Op deze website gebruiken we cookies om content en advertenties te personaliseren, om functies voor social media te bieden en om ons websiteverkeer te analyseren. Ook delen we informatie over uw gebruik van onze site met onze partners voor social media, adverteren en analyse. Deze partners kunnen deze gegevens combineren met andere informatie die u aan ze heeft verstrekt of die ze hebben verzameld op basis van uw gebruik van hun services. Meer informatie.

Akkoord

Vraag & Antwoord

Beveiliging & privacy

Hijackthis log: iig W32.Spybot.Worm

M@rc
3 antwoorden
  • Hallo,

    Het betreft de laptop van mijn vader voor zijn werk,
    hij heeft al weken last van dit virus en het is niet weg te halen met Norton, Adaware of Spybot -Search and Destroy- :( .

    Zelf denk ik dat er wel meer troep op staat behalve de worm.
    De laptop is namelijk zo traag als wat en ik heb al 2 keer gedefragmenteerd.

    Dit is voor mij de eerste keer dat ik Hijackthis gebruik :-? ,
    op mijn game-pc voldoen Adaware en Spybot -Search and Destroy- :roll: .

    Alvast bedankt, hier komt de log:

    Logfile of HijackThis v1.98.2
    Scan saved at 19:16:01, on 31-10-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
    C:\Program Files\Norton AntiVirus
    avapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\arsetup.exe
    C:\WINDOWS\System32\NetConfs.exe
    C:\PROGRA~1\ltmoh\Ltmoh.exe
    C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Ad-aware 6\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
    O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
    O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
    O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
    O4 - HKLM\..\Run: [windows monitor] C:\arsetup.exe
    O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\Run: [MSN Messanger] msnmsng.exe
    O4 - HKLM\..\Run: [Networks Configurator] NetConfs.exe
    O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe
    O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe
    O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
    O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
    O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
    O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\RunServices: [MSN Messanger] msnmsng.exe
    O4 - HKLM\..\RunServices: [Networks Configurator] NetConfs.exe
    O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe
    O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
    O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
    O4 - HKCU\..\Run: [MSN Messanger] msnmsng.exe
    O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
    O4 - HKCU\..\RunServices: [MSN Messanger] msnmsng.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
  • Sluit alle open vensters, run HijackThis nog een keer en laat volgende items repareren:
    [b:4a50f2fd93]
    O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
    O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
    O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
    O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
    O4 - HKLM\..\Run: [windows monitor] C:\arsetup.exe
    O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\Run: [MSN Messanger] msnmsng.exe
    O4 - HKLM\..\Run: [Networks Configurator] NetConfs.exe
    O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe
    O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe
    O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
    O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
    O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
    O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
    O4 - HKLM\..\RunServices: [MSN Messanger] msnmsng.exe
    O4 - HKLM\..\RunServices: [Networks Configurator] NetConfs.exe
    O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe
    O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
    O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
    O4 - HKCU\..\Run: [MSN Messanger] msnmsng.exe
    O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
    O4 - HKCU\..\RunServices: [MSN Messanger] msnmsng.exe
    [/b:4a50f2fd93]
    Reboot de computer.

    scan online (liefst beide scanners):
    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm


    Run HijackThis opnieuw en post een nieuwe log.
  • Bedankt voor het antwoord.
    Ik heb gedaan wat u zei en het is mij nu een beetje onduidelijk of het virus is verwijderd :-? .

    Ik heb de locatie van het virus met behulp van de online-virusscanners in ieder geval vastgesteld:
    W32.Spybot.Worm C:\WINDOWS\SYSTEM32\NETCONFS.EXE

    Op de site van Trend Micro stond dan het volgende:

    Solution:



    Identifying the Malware Program

    To remove this malware, first identify the malware program.

    Scan your system with your Trend Micro antivirus product.
    NOTE all files detected as WORM_SPYBOT.BH,
    Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use Housecall, Trend Micro’s free online virus scanner.

    Terminating the Malware Program

    Since this malware terminates the Windows NT and 2000 Task Manager and is invisible on the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware.

    One such utility is Process Explorer from SystInternals. This small program can be downloaded freely from the SysInternals site.
    Once you have downloaded the utility, locate and terminate the process of the file(s) detected earlier.
    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Winsock2 driver = "<malware file detected earlier>"
    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Runonce
    In the right panel, locate and delete the entry:
    Winsock2 driver = "<malware file detected earlier>"
    Close Registry Editor.
    NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system







    Mijn vraag is nu: is het mogelijk om deze stappen over te slaan en de directories die staan aangegeven op te sporen in mijn HijackThis Log en ze via het programma te verwijderen :o ? Of is dit helemaal niet meer nodig omdat het virus al verwijderd is?

    Ik hoop dat alles nog een beetje duidelijk is,
    hier de Hijack This Logfile:

    Logfile of HijackThis v1.98.2
    Scan saved at 21:43:34, on 31-10-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
    C:\Program Files\Norton AntiVirus
    avapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ad-aware 6\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Beantwoord deze vraag

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.