Remove trojan?

Anonymous
Jos H
7 answers
  • Switched to NOD32; it immediately found a trojan that NAV did not fix/see!!!!!!!!!!!
    Installed the latest update, and after scanning this .log file follows.

    Scanning Log
    NOD32 version 1.912 (20041029) NT
    Checking CRC of the NOD32.EXE file: status OK
    Operating memory is OK.
    Error occured while scanning MBR sector of the 2. physical disk. Error reading sector.
    date: 29.10.2004 time: 16:16:49
    Scanned disks, directories and files: C:; D:
    C:\pagefile.sys - error opening (access denied) [4]
    C:\hiberfil.sys - error opening (access denied) [4]
    C:\WINDOWS\system32\msdlupd.dll - Win32/TrojanDownloader.Dyfica.CU trojan
    C:\WINDOWS\system32\config\system.LOG - error opening (file locked) [4]
    C:\WINDOWS\system32\config\software.LOG - error opening (file locked) [4]
    C:\WINDOWS\system32\config\default.LOG - error opening (file locked) [4]
    C:\WINDOWS\system32\config\SAM.LOG - error opening (file locked) [4]
    C:\WINDOWS\system32\config\SECURITY.LOG - error opening (file locked) [4]
    C:\WINDOWS\system32\config\DEFAULT - error opening (file locked) [4]
    C:\WINDOWS\system32\config\SECURITY - error opening (file locked) [4]
    C:\WINDOWS\system32\config\SOFTWARE - error opening (file locked) [4]
    C:\WINDOWS\system32\config\SYSTEM - error opening (file locked) [4]
    C:\WINDOWS\system32\config\SAM - error opening (file locked) [4]
    C:\WINDOWS\Temp\ZLT05d98.TMP - error opening (file locked) [4]
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (file locked) [4]
    C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (file locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (file locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (file locked) [4]
    C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (file locked) [4]
    C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (file locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (file locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (file locked) [4]
    C:\Documents and Settings\Jos\ntuser.dat.LOG - error opening (file locked) [4]
    C:\Documents and Settings\Jos\ntuser.dat - error opening (file locked) [4]
    C:\Documents and Settings\Jos \Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (file locked) [4]
    C:\Documents and Settings\Jos \Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (file locked) [4]
    number of scanned files: 149907
    number of viruses found: 1
    time of completion: 16:29:02 total scanning time: 733 sec (00:12:13)
    Notes:
    [4] File cannot be open. It is being exclusively used by another application or operating system.

    Can I delete msdlupd.dll without running into problems :-?



  • Yes.
  • http://www.giantcompany.com/antispyware/research/spyware/spyware-MoneyTree.aspx

    > MoneyTree may also install a Browser Helper Object (BHO).
    >
    > MoneyTree may also use direct EXE file downloads to distribute the same dialers; this process does not leave an ActiveX control loaded.
    >
    > MoneyTree variants:
    >
    > MoneyTree/NSUpdate: installs nsupdate.dll and NSupd9x.inf in the Downloaded Program Files folder.
    >
    > MoneyTree/NSLite: installs nslite.dll and nslite.inf in the Downloaded Program Files folder.
    >
    > MoneyTree/UniDist: installs UniDist.ocx and UniDist.inf in the Downloaded Program Files folder.
    >
    > MoneyTree/MultiDist: installs MulDist.ocx and MulDist.inf in the Downloaded Program Files folder.
    >
    > MoneyTree/DyFuCA: installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs the InternetOptimizer parasite. The DyFuCA variant typically installs the InternetOptimizer threat which is an error page hijacker for Internet Explorer.
  • > turbulence wrote:
    > http://www.giantcompany.com/antispyware/research/spyware/spyware-MoneyTree.aspx
    >
    > > MoneyTree may also install a Browser Helper Object (BHO).
    > >
    > > MoneyTree may also use direct EXE file downloads to distribute the same dialers; this process does not leave an ActiveX control loaded.
    > >
    > > MoneyTree variants:
    > >
    > > MoneyTree/NSUpdate: installs nsupdate.dll and NSupd9x.inf in the Downloaded Program Files folder.
    > >
    > > MoneyTree/NSLite: installs nslite.dll and nslite.inf in the Downloaded Program Files folder.
    > >
    > > MoneyTree/UniDist: installs UniDist.ocx and UniDist.inf in the Downloaded Program Files folder.
    > >
    > > MoneyTree/MultiDist: installs MulDist.ocx and MulDist.inf in the Downloaded Program Files folder.
    > >
    > > MoneyTree/DyFuCA: installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs the InternetOptimizer parasite. The DyFuCA variant typically installs the InternetOptimizer threat which is an error page hijacker for Internet Explorer.

    Could you perhaps give a bit more explanation about the hyperlinks :-?
  • That's just a site that tells you what kind of trojan it is ..

    One that puts spyware on your PC, that is … by the way, Internet Optimizer can be found in your software section .. so it seems logical to me that MoneyTree will be listed there too …

    Spybot finds it too, I just don't actually know whether it also removes the files … but removing those files is explained just fine on that giant-whatever site :)

    So there will probably also be a load of junk in your Program Files ..

    Otherwise, post a HijackThis log and let them check it for a sec …
  • Had Ad-aware & Spybot scan the system.
    Then installed SpywareBlaster!
    After that installed Spy Sweeper and let it scan.
    It found another 16 pieces of spyware and "180 tracks".
    Just to be safe, here is a HijackThis.log:

    Logfile of HijackThis v1.98.2
    Scan saved at 15:55:25, on 31-10-2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\AutoSizer\AutoSizer.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\ups.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hccnet.nl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hccnet.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hccnet.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O3 - Toolbar: &HCC Hulp - {0BFDDA12-9C1A-46B8-9681-AFF63C2A1EF0} - C:\PROGRA~1\hcchulp\HCCHulp.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe" /h
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.biblioservice.net/msrdp.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F368752-FE48-4A58-8534-1B7F1EE3E58F}: NameServer = 62.251.0.6 62.251.0.7
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1F368752-FE48-4A58-8534-1B7F1EE3E58F}: NameServer = 62.251.0.6 62.251.0.7

    Anything else to fix :-?



  • This one:
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
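
The entry singled out in the last answer is the only O16 (Downloaded Program Files) line in the posted log with no download URL recorded. The following is an added example, not code from any poster in this thread: a small triage script that parses O16 lines from a HijackThis log, lists entries with no recorded source, and groups the rest by download host for manual review. The function names and the "missing source first" heuristic are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.biblioservice.net/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F368752-FE48-4A58-8534-1B7F1EE3E58F}: NameServer = 62.251.0.6 62.251.0.7
"""

# Matches "O16 - DPF: {CLSID} (name) - url" or "O16 - DPF: name - url".
# The url part may be absent, as in the entry flagged in the thread.
O16_RE = re.compile(
    r"^O16 - DPF: (?:(\{[0-9A-Fa-f-]+\}) \((.*)\)|(.+?)) -(?: (\S+))?\s*$"
)

def parse_dpf(log_text):
    """Return one dict per O16 line: clsid (may be None), name, codebase ('' if absent)."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections (R0, O4, O9, O17, ...) are ignored
        clsid, name, alt_name, url = m.groups()
        entries.append({"clsid": clsid, "name": name or alt_name, "codebase": url or ""})
    return entries

def triage(entries):
    """Split entries into those without a download source and a host -> names map."""
    missing, by_host = [], {}
    for e in entries:
        host = urlparse(e["codebase"]).hostname
        if host is None:
            missing.append(e)  # heuristic of this example: review these first
        else:
            by_host.setdefault(host, []).append(e["name"])
    return missing, by_host

if __name__ == "__main__":
    missing, by_host = triage(parse_dpf(SAMPLE_LOG))
    for e in missing:
        print("no source recorded:", e["clsid"], e["name"])
    for host, names in sorted(by_host.items()):
        print(host, "->", ", ".join(names))
```

A missing source is a reason to look the control up, not proof that it is malicious; the hosts in the second list still need to be checked against software the user knowingly installed.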


This is an archived page. Replying is no longer possible.