Vraag & Antwoord

Beveiliging & privacy

W32.HLLW.Gaobot.gen waarschuwing komt steeds terug

8 antwoorden
  • hallo, Alles gedaan. Een patch van windows gedownloaded. Dus keurig al de handelingen ook via norton opgevolgd. Dit virus blijft me achtervolgen. Als ik hem scan met norton herkent norton hem niet als een virus. Er zit ook een test file bij. Als het me lukt hem op te sturen naar norton lijkt het dat hij niet gevaarlijk is.... Ook de speciale virus scan gedaan voor dit bestand. Wie kan me iets meer vertellen over deze worm. Heb ik een af andere poort open staan? Ik heb een fire wall ook van norton. Jan :(
  • Download [url=http://www.spywareinfo.com/~merijn/files/HijackThis.exe]HijackThis[/url]. Sla het bestand op in een eigen map. Niet op je bureaublad of in je Temp-files. HijackThis maak namelijk backups in de map waar het opgestart wordt. Run het programma. Klik op scan, save log en sla het log op als een .txt bestand. Kopieer en plak de inhoud in je volgende bericht. Dan halen we het zo weg voor je.
  • Logfile of HijackThis v1.97.7 Scan saved at 21:11:47, on 27-4-2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe C:\Program Files\Norton Personal Firewall\NISUM.EXE C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Norton Personal Firewall\SymProxySvc.exe C:\Program Files\Norton Personal Firewall\NISSERV.EXE C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Norton Personal Firewall\IAMAPP.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe C:\WINDOWS\System32\qttask.exe C:\WINDOWS\System32\windows.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Messenger\msmsgs.exe C:\Program Files\eMule\emule.exe C:\Program Files\Soulseek\slsk.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Temp\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ecpm.com/searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ecpm.com/searchbar.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ecpm.com/searchbar.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ecpm.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ecpm.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ecpm.com/searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\3.bin\MYSRCHAS.DLL O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\7.bin\MYBAR.DLL O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - c:\lotus\organize\iehelper.dll O2 - BHO: (no name) - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\DOCUME~1\Mary\APPLIC~1\ooufrstteadr.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\7.bin\MYBAR.DLL O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe O4 - HKLM\..\Run: [windows] C:\WINDOWS\System32\windows.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O9 - Extra button: Create Mobile Favorite (HKLM) O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM) O9 - Extra button: Onderzoek (HKLM) O9 - Extra button: Web Entry (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} - http://www.thepaymentcentre.com/build/preload.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1083077796526 O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37612.0949074074 O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014061.exe O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.geonet.st/accesso/dialit/allact.exe O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ecpm.com O17 - HKLM\Software\..\Telephony: DomainName = ecpm.com O17 - HKLM\System\CCS\Services\Tcpip\..\{2097F46F-529A-4710-A6C2-A8AD17615184}: Domain = ecpm.com O17 - HKLM\System\CCS\Services\Tcpip\..\{449C1D06-F6EE-4114-857F-6B685C3A5100}: Domain = ecpm.com O17 - HKLM\System\CCS\Services\Tcpip\..\{ECFE2F51-3894-4C7C-83D7-D0A5B1D644BA}: NameServer = 195.121.1.34 195.121.1.66 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ecpm.com O17 - HKLM\System\CS1\Services\Tcpip\..\{2097F46F-529A-4710-A6C2-A8AD17615184}: Domain = ecpm.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ecpm.com O17 - HKLM\System\CS2\Services\Tcpip\..\{2097F46F-529A-4710-A6C2-A8AD17615184}: Domain = ecpm.com
  • Hallo dorus, Dit proces moet je beëindigen met de taskmanager (CTR+ALT+DEL): C:\WINDOWS\System32\windows.exe Dan HijackThis uit de temp-map..... Sla HijackThis op in een eigen map. Niet op je bureaublad of in je Temp-files. HijackThis maakt namelijk backups in de map waar het opgestart wordt. Sluit alle open vensters, run HijackThis nog een keer en laat volgende items repareren: [b:93344dcbc4] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ecpm.com/searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ecpm.com/searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ecpm.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ecpm.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ecpm.com/searchbar.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ecpm.com/searchbar.html O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\3.bin\MYSRCHAS.DLL O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\7.bin\MYBAR.DLL O2 - BHO: (no name) - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\DOCUME~1\Mary\APPLIC~1\ooufrstteadr.dll O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\7.bin\MYBAR.DLL O4 - HKLM\..\Run: [windows] C:\WINDOWS\System32\windows.exe O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} - http://www.thepaymentcentre.com/build/preload.cab O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014061.exe O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.geonet.st/accesso/dialit/allact.exe O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ecpm.com O17 - HKLM\Software\..\Telephony: DomainName = ecpm.com O17 - HKLM\System\CCS\Services\Tcpip\..\{2097F46F-529A-4710-A6C2-A8AD17615184}: Domain = ecpm.com O17 - HKLM\System\CCS\Services\Tcpip\..\{449C1D06-F6EE-4114-857F-6B685C3A5100}: Domain = ecpm.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ecpm.com O17 - HKLM\System\CS1\Services\Tcpip\..\{2097F46F-529A-4710-A6C2-A8AD17615184}: Domain = ecpm.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ecpm.com O17 - HKLM\System\CS2\Services\Tcpip\..\{2097F46F-529A-4710-A6C2-A8AD17615184}: Domain = ecpm.com [/b:93344dcbc4] Als je dit gedaan hebt [url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406]start je de computer op in veilige modus[/url]. Zorg dat alle [url=http://www.xtra.co.nz/help/0,,4155-1916458,00.html]verborgen bestanden weergegeven worden[/url], en verwijder de volgende bestanden of mappen indien aanwezig: C:\WINDOWS\System32\windows.exe <----dit bestand Reboot. Schakel systeemherstel uit en scan je computer met een up-to-date virusscanner. (of online) Reboot Schakel systeemherstel weer in, run HijackThis nog een keer en post een nieuwe log. Marc
  • Logfile of HijackThis v1.97.7 Scan saved at 22:11:58, on 27-4-2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Norton Personal Firewall\IAMAPP.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe C:\WINDOWS\System32\qttask.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe C:\Program Files\Norton Personal Firewall\NISUM.EXE C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Norton Personal Firewall\SymProxySvc.exe C:\Program Files\Norton Personal Firewall\NISSERV.EXE C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Messenger\msmsgs.exe C:\eigen\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - c:\lotus\organize\iehelper.dll O2 - BHO: (no name) - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\DOCUME~1\Mary\APPLIC~1\ooufrstteadr.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O9 - Extra button: Create Mobile Favorite (HKLM) O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM) O9 - Extra button: Onderzoek (HKLM) O9 - Extra button: Web Entry (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab Ziet er schoon uit melding komt nog steeds
  • deze moeten er nog uit: [b:fa1d8d5db6]O2 - BHO: (no name) - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\DOCUME~1\Mary\APPLIC~1\ooufrstteadr.dll O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm[/b:fa1d8d5db6] Wanneer krijg je de melding? edit: Maak ook je temp-files eens leeg..
  • Ik krijg de melding als ik internet verbinding maak. Ik snap het programma. Ik probeer nog meer weg te halen wat ik niet ken Jan bedankt voor je hulp trouwens
  • Jan, Wel opletten wat je er uit gooit.... Verder zie ik niks verdachts meer in je log.

Beantwoord deze vraag

Weet jij het antwoord op deze vraag? Registreer of meld je aan met je account

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.