Vraag & Antwoord

Beveiliging & privacy

Hijackthis log: iig W32.Spybot.Worm

3 antwoorden
  • Hallo, Het betreft de laptop van mijn vader voor zijn werk, hij heeft al weken last van dit virus en het is niet weg te halen met Norton, Adaware of Spybot -Search and Destroy- :( . Zelf denk ik dat er wel meer troep op staat behalve de worm. De laptop is namelijk zo traag als wat en ik heb al 2 keer gedefragmenteerd. Dit is voor mij de eerste keer dat ik Hijackthis gebruik :-? , op mijn game-pc voldoen Adaware en Spybot -Search and Destroy- :roll: . Alvast bedankt, hier komt de log: Logfile of HijackThis v1.98.2 Scan saved at 19:16:01, on 31-10-2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Compaq\EAB\EabServr.exe C:\WINDOWS\System32\atiptaxx.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\arsetup.exe C:\WINDOWS\System32\NetConfs.exe C:\PROGRA~1\ltmoh\Ltmoh.exe C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Ad-aware 6\hijackthis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe O4 - HKLM\..\Run: [Micr Update] soundblaster.exe O4 - HKLM\..\Run: [Window Monitor] winmon32.exe O4 - HKLM\..\Run: [windows monitor] C:\arsetup.exe O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe O4 - HKLM\..\Run: [MSN Messanger] msnmsng.exe O4 - HKLM\..\Run: [Networks Configurator] NetConfs.exe O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe O4 - HKLM\..\RunServices: [MSN Messanger] msnmsng.exe O4 - HKLM\..\RunServices: [Networks Configurator] NetConfs.exe O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe O4 - HKCU\..\Run: [Micr Update] soundblaster.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [MSN Messanger] msnmsng.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe O4 - HKCU\..\RunServices: [MSN Messanger] msnmsng.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
  • Sluit alle open vensters, run HijackThis nog een keer en laat volgende items repareren: [b:4a50f2fd93] O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe O4 - HKLM\..\Run: [Micr Update] soundblaster.exe O4 - HKLM\..\Run: [Window Monitor] winmon32.exe O4 - HKLM\..\Run: [windows monitor] C:\arsetup.exe O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe O4 - HKLM\..\Run: [MSN Messanger] msnmsng.exe O4 - HKLM\..\Run: [Networks Configurator] NetConfs.exe O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe O4 - HKLM\..\RunServices: [MSN Messanger] msnmsng.exe O4 - HKLM\..\RunServices: [Networks Configurator] NetConfs.exe O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe O4 - HKCU\..\Run: [Micr Update] soundblaster.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [MSN Messanger] msnmsng.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe O4 - HKCU\..\RunServices: [MSN Messanger] msnmsng.exe [/b:4a50f2fd93] Reboot de computer. scan online (liefst beide scanners): http://housecall.trendmicro.com/housecall/start_corp.asp http://www.pandasoftware.com/activescan/com/activescan_principal.htm Run HijackThis opnieuw en post een nieuwe log.
  • Bedankt voor het antwoord. Ik heb gedaan wat u zei en het is mij nu een beetje onduidelijk of het virus is verwijderd :-? . Ik heb de locatie van het virus met behulp van de online-virusscanners in ieder geval vastgesteld: W32.Spybot.Worm C:\WINDOWS\SYSTEM32\NETCONFS.EXE Op de site van Trend Micro stond dan het volgende: Solution: Identifying the Malware Program To remove this malware, first identify the malware program. Scan your system with your Trend Micro antivirus product. NOTE all files detected as WORM_SPYBOT.BH, Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use Housecall, Trend Micro’s free online virus scanner. Terminating the Malware Program Since this malware terminates the Windows NT and 2000 Task Manager and is invisible on the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware. One such utility is Process Explorer from SystInternals. This small program can be downloaded freely from the SysInternals site. Once you have downloaded the utility, locate and terminate the process of the file(s) detected earlier. Removing Autostart Entries from the Registry Removing autostart entries from the registry prevents the malware from executing during startup. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft> Windows>CurrentVersion>Run In the right panel, locate and delete the entry: Winsock2 driver = "<malware file detected earlier>" In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft> Windows>CurrentVersion>Runonce In the right panel, locate and delete the entry: Winsock2 driver = "<malware file detected earlier>" Close Registry Editor. NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system Mijn vraag is nu: is het mogelijk om deze stappen over te slaan en de directories die staan aangegeven op te sporen in mijn HijackThis Log en ze via het programma te verwijderen :o ? Of is dit helemaal niet meer nodig omdat het virus al verwijderd is? Ik hoop dat alles nog een beetje duidelijk is, hier de Hijack This Logfile: Logfile of HijackThis v1.98.2 Scan saved at 21:43:34, on 31-10-2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Compaq\EAB\EabServr.exe C:\WINDOWS\System32\atiptaxx.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Messenger\msmsgs.exe C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ad-aware 6\hijackthis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Beantwoord deze vraag

Weet jij het antwoord op deze vraag? Registreer of meld je aan met je account

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.