINDOWS\system32\drivers\xoywiazg.dat

geertz

Legacy Member
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aurjwfwp

*******************

Script file located at: \??\C:\ndycudkk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\dsound3.3 deleted successfully.
File C:\WINDOWS\system32\dsound3.2 deleted successfully.


Could not open file C:\WINDOWS\system32\dsound3.dll for deletion
Deletion of file C:\WINDOWS\system32\dsound3.dll failed!

Could not process line:
C:\WINDOWS\system32\dsound3.dll
Status: 0xc0000022

File C:\WINDOWS\system32\dsound3.1 deleted successfully.


Could not open file C:\WINDOWS\system32\drivers\xoywiazg.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\xoywiazg.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\xoywiazg.dat
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:51, on 11/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141} - C:\WINDOWS\System32\dsound3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\GeertZ\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://inevlassaks.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://www.jamphat.com/rap/index_files/image065.jpg

--
End of file - 6819 bytes

ComboFix 07-12-02.6 - GeertZ 2007-12-11 14:33:41.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1043.18.164 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\GeertZ\Bureaublad\ComboFix.exe
.

(((((((((((((((((((( Bestanden Gemaakt van 2007-11-11 to 2007-12-11 ))))))))))))))))))))))))))))))
.

2007-12-07 14:55 . 2007-12-07 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-04 18:42 . 2007-12-04 18:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 18:12 . 2007-12-04 18:12 <DIR> d-------- C:\Documents and Settings\GeertZ\Application Data\Grisoft
2007-12-04 18:12 . 2007-12-04 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 18:12 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-20 14:36 . 2007-11-20 14:36 <DIR> d-------- C:\Program Files\Sophos
2007-11-19 14:45 . 2007-11-20 17:44 <DIR> d-------- C:\Program Files\Google
2007-11-18 20:55 . 2007-11-18 20:55 <DIR> d-------- C:\Documents and Settings\GeertZ\Application Data\Lavasoft
2007-11-14 17:22 . 2002-12-12 00:14 99,328 --a------ C:\WINDOWS\system32\dsound3.dll
2007-11-14 17:22 . 19,456 C:\WINDOWS\system32\drivers\xoywiazg.dat

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 16:22 12,800 ----a-w C:\WINDOWS\system32\svchost.exe
2007-11-19 13:45 --------- d-----w C:\Program Files\Java
2007-11-18 19:53 --------- d-----w C:\Program Files\BOINC
2007-11-17 23:54 --------- d-----w C:\Program Files\Octoshape Streaming Services
2007-11-17 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-10-16 14:34 --------- d-----r C:\Documents and Settings\GeertZ\Application Data\Brother
2007-08-29 15:33 18,392 ----a-w C:\Documents and Settings\GeertZ\Application Data\GDIPFONTCACHEV1.DAT
2007-07-30 10:11 73,587 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_30_01_03_59_small.dmp.zip
2006-12-27 22:53 17,149,297 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_22_21_14_43_full.dmp.zip
2006-12-22 19:53 17,340,407 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_22_20_31_12_full.dmp.zip
2006-12-22 13:07 17,218,698 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_22_14_05_20_full.dmp.zip
2006-02-18 10:49 4,089,258 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2003-06-03 15:49 448,256 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-06-03 15:48 147,328 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 15:47 147,328 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141}]
2002-12-12 00:14 99328 --a------ C:\WINDOWS\System32\dsound3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2003-04-08 13:00]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\GeertZ\OctoshapeClient.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 15:28]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 08:42]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 06:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 11:00]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-22 20:10]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 11:38]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2006-12-07 01:34]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-04-08 13:00]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-25 16:05:42]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-10-09 12:53:39]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

R0 nzbmxjtk;nzbmxjtk;C:\WINDOWS\System32\drivers\xoywiazg.dat
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\System32\51.tmp


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\System32\tcpconn.exe /r
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 14:35:32
Windows 5.1.2600 Service Pack 1 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2007-12-11 14:36:12
C:\ComboFix2.txt ... 2007-12-10 14:02
C:\ComboFix3.txt ... 2007-12-06 21:05
.
--- E O F ---

Jurgenv1

Legacy Member
Run the following script:

Drivers to unload:
C:\WINDOWS\system32\drivers\xoywiazg.dat

Files to delete:
C:\WINDOWS\system32\dsound3.dll

geertz

Legacy Member
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\chwwdfrb

*******************

Script file located at: \??\C:\ugelleic.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\drivers\xoywiazg.dat for deletion
Unload of driver C:\WINDOWS\system32\drivers\xoywiazg.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\xoywiazg.dat
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\dsound3.dll for deletion
Deletion of file C:\WINDOWS\system32\dsound3.dll failed!

Could not process line:
C:\WINDOWS\system32\dsound3.dll
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.

Jurgenv1

Legacy Member
It is best to print out or write down the following instructions, since they will not be available during these steps.

* Download Gmer: http://www.gmer.net/gmer.zip and save it to your desktop.
Unzip/extract gmer.zip. This will create a new folder named Gmer.
  • Open the gmer folder and double-click Gmer.exe.
  • At the top, next to the rootkit tab, you will find a tab with three arrows in it. >>>
  • Click the >>> tab to reveal more tabs.
  • Click the processes tab.
  • Click the Safe... button, which you will find on the right.
  • A prompt will appear asking whether you want to restart your computer in "Gmer Safe Mode". Click Yes.
  • This will restart your computer. If your computer does not restart automatically, do it yourself.
  • During the restart you will get the following message - System is running in "Gmer Safe Mode". Click OK here.
  • Gmer will open again. By default it will open on the Processes tab.
  • On the right-hand side, click the "Files..." button. This will open a new window in which you can browse for files.
  • Browse to the following file: C:\WINDOWS\system32\dsound3.dll
  • Select it and click the Delete button, which you will find on the right.
  • Then click the OK button.
  • Once that is done, click the Restart button. You will be asked whether you are sure you want to shut down this computer.
  • Click Yes.
  • This will restart your computer normally.

geertz

Legacy Member
An error 0xC0000022 occurred during the deletion of C:\WINDOWS\system32\dsound3.dll

Not good, I suspect?

Jurgenv1

Legacy Member
* Download Dr.Web CureIt to your desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click drweb-cureit.exe and allow it to start the express scan.
  • This will scan the files currently loaded in memory and, when something is found, click the Yes to all button when asked 'cure it?'. This is only a short scan.
  • Once the short scan has finished, click Options > Change Settings
  • Choose the "Scan" tab and untick "Heuristic analyse"
  • Back in the main window you can select the drives you want to have scanned.
  • Select all drives here. A red dot will then appear on the drives you are having scanned.
  • Then click the green arrow on the right to start the scan.
  • Click 'Yes to all' when asked to perform cure or move.
  • When the scan is done, check whether you can click the following icon next to what was found:
    check.gif
  • If so, click it and then click the icon just below it and choose: Move incurable, as you will see in the following image:
    move.gif

    This will move the files to the following folder, %userprofile%\DoctorWeb\quarantaine-folder, if they cannot be disinfected. (this in case we need samples)
  • After selecting the above, in the menu at the top of Dr.Web CureIt, click file and choose save report list. Save the log to your desktop.
  • Then close Dr.Web Cureit.
  • Restart your computer!! This is an important step, because Dr.Web Cureit may move/delete files during the restart.
  • After restarting, copy and paste the contents of the log you saved earlier into your next post.

geertz

Legacy Member
xoywiazg.dat;c:\windows\system32\drivers;Trojan.NtRootKit.511;Verwijderd.;
dsound3.dll;c:\windows\system32;Trojan.DownLoader.37561;Verwijderd.;
18786F77d01;C:\Documents and Settings\Koen\Application Data\Mozilla\Profiles\default\hxywo61t.slt\Cache;Adware.SaveNow;Moved.;


Logfile of HijackThis v1.99.1
Scan saved at 16:16:01, on 14/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Documents and Settings\GeertZ\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\GeertZ\OctoshapeClient.exe" -inv:bootrun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://inevlassaks.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Jurgenv1

Legacy Member
* Fix the following line in HijackThis:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

* Your Java software is out of date.
Older versions have vulnerabilities that give malware the chance to install itself on your system.
First follow these steps to uninstall Java and install the newer version:

Download Java Runtime Environment (JRE) 6u3.
  • Scroll down to: "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button on the right-hand side.
  • Tick: "Accept License Agreement".
  • The page will reload.
  • Click the link to download the Windows Offline Installation, Multi-language, and save it to your desktop.
  • Close all programs that may be open - especially your web browser!
  • Then go to Start > Control Panel > Add or Remove Programs and remove all older versions of Java from the list.
  • Tick everything with Java Runtime Environment (JRE or J2SE) in the name.
  • Then click Remove or the Change/Remove button.
  • Repeat this until all older versions are gone.
  • After removing all older versions, restart your PC.
  • Then double-click jre-6u3-windows-i586-p.exe on your desktop to install the latest version of Java.

Otherwise it looks good; how is everything running now?
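As an added example (not code from the thread, from HijackThis, or from Jurgenv1), the following Python script applies the same triage the helpers did by eye to the O2 lines of the logs above: it flags nameless BHOs, registrations whose DLL is missing ("(no file)"), DLLs dropped straight into System32, and filenames that imitate a Windows DLL by appending a digit, as dsound3.dll does next to the real DirectSound library dsound.dll. The allowlist of CLSIDs and the list of imitated DLL stems are constructed for this illustration; the sample log lines are copied from the first HijackThis log in the thread.

```python
"""Triage HijackThis O2 (Browser Helper Object) lines.

Added example for this thread; it is not HijackThis code and not the helper's
script. The sample lines are copied from the logs posted above; the CLSID
allowlist and the system-DLL stems are constructed for the illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis writes BHOs as:  O2 - BHO: <name> - {<CLSID>} - <dll path | "(no file)">
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)

# Constructed allowlist: the CLSIDs of the three BHOs in this thread that belong
# to known software (Adobe Reader, Sun Java, Google Toolbar).
KNOWN_GOOD_CLSIDS = {
    "06849E9F-C8D7-4D59-B87D-784B7D6BE0B3",  # AcroIEHlprObj Class
    "761497BB-D6F0-462C-B6EB-D4DAF1D92D43",  # SSVHelper Class
    "AA58ED58-01DD-4D91-8333-CF10577473F7",  # Google Toolbar Helper
}

# Constructed list of Windows DLL base names that droppers imitate by appending
# a digit (dsound3.dll beside the genuine dsound.dll). Stems that legitimately
# end in digits (shell32, kernel32) are deliberately not listed.
SYSTEM_DLL_STEMS = {"dsound", "wininet", "urlmon"}


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    findings: List[str] = field(default_factory=list)


def lookalike_of(path: str) -> Optional[str]:
    """Return the system DLL stem a filename imitates (stem + digits), else None."""
    stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    stripped = re.sub(r"\d+$", "", stem)
    if stripped != stem and stripped in SYSTEM_DLL_STEMS:
        return stripped
    return None


def parse_o2(line: str) -> Optional[Bho]:
    """Parse one log line; return None for anything that is not an O2 entry."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    bho = Bho(m.group("name"), m.group("clsid").upper(), m.group("path"))
    if bho.name == "(no name)":
        bho.findings.append("nameless BHO")
    if bho.path == "(no file)":
        bho.findings.append("orphaned registration, DLL missing on disk")
    else:
        if bho.path.lower().startswith("c:\\windows\\system32\\"):
            bho.findings.append("BHO DLL placed directly in System32")
        mimic = lookalike_of(bho.path)
        if mimic:
            bho.findings.append(f"filename imitates system DLL {mimic}.dll")
    if bho.clsid not in KNOWN_GOOD_CLSIDS:
        bho.findings.append("CLSID not in allowlist")
    return bho


def triage(log_text: str) -> List[Bho]:
    """Return the O2 entries that carry at least one finding, in log order."""
    flagged = []
    for line in log_text.splitlines():
        bho = parse_o2(line)
        if bho is not None and bho.findings:
            flagged.append(bho)
    return flagged


# Lines copied from the first HijackThis log in the thread; the R0 and O3 lines
# are included to show that non-O2 entries are ignored.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {14C88C23-5FA1-4BC3-BDF1-5B4C13CE4141} - C:\WINDOWS\System32\dsound3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
"""

if __name__ == "__main__":
    for bho in triage(SAMPLE_LOG):
        print(f"{{{bho.clsid}}} {bho.path}")
        for finding in bho.findings:
            print(f"    - {finding}")
```

Run on the sample it reports exactly the two entries the thread dealt with: the dsound3.dll BHO (removed by Dr.Web CureIt) and the orphaned {7E853D72-...} registration (fixed in HijackThis). The allowlist is the weak part of any such triage: a real one has to be maintained, and a nameless entry with a known-good CLSID would still deserve a look.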