
View full version : Themida / TrojanProxy.Dlena trojan



Rhox
12 March 2007, 13:38
Last week I picked up a virus. I have tried to remove it with AntiVir/NOD32 and AVG Anti-Spyware, but it still doesn't work. At first I got Themida popups every time Windows XP started; I removed those thanks to AVG in the startup processes menu. NOD32 still complains about the following:

Alert Details:
C:\WINDOWS\system32\5242032ld.exe
Threat
a variant of Win32/TrojanProxy.Dlena trojan
Comment
Event occured on a new file created by the application X:\Windows\system32\svchost.exe. The file was moved to quarantine. You may close this window.

This trojan keeps installing the same virus, which I can find with AVG Anti-Spyware.

This is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 13:25:48, on 12-3-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
D:\MATLAB701\webserver\bin\win32\matlabserver.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Comodo\Firewall\cpf.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\RhoX\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: Shell=Explorer.exe taskmgr.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [JMB36X Configure] -C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] -KHALMNPR.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] -"C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [2chkdsk] -rundll32.exe "C:\WINDOWS\system32\dhbamrlf.dll",setvm
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NodLogin] -C:\Program Files\Eset\nodlogin.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] -RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alcmtr] -ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] -"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] -C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] -C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [updateMgr] -"C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164322028452
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Unknown owner - -"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - -"C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - -"C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - -"C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - D:\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Unknown owner - -"C:\Program Files\NetLimiter 2 Pro\nlsvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Messenger USN Journal Reader service voor Gedeelde mappen (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe (file missing)

Thanks in advance
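
In this thread the HijackThis log above is read by eye. As an added example (not HijackThis's or the forum's own code), the Python script below applies the same first-pass triage mechanically: it flags the F2 line because Winlogon's default Shell value is only Explorer.exe, O4 entries where rundll32 loads a randomly named DLL from system32 (the name heuristic and its threshold are assumptions, not a detection signature), and O23 services whose binary is missing. The sample lines are constructed from the log above.

```python
"""Triage of a HijackThis 1.99.1 log.

Added example for this thread, not HijackThis's own code. It parses the R/F/O
entries and flags what a helper reads first. The F2 rule rests on the fact that
Winlogon's default Shell value is just Explorer.exe; the DLL-name rule and its
threshold are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
F2 - REG:system.ini: Shell=Explorer.exe taskmgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [2chkdsk] -rundll32.exe "C:\WINDOWS\system32\dhbamrlf.dll",setvm
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NetLimiter (nlsvc) - Unknown owner - -"C:\Program Files\NetLimiter 2 Pro\nlsvc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<entry>\S+))?', re.I)
VOWELS = set("aeiou")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "F2", "O4", "O23"
    reason: str  # why the line deserves a look
    line: str    # the original log line


def looks_random(filename: str) -> bool:
    """Assumed heuristic: an all-lowercase, letters-only stem with few vowels,
    the pattern of the DLLs removed later in this thread (vtsqr, treemymk)."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 5 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.35


def check_shell(kind, body, line):
    # Default Winlogon shell is Explorer.exe alone; extra tokens are extra programs.
    m = re.search(r"Shell=(.*)$", body)
    if not m:
        return None
    extra = [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
    if extra:
        return Finding(kind, "Winlogon Shell starts more than Explorer.exe: " + ", ".join(extra), line)
    return None


def check_run_entry(kind, body, line):
    # Only Run entries that go through rundll32 are examined here.
    m = RUNDLL_RE.search(body)
    if not m:
        return None
    dll = m.group("dll").replace("/", "\\")
    name = dll.rsplit("\\", 1)[-1]
    if "\\system32\\" in dll.lower() and looks_random(name):
        return Finding(kind, f"rundll32 loads randomly named DLL {name} from system32", line)
    return None


def check_service(kind, body, line):
    if "(file missing)" in body:
        return Finding(kind, "service points at a missing binary (often an uninstall leftover)", line)
    return None


CHECKS = {"F2": check_shell, "O4": check_run_entry, "O23": check_service}


def triage(log_text: str) -> list:
    """Return the Finding objects for every flagged entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("kind"))
        if check:
            f = check(m.group("kind"), m.group("body"), line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
```

Run against the sample it reports three entries: the F2 Shell line, the 2chkdsk rundll32 entry and the missing NetLimiter service binary; the NvCpl and nod32kui entries pass.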

Rhox
12 March 2007, 13:39
This is the NOD32 message as a picture:
http://pix.nofrag.com/a5/fb/de48d28d10ed1d972c7ddea4f753t2.jpg
Found on a French site

This is my AVG Anti-Spyware report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 16:25:35 12-3-2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : No action taken.
:mozilla.106:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.107:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.108:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.112:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.113:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.114:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.115:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.119:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adengage : No action taken.
:mozilla.170:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.171:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.85:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.86:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.175:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.18:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.19:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.20:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.21:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.67:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Etracker : No action taken.
:mozilla.151:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.152:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.153:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.154:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.155:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.61:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.62:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\RhoX\Cookies\rhox@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.51:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.53:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.54:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.55:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.58:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.59:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.60:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.79:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.80:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.16:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.26:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.27:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.28:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.29:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.32:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.33:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.34:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.35:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.187:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.188:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.179:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.22:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.23:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.24:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.25:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.30:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

Jurgenv1
12 March 2007, 17:11
Are you sure you removed everything with AVG Anti-Spyware? Because it says 'No action taken' every time.

* Download Dr.Web CureIt to your desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click drweb-cureit.exe and allow it to start the express scan.
This will scan the files currently loaded in memory, and when something is found, click the Yes to all button at the question 'cure it?'. This is only a short scan.
Once the short scan has finished, click Options > Change Settings
Choose the "Scan" tab and uncheck "Heuristic analysis"
Back in the main window you can select the drives you want to scan.
Select all drives here. A red dot will then appear on the drives you are scanning.
Then click the green arrow on the right to start the scan.
Click 'Yes to all' when asked to perform cure or move.
When the scan is done, check whether you can click the following icon next to what was found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the icon just below it and choose: Move incurable, as you will see in the following image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move the files to the folder %userprofile%\DoctorWeb\quarantaine-folder if they cannot be disinfected. (This is in case we need samples.)
After selecting the above, in the menu at the top of Dr.Web CureIt, click File and choose Save report list. Save the log to your desktop.
Then close Dr.Web CureIt.
Restart your computer!! Important step, because Dr.Web CureIt may move/delete files during the restart.
After restarting, copy and paste the contents of the log you saved earlier into your next post.

Rhox
12 March 2007, 19:13
This was in the log file

vtsqr.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
XM3GN0BA.NQF;C:\Program Files\ESET\infected;Adware.TopSearch;Incurable.Moved.;

I'm now scanning with AVG antivirus and it is finding the same viruses again, including Proxy.Small with a high risk.
This is the report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:21:36 12-3-2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
:mozilla.118:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.119:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.120:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.121:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.28:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.31:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.33:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.176:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.177:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.100:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.99:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.181:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\RhoX\Cookies\rhox@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.17:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.18:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.19:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.20:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\RhoX\Cookies\rhox@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.81:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Etracker : Cleaned.
:mozilla.157:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.158:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.159:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.160:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.161:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.75:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.76:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.27:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.22:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\RhoX\Cookies\rhox@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.65:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.67:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.68:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.69:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.72:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.73:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.74:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.93:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.94:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.16:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.40:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.41:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.42:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.43:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.46:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.47:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.48:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.49:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.193:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.194:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.185:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.36:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.37:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.38:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.39:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.44:C:\Documents and Settings\RhoX\Application Data\Mozilla\Firefox\Profiles\3h2kugxo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

Jurgenv1
12 March 2007, 20:20
Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to start it.
Click the Scan for Vundo button.
Once it has finished scanning, click the Remove Vundo button.
You will get a prompt asking whether you want the files to be removed; click YES
After you click Yes, the icons on your desktop will disappear while Vundo is being removed.
When it is finished you will get a message that it will shut down your PC; click OK.
Restart your PC.
Post the contents of C:\vundofix.txt and a new HijackThis log in your next post.

Note: It is possible that VundoFix found a file that could not be removed.
In that case VundoFix will start again after your PC restarts. Then you have to carry out the instructions above once more, starting from: "Click the Scan for Vundo."

Rhox
12 March 2007, 21:02
VundoFix V6.3.15

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 20:35:29 12-3-2007

Listing files found while scanning....

C:\WINDOWS\system32\rqstv.bak1
C:\WINDOWS\system32\rqstv.bak2
C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\rqstv.tmp
C:\WINDOWS\system32\treemymk.dll
C:\WINDOWS\system32\vtsqr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rqstv.bak1
C:\WINDOWS\system32\rqstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqstv.bak2
C:\WINDOWS\system32\rqstv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\rqstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\rqstv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqstv.tmp
C:\WINDOWS\system32\rqstv.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsqr.dll
C:\WINDOWS\system32\vtsqr.dll Has been deleted!

Performing Repairs to the registry.
Done!

When my PC started up I got the same warning from NOD32 about TrojanProxy.Dlena again.

Jurgenv1
12 March 2007, 21:30
Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to your desktop.
Double-click it to start the program.
In the window that appears, type a Y to start the cleaning process.
Follow the instructions on the screen.
When the tool is finished, a log file (combofix.txt) opens. Post the contents of this file together with a new HijackThis log.

Rhox
12 March 2007, 21:53
"RhoX" - 07-03-12 21:48:53 Service Pack 2
ComboFix 07-03-13.3 - Running from: "C:\Documents and Settings\RhoX\Bureaublad\Firefox Downloads"

((((((((((((((((((((((((((((((( Files Created from 2007-02-12 to 2007-03-12 ))))))))))))))))))))))))))))))))))


2007-03-12 20:35 <DIR> d-------- C:\VundoFix Backups
2007-03-12 17:40 <DIR> d-------- C:\DOCUME~1\RhoX\DoctorWeb
2007-03-12 14:15 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2007-03-12 14:15 128,232 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-12 04:10 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-03-12 04:04 <DIR> d-------- C:\Program Files\MSBuild
2007-03-12 04:02 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-03-12 03:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-03-12 03:52 <DIR> dr-h----- C:\MSOCache
2007-03-12 03:26 3,322 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-12 00:19 <DIR> d-------- C:\Program Files\iTunes
2007-03-12 00:19 <DIR> d-------- C:\Program Files\iPod
2007-03-12 00:16 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-11 23:03 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-03-11 23:03 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-03-11 23:03 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-03-11 22:03 0 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-03-11 21:17 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-11 20:37 <DIR> dr-h----- C:\DOCUME~1\RhoX\Onlangs geopend
2007-03-10 01:04 0 --a------ C:\WINDOWS\antivir_workstation_win7u_de_h.exe
2007-03-10 01:03 37,071,691 ---hs---- C:\WINDOWS\taskmgr.exe
2007-03-10 00:35 90,396 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\firstlsp.reg.dat
2007-03-07 14:37 <DIR> d-------- C:\DOCUME~1\RhoX\APPLIC~1\Comodo
2007-03-07 14:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-03-06 22:42 75,520 --a------ C:\WINDOWS\system32\drivers\cmdmon.sys
2007-03-06 22:42 51,328 --a------ C:\WINDOWS\system32\drivers\inspect.sys
2007-03-06 22:42 <DIR> d-------- C:\Program Files\Comodo
2007-03-05 10:55 <DIR> d-------- C:\DOCUME~1\RhoX\APPLIC~1\Command & Conquer 3 Tiberium Wars Demo
2007-03-05 10:48 <DIR> d-------- C:\Program Files\Electronic Arts
2007-02-28 13:15 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-02-27 13:56 <DIR> dr-h----- C:\DOCUME~1\RhoX\APPLIC~1\SecuROM
2007-02-27 01:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-02-21 15:22 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-02-21 13:04 <DIR> d-------- C:\Program Files\Tor
2007-02-21 13:04 <DIR> d-------- C:\DOCUME~1\RhoX\APPLIC~1\Tor
2007-02-20 22:45 <DIR> d-------- C:\DOCUME~1\RhoX\GUIFormExamples
2007-02-20 22:40 <DIR> d-------- C:\DOCUME~1\RhoX\.netbeans
2007-02-20 22:38 <DIR> d-------- C:\Program Files\netbeans-5.5


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-12 16:22 -------- d-------- C:\DOCUME~1\RhoX\APPLIC~1\utorrent
2007-03-12 14:14 -------- d---s---- C:\DOCUME~1\RhoX\APPLIC~1\microsoft
2007-03-12 04:04 -------- d-------- C:\Program Files\microsoft works
2007-03-12 00:20 -------- d-------- C:\DOCUME~1\RhoX\APPLIC~1\apple computer
2007-03-12 00:19 -------- d-------- C:\Program Files\quicktime
2007-03-10 00:11 -------- d-------- C:\Program Files\Common Files\stardock
2007-03-10 00:10 2560 --a------ C:\WINDOWS\_msrstrt.exe
2007-03-10 00:06 -------- d-------- C:\Program Files\asus
2007-03-10 00:02 -------- d--h----- C:\Program Files\installshield installation information
2007-02-27 01:57 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-02-27 01:52 -------- d-------- C:\Program Files\Common Files\installshield
2007-02-21 01:29 -------- d-------- C:\Program Files\pacificpoker
2007-02-13 14:52 -------- d-------- C:\Program Files\msn messenger
2007-01-30 19:08 -------- d-------- C:\DOCUME~1\RhoX\APPLIC~1\openoffice.org2
2007-01-25 02:12 -------- d-------- C:\DOCUME~1\RhoX\APPLIC~1\adobeum
2007-01-23 23:17 -------- d-------- C:\DOCUME~1\RhoX\APPLIC~1\limewire
2007-01-23 23:05 -------- d-------- C:\Program Files\mirc
2007-01-22 18:06 -------- d-------- C:\Program Files\mathtype
2007-01-22 00:27 131072 --a------ C:\WINDOWS\system32\spoonuninstall.exe
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-14 19:22 -------- d-------- C:\DOCUME~1\RhoX\APPLIC~1\macromedia
2007-01-13 00:43 75474 --a------ C:\WINDOWS\system32\perfc013.dat
2007-01-13 00:43 498208 --a------ C:\WINDOWS\system32\perfh013.dat
2006-12-12 17:30 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-12-12 17:30 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 17:30 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 17:30 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-12-12 17:30 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 17:25 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 17:25 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 17:25 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 17:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 17:25 635486 --a------ C:\WINDOWS\system32\divx.dll
2006-12-12 17:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2006-12-12 17:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 17:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2006-12-12 17:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 17:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 17:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 17:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 17:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll
2006-12-12 17:24 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ASUS SmartDoctor"="-C:\\Program Files\\ASUS\\SmartDoctor\\SmartDoctor.exe /start"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"JMB36X Configure"="-C:\\WINDOWS\\System32\\JMRaidTool.exe boot"
"SunJavaUpdateSched"="-\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Logitech Hardware Abstraction Layer"="-KHALMNPR.EXE"
"COMODO Firewall Pro"="-\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"NvCplDaemon"="-RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"2chkdsk"="-rundll32.exe \"C:\\WINDOWS\\system32\\dhbamrlf.dll\",setvm"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"NodLogin"="-C:\\Program Files\\Eset\\nodlogin.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SkyTel"="SkyTel.EXE"
"RTHDCPL"="-RTHDCPL.EXE"
"nwiz"="-nwiz.exe /install"
"NvMediaCenter"="-RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Alcmtr"="-ALCMTR.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="taskmgr"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\taskmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GrooveMonitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="-C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="-\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="-\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe\" AcPro7_0_8 -reboot 1"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B07CB267-5E6F-441F-9B3C-324EFE70F897}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjghh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
Shell\AutoRun\command I:\SCDAAutorun.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-12 21:51:19


Logfile of HijackThis v1.99.1
Scan saved at 21:52:31, on 12-3-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
D:\MATLAB701\webserver\bin\win32\matlabserver.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CyberLink\PowerVCRII\PVCR.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\RhoX\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B07CB267-5E6F-441F-9B3C-324EFE70F897} - C:\WINDOWS\system32\qomjghh.dll (file missing)
O2 - BHO: (no name) - {EC7B2BEE-BDE9-4820-BF5C-A1B4ECD92F64} - C:\WINDOWS\system32\vtsqr.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [JMB36X Configure] -C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] -KHALMNPR.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] -"C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] -RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [2chkdsk] -rundll32.exe "C:\WINDOWS\system32\dhbamrlf.dll",setvm
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NodLogin] -C:\Program Files\Eset\nodlogin.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] -RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] -nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] -RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alcmtr] -ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] -C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164322028452
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: qomjghh - qomjghh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - -"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - -"C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - -"C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - -"C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - D:\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Unknown owner - -"C:\Program Files\NetLimiter 2 Pro\nlsvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Messenger USN Journal Reader service voor Gedeelde mappen (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe (file missing)

Jurgenv1
12 March 2007, 22:10
* Download and unzip Killbox (http://www.downloads.subratam.org/KillBox.exe) to your desktop.
Click killbox.exe.
Select the option "Delete on reboot".
In the field "Full Path of File to Delete", copy and paste the following:

C:\WINDOWS\taskmgr.exe

Click the button: single file (!Important!)

Then click the red circle with the white cross in it.
Killbox will say that this file will be deleted on reboot and ask whether to reboot now. Click YES.

Your PC should now reboot.

Open Notepad.
Copy the bold text below and paste it into a new document.



REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B07CB267-5E6F-441F-9B3C-324EFE70F897}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjghh]


Choose File -> Save
Under "Save in", select: Desktop
Under "File name", enter: fix.reg
Under "Save as type", select: All files
Click "Save".

Double-click fix.reg, which is now on your desktop.
Agree to the data being added to the registry.

Then restart your PC, run VundoFix once more and post its report here with a new HijackThis log.