Virus alert vundo.dll

10 answers
  • After a scan, my virus scanner (McAfee) reports a trojan horse named vundo.dll. McAfee then wants to remove it, but I don't believe that actually happens. Every time I start my computer I get a message that my buffer limit is full, that a suspicious process is trying to extend it, and I block it every time. Help? Windows XP, Media Center
  • Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double-click Combofix.exe. Follow the instructions and accept the disclaimer by typing "y" or "Y".
While the fix is running, do NOT click in the window, as this will make your PC hang.
When the fix is complete and after the reboot, the log combofix.txt will open. Post this log in your next reply together with a new HijackThis log.
NOTE: If your virus scanner reacts with a warning about a script being executed, you can ignore it.
  • "Administrator" - 2007-05-28 12:56:13 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Administrator\Bureaublad\"

Rootkit driver xpdt is present. ... attempting disinfection
xpdt ...... driver unloaded successfully.
ADS removed - system32: deleted 78560 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))

2007-05-21 12:15  24,816     --a------  C:\WINDOWS\system32\mdimon.dll
2007-05-21 12:14  <DIR>      d--------  C:\WINDOWS\SHELLNEW
2007-05-21 12:14  <DIR>      d--------  C:\Program Files\Microsoft.NET
2007-05-21 12:08  <DIR>      dr-h-----  C:\MSOCache
2007-05-19 11:15  0          --a------  C:\WINDOWS\system32\dssdll32.dll
2007-05-19 11:13  19,456     --a------  C:\WINDOWS\system32\winbjt32(2).dll
2007-05-11 14:57  <DIR>      d--------  C:\Documents and Settings\Administrator\WINDOWS
2007-05-11 14:57  <DIR>      d--------  C:\DOCUME~1\ADMINI~1\WINDOWS
2007-05-11 13:32  1,048,576  --ah-----  C:\DOCUME~1\tester\ntuser.dat
2007-05-11 13:32  <DIR>      dr-h-----  C:\DOCUME~1\tester\Onlangs geopend
2007-05-11 13:32  <DIR>      dr-------  C:\DOCUME~1\tester\Mijn documenten
2007-05-11 13:32  <DIR>      dr-------  C:\DOCUME~1\tester\Menu Start
2007-05-11 13:32  <DIR>      dr-------  C:\DOCUME~1\tester\Favorieten
2007-05-11 13:32  <DIR>      d--h-----  C:\DOCUME~1\tester\Sjablonen
2007-05-11 13:32  <DIR>      d--------  C:\DOCUME~1\tester\Bureaublad
2007-05-11 13:32  <DIR>      d--------  C:\DOCUME~1\tester\APPLIC~1\SampleView
2007-05-10 23:51  54,272     --a------  C:\WINDOWS\system32\vfwwdm32.dll
2007-05-10 20:17  <DIR>      d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Drivers Headquarters
2007-05-10 11:55  98,304     --a------  C:\WINDOWS\system32\msir3jp.dll
2007-05-10 11:55  9,216      --a------  C:\WINDOWS\system32\kbdnecAT.dll
2007-05-10 11:55  838,144    --a------  C:\WINDOWS\system32\chtbrkr.dll
2007-05-10 11:55  811,064    --a------  C:\WINDOWS\system32\imjp81k.dll
2007-05-10 11:55  8,704      --a------  C:\WINDOWS\system32\kbdjpn.dll
2007-05-10 11:55  8,192      --a------  C:\WINDOWS\system32\kbdkor.dll
2007-05-10 11:55  76,288     --a------  C:\WINDOWS\system32\uniime.dll
2007-05-10 11:55  70,656     --a------  C:\WINDOWS\system32\korwbrkr.dll
2007-05-10 11:55  7,680      --a------  C:\WINDOWS\system32\kbdnecNT.dll
2007-05-10 11:55  7,168      --a------  C:\WINDOWS\system32\kbdnec95.dll
2007-05-10 11:55  7,168      --a------  C:\WINDOWS\system32\kbdibm02.dll
2007-05-10 11:55  7,168      --a------  C:\WINDOWS\system32\f3ahvoas.dll
2007-05-10 11:55  6,656      --a------  C:\WINDOWS\system32\kbdlk41a.dll
2007-05-10 11:55  6,656      --a------  C:\WINDOWS\system32\c_is2022.dll
2007-05-10 11:55  6,144      --a------  C:\WINDOWS\system32\kbdlk41j.dll
2007-05-10 11:55  6,144      --a------  C:\WINDOWS\system32\kbdax2.dll
2007-05-10 11:55  6,144      --a------  C:\WINDOWS\system32\kbd106n.dll
2007-05-10 11:55  6,144      --a------  C:\WINDOWS\system32\kbd106.dll
2007-05-10 11:55  6,144      --a------  C:\WINDOWS\system32\kbd101c.dll
2007-05-10 11:55  6,144      --a------  C:\WINDOWS\system32\kbd101b.dll
2007-05-10 11:55  6,144      --a------  C:\WINDOWS\system32\kbd101a.dll
2007-05-10 11:55  6,144      --a------  C:\WINDOWS\system32\kbd101.dll
2007-05-10 11:55  5,632      --a------  C:\WINDOWS\system32\kbd103.dll
2007-05-10 11:55  218,112    --a------  C:\WINDOWS\system32\c_g18030.dll
2007-05-10 11:55  1,677,824  --a------  C:\WINDOWS\system32\chsbrkr.dll
2007-05-01 10:13  <DIR>      d--------  C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-28 10:50:27  12         ----a-w  C:\WINDOWS\bthservsdp.dat
2007-05-27 14:06:19  12,482     ----a-w  C:\DOCUME~1\ADMINI~1\APPLIC~1\wklnhst.dat
2007-05-19 15:05:33  --------   d-----w  C:\Program Files\Winamp
2007-05-11 14:28:48  81,380     ----a-w  C:\WINDOWS\system32\perfc013.dat
2007-05-11 14:28:48  465,926    ----a-w  C:\WINDOWS\system32\perfh013.dat
2007-05-10 21:42:43  21,081     ----a-w  C:\WINDOWS\system32\drivers\pixmcvv.sys
2007-05-10 21:42:42  98,304     ----a-w  C:\WINDOWS\system32\MpvpxSSE.dll
2007-05-10 21:42:42  32,000     ----a-w  C:\WINDOWS\system32\drivers\pixmcvc.sys
2007-05-10 21:42:42  102,400    ----a-w  C:\WINDOWS\system32\MpvpxX86.dll
2007-05-10 21:42:42  102,400    ----a-w  C:\WINDOWS\system32\MpvpxMMX.dll
2007-05-10 17:23:22  --------   d--h--w  C:\Program Files\InstallShield Installation Information
2007-04-27 10:28:08  --------   d-----w  C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-04-23 16:52:57  --------   d-----w  C:\Program Files\Chopin
2007-04-18 16:15:26  2,854,400  ----a-w  C:\WINDOWS\system32\msi.dll
2007-04-14 20:10:03  --------   d-----w  C:\Program Files\Common Files\Adobe Systems Shared
2007-03-28 07:29:13  64,720     ----a-w  C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-20 19:56:46  0          ----a-w  C:\WINDOWS\PowerReg.dat
2007-03-17 13:45:54  293,376    ----a-w  C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:39:10  579,072    ----a-w  C:\WINDOWS\system32\user32.dll
2007-03-08 15:39:10  40,960     ----a-w  C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:39:10  281,600    ----a-w  C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:37:59  1,843,712  ----a-w  C:\WINDOWS\system32\win32k.sys
2006-12-20 17:37:57  0          --sha-w  C:\WINDOWS\SMINST\HPCD.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 02:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-17 23:40]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 22:22]
"nwiz"="nwiz.exe" [2006-10-22 22:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 22:22]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"Alcmtr"="ALCMTR.EXE" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-09-02 13:00 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 20:29]
"RTHDCPL"="RTHDCPL.EXE" []
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-06 16:53]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-02 13:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- Z:\Info.exe folder.htt 480 480

*Newly Created Service*
-PROCEXP90

Contents of the 'Scheduled Tasks' folder
2007-05-14 23:18:16  C:\WINDOWS\tasks\McDefragTask.job
2007-04-30 23:00:03  C:\WINDOWS\tasks\McQcTask.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 12:58:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]

Completion time: 2007-05-28 12:59:26
C:\ComboFix-quarantined-files.txt ... 2007-05-28 12:59
--- E O F ---
  • And a HijackThis log please. Download hijackthissetup (http://www.isecurity.org.uk/downloads/hijackthissetup.exe) to your Desktop.
    - Double-click hijackthissetup.exe
    - Follow the instructions and click Install
    - A shortcut named Hijack This will appear on your Desktop
    - Double-click the shortcut to start HijackThis.
  • Logfile of HijackThis v1.99.1
Scan saved at 19:19:34, on 28-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?linkid=7715
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/components/CycloScopeLite.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ascasxxmeemf - Advanced System Products, Inc. - (no file)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
Click 'Fix checked' to remove the items.
1. Download ATF cleaner (http://www.atribune.org/ccount/click.php?id=1) (made by Atribune). Double-click ATF cleaner to start the program. On the "Main" tab, tick Select All. Click the Empty Selected button.
Do the following if you also use Firefox as a browser: click the "Firefox" tab and tick Select All. If you want to keep the passwords saved by Firefox, click "No" in the window that appears (this removes the tick from "Firefox saved passwords"). Click the Empty Selected button.
Do the following if you also use Opera as a browser: click the "Opera" tab and tick Select All. If you want to keep the passwords saved by Opera, click "No" in the window that appears. Click the Empty Selected button.
Go to the "Main" tab and click the Exit button to close the program.
2. Download Dr.Web CureIt to your desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
3. Start the computer in safe mode (http://users.pandora.be/marcvn/spyware/1378056.htm).
4. Double-click drweb-cureit.exe and allow it to start the express scan. This scans the files currently loaded in memory; if something is found, click the Yes to all button at the 'cure it?' prompt. This is only a short scan.
Once the short scan has finished, click Options > Change Settings. Choose the "Scan" tab and untick "Heuristic analyse". Back in the main window you can select the drives you want scanned. Select all drives here. A red dot will then appear on the drives you are having scanned. Then click the green arrow on the right to start the scan. Click 'Yes to all' when asked to perform cure or move.
When the scan is done, check whether you can click the following icon next to what was found: (image: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
If so, click it, then click the icon just below it and choose: Move incurable, as shown in the following image: (image: http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
This will move the files to the folder %userprofile%\DoctorWeb\quarantaine-folder if they cannot be disinfected (in case we need samples).
After selecting the above, in the menu at the top of Dr.Web CureIt, click file and choose save report list. Save the log to your desktop. Then close Dr.Web CureIt.
5. Restart your computer in normal mode!! This is an important step, because Dr.Web CureIt may move/delete files during the restart.
After restarting, copy and paste the contents of the log you saved earlier into your next post together with a HijackThis log. Reboot once more and tell us whether you still have any problems.
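An added triage helper for the HijackThis log format used in this thread (example code, not part of the thread, of HijackThis or of any tool named here). It parses the "Oxx - ..." entries and flags the kinds of lines a helper looks at first: Run entries that launch a bare file name like the [Alcmtr] ALCMTR.EXE entry fixed above, services whose binary is absent, BHOs loaded straight from system32 like the Trojan.Virtumod DLLs ComboFix quarantined, and Winlogon Notify DLLs. The sample lines are copied from the logs posted in this thread except the last O2 line, which is constructed with a placeholder CLSID; every flag is a review candidate to check against the disk, not a verdict.

```python
"""Triage helper for HijackThis v1.99.1 log entries (added example).

Parses the "Oxx - ..." entry format of the logs posted in this thread and
marks entries a malware-removal helper inspects first. The result is a list
of review candidates, not a verdict: bare-name Run entries such as nwiz.exe
are legitimate vendor components, so each finding carries the reason that
has to be checked against the files actually present on disk.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. All lines but the last are copied from the HijackThis
# logs posted in this thread; the last O2 line is constructed (placeholder
# CLSID) to mirror the randomly named system32 DLL ComboFix quarantined.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ascasxxmeemf - Advanced System Products, Inc. - (no file)
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\vtstr.dll
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section "O4", body "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM32_DLL_RE = re.compile(r"c:\\windows\\system32\\[^\\]+\.dll", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def command_image(cmd: str) -> str:
    """Return the file a Run value actually launches, without its arguments.

    Quoted paths are unwrapped; for rundll32 the interesting image is the
    DLL it is asked to load, not rundll32 itself.
    """
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    image = parts[0]
    if image.lower() == "rundll32.exe" and len(parts) > 1:
        image = parts[1].split(",")[0]
    return image


def check_entry(section: str, body: str) -> Optional[str]:
    """Return a review reason for one parsed entry, or None if it looks routine."""
    if section == "O4":
        run = RUN_RE.match(body)
        if run:
            image = command_image(run.group("cmd"))
            # No directory component: Windows resolves the name via the
            # search path, so the log alone does not say which file runs.
            if image and "\\" not in image and "%" not in image:
                return (f"Run entry [{run.group('name')}] launches bare name "
                        f"{image}; locate the file on disk and verify it")
    elif section == "O23":
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            return "service registration whose binary is absent; orphaned entry, remove it"
    elif section == "O2":
        dll = body.rsplit(" - ", 1)[-1]
        if SYSTEM32_DLL_RE.fullmatch(dll):
            return ("BHO DLL dropped directly in system32, the pattern of the "
                    "Trojan.Virtumod DLLs (vtstr.dll, opnoonk.dll) removed in this "
                    "thread; verify publisher and file age")
    elif section == "O20":
        return "Winlogon Notify DLL loads into winlogon.exe at logon; confirm it is a known component"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank or 'Running processes' path line
        reason = check_entry(m.group("section"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("section"), line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.line}\n     -> {f.reason}")
```

Run over the full log posted above it also lists the RUNDLL32-hosted NVIDIA entries only by the DLL they load, so the review list stays short enough to check by hand.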
  • Logfile of HijackThis v1.99.1
Scan saved at 21:34:15, on 29-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?linkid=7715
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/components/CycloScopeLite.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ascasxxmeemf - Advanced System Products, Inc. - (no file)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Drweb
opnoonk.dll.vir  C:\QooBox\Quarantine\C\WINDOWS\system32  Trojan.Virtumod  Deleted.
vtstr.dll.vir  C:\QooBox\Quarantine\C\WINDOWS\system32  Trojan.Virtumod  Deleted.
A0014904.dll  C:\System Volume Information\_restore{20C9F06F-93D0-44EB-9DBD-5CDF7DB851E3}\RP173  Trojan.Virtumod  Deleted.
A0015957.dll  C:\System Volume Information\_restore{20C9F06F-93D0-44EB-9DBD-5CDF7DB851E3}\RP174  Trojan.Virtumod  Deleted.
A0015959.dll  C:\System Volume Information\_restore{20C9F06F-93D0-44EB-9DBD-5CDF7DB851E3}\RP174  Trojan.DownLoader.22767  Deleted.
A0015960.sys  C:\System Volume Information\_restore{20C9F06F-93D0-44EB-9DBD-5CDF7DB851E3}\RP174  Trojan.DownLoader.22767  Deleted.
A0015961.exe  C:\System Volume Information\_restore{20C9F06F-93D0-44EB-9DBD-5CDF7DB851E3}\RP174  Trojan.DownLoader.22767  Deleted.
A0015962.exe  C:\System Volume Information\_restore{20C9F06F-93D0-44EB-9DBD-5CDF7DB851E3}\RP174  Trojan.Click.2452  Deleted.
A0021787.dll  C:\System Volume Information\_restore{20C9F06F-93D0-44EB-9DBD-5CDF7DB851E3}\RP182  Trojan.Virtumod  Deleted.
A0021788.dll  C:\System Volume Information\_restore{20C9F06F-93D0-44EB-9DBD-5CDF7DB851E3}\RP182  Trojan.Virtumod  Deleted.
winbjt32(2).dll  C:\WINDOWS\system32  Trojan.Mezzia  Deleted.
ddlwarez.reg  J:\Recycled\Dj3\ag  Trojan.StartPage.1505  Deleted.
  • Computer is clean again, thanks for the help!!!!!!!
  • The log does indeed look clean and good. Do turn off System Restore, reboot, and then turn System Restore back on; you will then have created a clean new restore point, so you cannot get reinfected from it.
  • I have the same problem, but as a "blonde" :wink: computer user of a certain age, I am not sure I can just follow the above. So if it is not too much trouble, I would appreciate your help. Thanks in advance. Trusien


This is an archived page. Replying is no longer possible.