stap 1 is helemaal gelukt!!! (alleen o20 stond er niet bij, dus ga ik ervan uit dat die er niet meer is...)
stap 2:
[hjt]
combofix 11-08-22.02 - hein beihuisen 22-08-2011 13:27:30.1.2 - x86
microsoft windows xp home edition 5.1.2600.3.1252.31.1043.18.511.106
[gmt 2:00]
gestart vanuit:
c:\documents and settings\hein beihuisen\bureaublad\combofix.exe
.
.
(((((((((((((((((((((((((((((((((( andere verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\beheerder\application data\hbtools
c:\documents and settings\hein beihuisen\windows
c:\documents and settings\hein beihuisen\application data\hbtools
c:\documents and settings\hein beihuisen\application data\hbtools\v3.0\hbtools\static\1\btntrans.idx
c:\documents and settings\hein beihuisen\windows
c:\documents and settings\stefan\application data\hbtools
c:\documents and settings\stefan\application data\hbtools\reports.txt
c:\documents and settings\stefan\windows
c:\windows\isun0413.exe
c:\xcrashdump.dat
.
.
(((((((((((((((((((( bestanden gemaakt van 2011-07-22 to 2011-08-22 ))))))))))))))))))))))))))))))
.
.
2011-08-22 09:37 . 2011-08-22 09:37 54016 ----a-w-
c:\windows\system32\drivers\dwlmg.sys
2011-08-22 08:23 . 2011-08-22 08:23 388096 ----a-r-
c:\documents and settings\hein beihuisen\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\hijackthis.exe
2011-08-11 18:37 . 2011-08-11 18:37 -------- d-----w- c:\documents and settings\hein beihuisen\application data\malwarebytes
2011-08-11 18:36 . 2011-07-06 17:52 41272 ----a-w-
c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-11 18:36 . 2011-08-11 18:36 -------- d-----w- c:\documents and settings\all users\application data\malwarebytes
2011-08-11 18:36 . 2011-07-06 17:52 22712 ----a-w-
c:\windows\system32\drivers\mbam.sys
2011-08-11 18:36 . 2011-08-11 18:36 -------- d-----w- c:\program files\malwarebytes' anti-malware
2011-08-11 11:05 . 2011-06-24 14:10 139656 -c----w-
c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 17:31 . 2011-07-08 14:02 10496 -c----w-
c:\windows\system32\dllcache\ndistapi.sys
2011-08-07 19:06 . 2011-08-07 19:06 1409 ----a-w- c:\windows\qtfont.for
.
.
.
((((((((((((((((((((((((((((((((((((((( find3m rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2003-10-05 18:52 456320 ----a-w-
c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2003-10-05 18:52 10496 ----a-w-
c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2003-10-05 09:58 139656 ----a-w-
c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:31 . 2006-06-23 11:29 916480 ----a-w-
c:\windows\system32\wininet.dll
2011-06-23 18:31 . 2003-10-05 18:52 43520 ----a-w-
c:\windows\system32\licmgr10.dll
2011-06-23 18:31 . 2003-10-05 18:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 07:55 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-10-05 18:52 293888 ----a-w-
c:\windows\system32\winsrv.dll
2011-06-06 11:35 . 2003-10-05 18:52 1859072 ----a-w-
c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( reg opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
regedit4
.
[hkey_local_machine\software\microsoft\windows\currentversion\run]
"prismsta.exe"="prismsta.exe start"
[x]
"cmaudio"="cmicnfg.cpl"
[2003-09-12 2244608]
"chotkey"="mhotkey.exe"
[2003-06-27 506368]
"ledpointer"="cnyhkey.exe"
[2003-06-27 5798912]
"dit"="dit.exe"
[2002-08-28 73728]
"pcmservice"=
c:\program files\medion home cinema xl ii\powercinema\pcmservice.exe [2003-06-24 61440]
"microsoft works update detection"=
c:\program files\common files\microsoft shared\works shared\wkufind.exe [2003-06-09 50688]
"tkbellexe"=
c:\program files\common files\real\update_ob\realsched.exe [2003-10-06 151597]
"pinnacledrivercheck"=
c:\windows\system32\psdrvcheck.exe [2003-05-28 394240]
"kpn"=
c:\program files\kpn\bin\sprtcmd.exe [2007-10-23 198184]
"quicktime task"=
c:\program files\quicktime\qttask.exe [2007-10-19 286720]
"kpnassistentupdater"=
c:\program files\kpn\kpn update\kpnassistentupdater.exe [2010-08-24 1964928]
"nwiz"=
c:\program files\nvidia corporation\nview\nwiz.exe [2010-07-07 1753192]
"nvmediacenter"="c:\windows\system32\nvmctray.dll"
[2010-07-09 110696]
"nvcpldaemon"=
c:\windows\system32\nvcpl.dll [2010-07-09 13923432]
"malwarebytes' anti-malware (reboot)"=
c:\program files\malwarebytes' anti-malware\mbam.exe [2011-07-06 1047656]
.
[hkey_users\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=
c:\windows\system32\ctfmon.exe [2008-04-14 15360]
.
c:\documents and settings\hein beihuisen\menu start\programma's\opstarten\
onenote 2007 schermopname en snel starten.lnk -
c:\program files\microsoft office\office12\onenotem.exe [2009-2-26 97680]
onenote-inhoudsopgave.onetoc2
[2010-1-25 3656]
.
c:\documents and settings\hein beihuisen\menu start\programma's\opstarten\
registration-instantcopy.lnk -
c:\program files\pinnacle\shared files\instantcddvd\pixie\regtool.exe [2002-9-26 245760]
.
c:\documents and settings\all users\menu start\programma's\opstarten\
adobe reader speed launch.lnk -
c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe [n/a]
picture package menu.lnk -
c:\program files\sony corporation\picture package\picture package menu\sonytray.exe [n/a]
picture package vcd maker.lnk -
c:\program files\sony corporation\picture package\picture package applications\residence.exe [n/a]
.
[hkey_local_machine\software\microsoft\security center\monitoring]
"disablemonitoring"=dword:00000001
.
[hkey_local_machine\software\microsoft\security center\monitoring\symantecantivirus]
"disablemonitoring"=dword:00000001
.
[hkey_local_machine\software\microsoft\security center\monitoring\symantecfirewall]
"disablemonitoring"=dword:00000001
.
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
%windir%\\system32\\sessmgr.exe=
d:\\spelletjes\\gp3.exe=
c:\\windows\\system32\\dplaysvr.exe=
d:\\spelletjes 3\\riskii.exe=
%windir%\\network diagnostic\\xpnetdiag.exe=
c:\\program files\\kpn\\agent\\bin\\bcont.exe=
c:\\program files\\messenger\\msmsgs.exe=
c:\\program files\\microsoft office\\office12\\onenote.exe=
c:\\program files\\sony ericsson\\sony ericsson media manager\\mediamanager.exe=
.
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"3389:tcp"= 3389:tcp
xpsp2res.dll,-22009
.
r0 symds;symantec data store;
c:\windows\system32\drivers\n360\0403000.005\symds.sys [25-3-2011 14:15 328752]
r0 symefa;symantec extended file attributes;
c:\windows\system32\drivers\n360\0403000.005\symefa.sys [25-3-2011 14:15 173104]
r1 bhdrvx86;bhdrvx86;
c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110812.001\bhdrvx86.sys [19-8-2011 19:08 815736]
r1 cchp;symantec hash provider;
c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [25-3-2011 14:15 501888]
r1 symiron;symantec iron driver;
c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [25-3-2011 14:15 116784]
r2 logwatch;event log watch;
c:\program files\ca\sharedcomponents\ca_lic\logwatnt.exe [20-9-2002 18:29 53248]
r2 n360;norton 360;
c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [25-3-2011 14:14 126392]
r2 sprtsvc_kpn;supportsoft sprocket service (kpn);
c:\program files\kpn\bin\sprtsvc.exe [23-10-2007 12:36 202016]
r3 eraserutilrebootdrv;eraserutilrebootdrv;
c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys [28-7-2011 13:39 105592]
r3 idsxpx86;idsxpx86;
c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110819.030\idsxpx86.sys [20-8-2011 20:46 355256]
r3 prism_a00;prism 802.11g driver;
c:\windows\system32\drivers\prisma00.sys [10-9-2003 13:22 362688]
r3 seehcri;sony ericsson seehcri device driver;
c:\windows\system32\drivers\seehcri.sys [27-2-2010 19:45 27632]
s2 gupdate1c98f576dc1f808;google update service (gupdate1c98f576dc1f808);
c:\program files\google\update\googleupdate.exe [15-2-2009 12:23 133104]
s3 ca_lic_clnt;ca license client;
c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [20-9-2002 18:27 77824]
s3 ca_lic_srvr;ca license server;
c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe [20-9-2002 18:41 77824]
s3 gupdatem;google update-service (gupdatem);
c:\program files\google\update\googleupdate.exe [15-2-2009 12:23 133104]
s3 mbamswissarmy;mbamswissarmy;
c:\windows\system32\drivers\mbamswissarmy.sys [11-8-2011 20:36 41272]
s3 phtvtune;medion tv-tuner 7134 mk2/3;
c:\windows\system32\drivers\phtvtune.sys [12-6-2003 8:47 24704]
s3 se1008mdm;sony ericsson se1008 mobile device full usb driver;
c:\windows\system32\drivers\se1008mdm.sys [18-7-2009 9:09 58536]
.
inhoud van de 'gedeelde taken' map
.
2011-08-08
c:\windows\tasks\applesoftwareupdate.job
-
c:\program files\apple software update\softwareupdate.exe [2007-08-29 12:57]
.
2011-08-22
c:\windows\tasks\googleupdatetaskmachinecore.job
-
c:\program files\google\update\googleupdate.exe [2009-02-15 10:23]
.
2011-08-22
c:\windows\tasks\googleupdatetaskmachineua.job
-
c:\program files\google\update\googleupdate.exe [2009-02-15 10:23]
.
2011-08-11
c:\windows\tasks\norton security scan for hein beihuisen.job
-
c:\program files\norton security scan\norton security scan\engine\2.7.3.34\nss.exe [2010-04-28 07:48]
.
.
------- bijkomende scan -------
.
ustart page = hxxp://www.startpagina.nl/
ie: e&xporteren naar microsoft excel -
c:\progra~1\micros~4\office12\excel.exe/3000
ie: google sidewiki... -
c:\program files\google\google toolbar\component\googletoolbardynamic_mui_en_e11712c84ea7e12b.dll/cmsidewiki.html
tcp: dhcpnameserver = 192.168.2.254
dpf: directanimation java classes - file://c:\windows\java\classes\dajava.cab
dpf: microsoft xml parser for java - file://c:\windows\java\classes\xmldso.cab
.
- - - - orphans verwijderd - - - -
.
hkcu-run-msnmsgr -
c:\program files\windows live\messenger\msnmsgr.exe
addremove-adobe acrobat 5.0 -
c:\windows\isun0413.exe
addremove-microsoft interactive training -
c:\windows\isun0413.exe
addremove-nova 3havo vwo na -
c:\windows\isun0413.exe
addremove-nvidia display control panel -
c:\program files\nvidia corporation\uninstall\nvuninst.exe
addremove-slabcomm&10c4&ea60 -
c:\windows\system32\silabs\driveruninstaller.exe vcp cp210x cardinal\slabcomm&10c4&ea60
addremove-uninstall_is1 -
c:\program files\common files\dvdvideosoft\unins000.exe
addremove-
{6b103f43-069c-11d6-9ea2-0050bae317e1} -
c:\program files\uninstall_pcm.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 w2k/xp/vista - rootkit/stealth malware detector by gmer,
[noparse]http://www.gmer.net[/noparse]
rootkit scan 2011-08-22 13:43
windows 5.1.2600 service pack 3 ntfs
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
[hkey_local_machine\system\controlset001\services\n360]
"imagepath"="\
c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe\" /s \"n360\" /m \
c:\program files\norton 360\engine\4.3.0.5\dimaster.dll\" /prefetch:1"
.
voltooingstijd: 2011-08-22 13:49:54
combofix-quarantined-files.txt 2011-08-22 11:49
.
pre-run: 45.658.361.856 bytes beschikbaar
post-run: 45.887.909.888 bytes beschikbaar
.
windowsxp-kb310994-sp2-home-bootdisk-nld.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
c:\cmdcons\bootsect.dat="microsoft windows recovery console" /cmdcons
unsupporteddebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\windows="microsoft windows xp home edition" /fastdetect /noexecute=optin
.
- - end of file - - 0afcd49441b37cf245ea59019b466c1c
[/hjt]