Trojan vundo HELP!

7 answers
  • I have recently picked up the Trojan VUNDO. I saw on this forum that this problem has already been dealt with and that for personal advice you have to open a separate topic. I saw that you have to run VundoFix and HijackThis. I have done this and put the logs below. Is there anyone who can help me further with this?

    VundoFix V6.5.7
    Checking Java version...
    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.
    Java version is 1.5.0.11
    Scan started at 19:59:23 8-8-2007
    Listing files found while scanning....
    C:\windows\system32\bqdwplxi.ini
    C:\WINDOWS\system32\ddcyw.dll
    C:\windows\system32\ixlpwdqb.dll
    C:\windows\system32\ljjhihf.dll
    C:\WINDOWS\system32\ptyobqjy.dll
    C:\WINDOWS\system32\uwstabey.dll
    C:\WINDOWS\system32\wvurron.dll
    C:\WINDOWS\system32\wycdd.bak1
    C:\WINDOWS\system32\wycdd.bak2
    C:\WINDOWS\system32\wycdd.ini
    C:\WINDOWS\system32\wycdd.ini2
    C:\WINDOWS\system32\wycdd.tmp
    C:\windows\system32\yebatswu.ini
    Beginning removal...
    Attempting to delete C:\windows\system32\bqdwplxi.ini
    C:\windows\system32\bqdwplxi.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\ddcyw.dll
    C:\WINDOWS\system32\ddcyw.dll Could not be deleted.
    Attempting to delete C:\windows\system32\ixlpwdqb.dll
    C:\windows\system32\ixlpwdqb.dll Has been deleted!
    Attempting to delete C:\windows\system32\ljjhihf.dll
    C:\windows\system32\ljjhihf.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\ptyobqjy.dll
    C:\WINDOWS\system32\ptyobqjy.dll Has been deleted!
    Attempting to delete C:\WINDOWS\system32\uwstabey.dll
    C:\WINDOWS\system32\uwstabey.dll Could not be deleted.
    Attempting to delete C:\WINDOWS\system32\wvurron.dll
    C:\WINDOWS\system32\wvurron.dll Could not be deleted.
    Attempting to delete C:\WINDOWS\system32\wycdd.bak1
    C:\WINDOWS\system32\wycdd.bak1 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\wycdd.bak2
    C:\WINDOWS\system32\wycdd.bak2 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\wycdd.ini
    C:\WINDOWS\system32\wycdd.ini Has been deleted!
    Attempting to delete C:\WINDOWS\system32\wycdd.ini2
    C:\WINDOWS\system32\wycdd.ini2 Has been deleted!
    Attempting to delete C:\WINDOWS\system32\wycdd.tmp
    C:\WINDOWS\system32\wycdd.tmp Has been deleted!
    Attempting to delete C:\windows\system32\yebatswu.ini
    C:\windows\system32\yebatswu.ini Has been deleted!
    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.7
    Checking Java version...
    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.
    Java version is 1.5.0.11
    Scan started at 20:04:38 8-8-2007
    Listing files found while scanning....
    C:\windows\system32\uwstabey.dll
    C:\windows\system32\wvurron.dll
    Beginning removal...
    Attempting to delete C:\windows\system32\uwstabey.dll
    C:\windows\system32\uwstabey.dll Has been deleted!
    Attempting to delete C:\windows\system32\wvurron.dll
    C:\windows\system32\wvurron.dll Has been deleted!
    Performing Repairs to the registry.
    Done!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:12:25, on 8-8-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Programs\Lavasoft\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\nlsjpdhp.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Generic\Seticon.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    D:\Programs\DAEMON Tools\daemon.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
    C:\WINDOWS\system32\wuauclt.exe
    D:\Programs\Hijack This\HijackThis.exe
    C:\WINDOWS\system32\rundll32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ubvu.vu.nl/ubvu.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Generic\Seticon.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "D:\Programs\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "D:\Programs\Norton 2007\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\bnsktkxa.dll",forkonce
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: MyCom - {8B57C970-65FF-4BE6-8DEA-4563A3B3E1B4} - http://www.mycom.nl (file missing) (HKCU)
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106079887734
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://cache.hyves.nl/statics/Aurigma/ImageUploader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/components/CycloScopeLite.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp08.photoprintit.de/microsite/defaults/activex/IPSUploader.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.hema.nl/site/xupload/XUpload.ocx
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programs\Lavasoft\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\nlsjpdhp.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Programs\Norton 2007\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 9375 bytes
  • Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
    Double-click Combofix.exe.
    Follow the instructions and accept the disclaimer by typing 1 (continue).
    While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix has finished and after the reboot, the log combofix.txt will open. Post this log in your next reply together with a new HijackThis log.
    Note: if your virus scanner reacts with a warning about a script being executed, you can ignore it.

    Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:
    O9 - Extra button: MyCom - {8B57C970-65FF-4BE6-8DEA-4563A3B3E1B4} - http://www.mycom.nl (file missing) (HKCU)
    Click 'Fix checked' to remove the items.
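Added example (my own code, not from the thread and not anything HijackThis or VundoFix does): a Python triage script that parses lines in the HijackThis format shown above and flags the traces a Vundo infection leaves in such a log: files in system32 with short, random-looking names (the VundoFix log above lists names such as bqdwplxi.ini, ptyobqjy.dll and wycdd.ini), whether they show up in the process list, in a Run key that loads a DLL through rundll32.exe, or as a service; services whose publisher field is empty; and browser buttons marked "(file missing)". The sample lines are constructed in the shape of that log. The "random-looking name" pattern and the allowlist of Windows binaries are heuristics chosen for this example, not rules HijackThis applies, so expect to tune both.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HijackThis feature).

Heuristics (assumptions of this example, not rules HijackThis applies):
  * a file under \\system32\\ whose name is 5-8 lowercase letters and is not a
    known Windows binary is treated as random-looking;
  * an O23 service line with an empty publisher field (" - - ") is flagged;
  * an O9 button/menu item marked "(file missing)" is flagged.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind reason line")

# A HijackThis entry: section code (R0, O4, O23, ...) followed by " - ".
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A Windows path up to the first quote, comma or whitespace: enough to pull a
# DLL or EXE under system32 out of an O4 or O23 line (paths with spaces are cut
# short, which does not matter for the system32 check).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s,]+')
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")
# Legitimate system32 binaries with short lowercase names (allowlist; extend as needed).
KNOWN_SYSTEM32 = {"smss", "winlogon", "services", "lsass", "svchost", "spoolsv",
                  "dllhost", "ctfmon", "wuauclt", "rundll32", "explorer"}

# Constructed sample in the shape of the HijackThis 2.0.2 log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\nlsjpdhp.exe
C:\Program Files\iTunes\iTunesHelper.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\bnsktkxa.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: MyCom - {8B57C970-65FF-4BE6-8DEA-4563A3B3E1B4} - http://www.mycom.nl (file missing) (HKCU)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\nlsjpdhp.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""


def file_stem(path):
    """Return the file name without directory or extension, lower-cased."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def looks_random(path):
    """True if the file lives in system32 and has a short lowercase name that is not allowlisted."""
    if "\\system32\\" not in path.lower():
        return False
    stem = file_stem(path)
    return bool(RANDOM_STEM.match(stem)) and stem not in KNOWN_SYSTEM32


def analyze(log_text):
    """Return a Finding for every suspicious process path or entry in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            kind, body = m.group("kind"), m.group("body")
        elif WIN_PATH.match(line):
            kind, body = "proc", line  # bare path from the "Running processes:" section
        else:
            continue  # headers, blank lines, "End of file"
        for path in WIN_PATH.findall(body):
            if looks_random(path):
                how = " (loaded via rundll32.exe)" if "rundll32" in body.lower() else ""
                findings.append(Finding(kind, "random-looking name in system32: %s%s" % (path, how), line))
        if kind == "O23" and " - - " in body:
            findings.append(Finding(kind, "service with no publisher", line))
        if kind == "O9" and "(file missing)" in body:
            findings.append(Finding(kind, "button/menu item whose file is missing", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (f.kind, f.reason, f.line))
```

The output is a list of entries worth checking, not a removal list: the two VundoFix runs above show DLLs that "Could not be deleted" on the first pass while they were still loaded, so a flag here says where to look, not that deleting the file will stick. Names such as ati2sgag.exe (legitimate, "Unknown owner") show why the heuristic keeps to letters only and why the allowlist exists.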
  • Dear all, I'm Aad. I kept getting that Trojan Vundo back. I kept having to reboot to get rid of it, but that did not help at all. Then someone told me to go to System Restore and throw away all the restore points, and that is what I did. So that means disabling System Restore and rebooting; then all the points are gone. And then turning System Restore back on. If it does not come back, create a new restore point. I hope you understand. Aad
  • I do understand that, Aad, but what kind of answer do you want now?
  • Here is Aad again. I did not want an answer, I just wanted to tell you how I solved it, so that you might get something out of it. For me those trojans do not come back any more. Regards, Aad.
  • What removed it in the first place? These things do not end up in the restore folder by themselves.
  • Dear all, I could get rid of it with VundoFix, but then it kept coming back anyway. Sometimes three times a day. Then, as I already said, I turned off System Restore on my C drive. Restarted my computer, and then all the old points were gone. And then I created a new restore point. Since then my computer has been clean. Give it a try too. Aad.


This is an archived page. Replying is no longer possible.