Persistent Trojan

pimvandenderen
3 answers
  • Greetings, a while ago (read: 3 days) I opened a dubious program without really thinking about the consequences, and since then my computer has been in a very bad state.

    Notifications pop up from my taskbar saying my PC is infected, there are casino/dating/etc. icons on my Desktop, and I keep getting error messages from iexplore.exe (even though I really never use IE). Moreover, I can hardly reach any site anymore without constantly pressing F5, and all my bookmarks have disappeared too (in Firefox, that is).

    I have already tried a great deal myself: msconfig, Ad-Aware, virus scan, TrojanHunter, deleting the files listed in Task Manager myself, all without effect; the files keep coming back. I am running Windows XP SP1.

    Here is a HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:18:30, on 3-12-2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TrojanHunter 5.0\THGuard.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Xfire\xfire.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\TEMP\win95.exe
    C:\WINDOWS\mgrs.exe
    C:\Program Files\Audacity\audacity.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Ableton\Live 6.0.9\Program\Live 6.0.9.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Alex\LOCALS~1\Temp\Rar$EX00.687\HiJackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
    O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {CE92CB06-A5D2-46B7-88FC-BB15CF231C21} - C:\WINDOWS\System32\cfgmgr3.dll
    O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v4.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
    O4 - HKLM\..\Run: [dipsritc] rundll32.exe "C:\Program Files\dipsritc\rwdklshg.dll",Init
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvzam.dll,startup
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win95.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [Bhmm] "C:\WINDOWS\System32\RACLE~1\ntvdm.exe" -vt yazb
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: findfast.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7E92B53B-AC91-430B-B398-A607B3757393}: NameServer = 85.255.113.146,85.255.112.173
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
    O17 - HKLM\System\CS1\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
    O17 - HKLM\System\CS2\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: wingkb32 - C:\WINDOWS\SYSTEM32\wingkb32.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)


    End of file - 5669 bytes


    I hope someone can help me out of this predicament. ;)

    Regards,

    Alexander
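A triage pass over the HijackThis entries in the log above, as an added example (not code from the thread or from HijackThis itself): it parses the `Fx - ` / `Oxx - ` line format and flags the patterns a helper looks for first, a modified Winlogon Shell/UserInit (F2), autoruns from TEMP, via rundll32 or as a bare file name (O4), a regedit lockout policy (O7), resolvers that are not on the expected DNS list (O17) and an unknown Winlogon Notify package (O20). The DNS allowlist and the set of stock Notify package names are assumptions.

```python
"""Flag the persistence and hijack patterns visible in the HJT log above. Added
example, not from the thread or HijackThis; DNS allowlist and Notify set assumed."""
import re
from collections import namedtuple

# Constructed sample: a subset of the lines from the log in the post above.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\shell.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\\WINDOWS\\System32\\ntos.exe,
O4 - HKLM\\..\\Run: [THGuard] "C:\\Program Files\\TrojanHunter 5.0\\THGuard.exe"
O4 - HKLM\\..\\Run: [avp] C:\\WINDOWS\\TEMP\\win95.exe
O4 - HKLM\\..\\Run: [smgr] mgrs.exe
O4 - HKLM\\..\\Run: [dipsritc] rundll32.exe "C:\\Program Files\\dipsritc\\rwdklshg.dll",Init
O4 - Startup: findfast.exe
O7 - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.146 85.255.112.173
O20 - Winlogon Notify: wingkb32 - C:\\WINDOWS\\SYSTEM32\\wingkb32.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe
"""

EXPECTED_DNS = {"192.168.1.1"}  # assumed: the resolvers this LAN is supposed to use
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}  # assumed stock XP set
LINE_RE = re.compile(r"^(?P<sec>[FO]\d+) - (?P<body>.*)$")
Finding = namedtuple("Finding", "section reason line")


def _check_f2(body):
    # Shell/UserInit run at every logon before the desktop: chained programs persist.
    if body.startswith("REG:system.ini: Shell=") and body.strip() != "REG:system.ini: Shell=Explorer.exe":
        return "extra executable chained into the Winlogon Shell value"
    if body.startswith("REG:system.ini: UserInit="):
        if body.split("=", 1)[1].strip().rstrip(",").lower() != "userinit.exe":
            return "extra program chained into UserInit"
    return None


def _check_o4(body):
    m = re.search(r"\[[^\]]*\] (?P<cmd>.*)$", body)   # "[name] command" form
    cmd = m.group("cmd") if m else body.split(": ", 1)[-1]  # "Startup: file" form
    low = cmd.lower()
    if "\\temp\\" in low:
        return "autorun launched from a TEMP directory"
    if low.startswith("rundll32"):
        return "DLL started through rundll32.exe; verify the DLL it loads"
    if "\\" not in cmd:
        return "autorun given as a bare file name (resolved via the search path)"
    return None


def _check_o7(body):
    return "admin tool disabled through a Policies key" if re.search(r"Disable(Regedit|TaskMgr)=1", body) else None


def _check_o17(body):
    if "NameServer = " not in body:
        return None
    servers = re.split(r"[ ,]+", body.split("NameServer = ", 1)[1].strip())
    rogue = [s for s in servers if s and s not in EXPECTED_DNS]
    return "DNS resolvers not on the allowlist: " + ", ".join(rogue) if rogue else None


def _check_o20(body):
    m = re.match(r"Winlogon Notify: (?P<name>\S+) - ", body)
    if m and m.group("name") not in KNOWN_NOTIFY:
        return "unknown Winlogon Notify package (DLL loaded into winlogon.exe)"
    return None


CHECKS = {"F2": _check_f2, "O4": _check_o4, "O7": _check_o7,
          "O17": _check_o17, "O20": _check_o20}


def triage(log_text):
    """Return one Finding per suspicious HJT line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        check = CHECKS.get(m.group("sec")) if m else None
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("sec"), reason, raw.strip()))
    return findings
```

Run `triage(SAMPLE_LOG)` to get nine findings; the legitimate THGuard autorun and the Google service pass through untouched, and every O17 line is reported because all interfaces point at the same external resolver pair.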
  • Hi Alexander,

    Any reason why your system has none of the essential service packs for Windows?
    You don't even have Service Pack 1. Don't update yet, but only do that once your
    system is completely malware-free again!

    1. You are running HijackThis from a temp folder; that way backups are very easily lost.
    Extract HijackThis to a folder of its own, for example C:\Program Files\Hijackthis

    2. Download SDFix to your Desktop.

    Double-click to open it, select all files and extract them to a folder of their own named SDFix.
    Start your computer in Safe Mode.
    Open the SDFix folder and double-click runthis.bat to start the tool.
    Let the computer restart when asked.
    SDFix continues and opens a report when it is done!
    Post this report in your next reply.

    3. Download Combofix to your desktop

    If you have used Combofix before, please delete that version and download Combofix again via the link above, because Combofix is updated daily.

    NOTE: if, during or after downloading Combofix or while using Combofix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download Combofix again. Some scanners see certain components that Combofix uses as suspicious and will block or delete them!

    Double-click combofix.exe
    Choose "Continue" by typing 1 followed by ENTER.
    While the fix is running, do NOT click in the window, as this will make your PC hang.

    When the fix is complete and after the restart, the log combofix.txt will open.
    Post the Combofix log (combofix.txt) in your next reply together with a fresh HijackThis log.

    Now post the SDFix log, the Combofix log and a fresh HijackThis log in your next message.

    Good luck!
    Pim :)
  • OK, here are a few logs. Note: if I now boot in normal mode, the whole PC locks up :?


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:58:15, on 3-12-2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Alex\Bureaublad\HiJackThis.exe

    O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {CE92CB06-A5D2-46B7-88FC-BB15CF231C21} - C:\WINDOWS\System32\cfgmgr3.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Bhmm] "C:\WINDOWS\System32\RACLE~1\ntvdm.exe" -vt yazb
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7E92B53B-AC91-430B-B398-A607B3757393}: NameServer = 85.255.113.146,85.255.112.173
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
    O17 - HKLM\System\CS1\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
    O17 - HKLM\System\CS2\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)


    End of file - 4327 bytes


    SDFix: Version 1.116

    Run by Alex on ma 03-12-2007 at 21:56

    Microsoft Windows XP [versie 5.1.2600]

    Running From: C:\SDFX\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\KERNEL32.EXE - Deleted
    C:\Program Files\E404 Helper\e404.v4.dll - Deleted
    C:\Program Files\Common Files\Yazzle1162OinAdmin.exe - Deleted
    C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe - Deleted
    C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\autorun.exe - Deleted
    C:\Documents and Settings\Alex\Menu Start\Programma's\Opstarten\findfast.exe - Deleted
    C:\Program Files\spoolsv.exe - Deleted
    C:\Documents and Settings\Alex\~tmp1174.exe - Deleted
    C:\WINDOWS\avp.exe - Deleted
    C:\WINDOWS\Casino.ico - Deleted
    C:\WINDOWS\Free Online Dating.ico - Deleted
    C:\WINDOWS\mgrs.exe - Deleted
    C:\WINDOWS\Spyware Remover.ico - Deleted
    C:\WINDOWS\system32\Kernel32.exe - Deleted
    C:\WINDOWS\system32\printer.exe - Deleted
    C:\WINDOWS\system32\spoolvs.exe - Deleted
    C:\WINDOWS\xpupdate.exe - Deleted
    C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
    C:\WINDOWS\system32\wsnpoem\video.dll - Deleted



    Folder C:\Program Files\E404 Helper - Removed
    Folder C:\WINDOWS\system32\wsnpoem - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-03 22:40:18
    Windows 5.1.2600 NTFS

    detected NTDLL code modification:
    ZwQuerySystemInformation

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:2df9c43f
    "s2"=dword:110480d0
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:f4,35,40,68,b6,f7,b7,d1,34,54,55,b3,66,88,cf,de,0c,d2,d4,2c,75,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,6b,b8,7e,a8,c0,4f,fb,4f,27,ed,9c,bc,6d,db,79,d2,bd,..
    "khjeh"=hex:8f,90,39,15,e9,12,12,fc,73,fc,34,0f,2d,d5,bd,31,54,59,fc,7f,2b,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:ca,23,9a,24,ad,7a,de,27,31,66,fa,5f,64,60,0d,13,f4,e9,85,ea,87,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:59,9e,25,40,49,4b,37,2d,5a,4e,3a,52,1e,fd,ad,e4,77,da,e2,f3,86,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
    "khjeh"=hex:f8,c4,76,3d,77,9b,c7,f3,6c,43,f8,3d,3f,28,0e,7f,95,3f,1a,d2,77,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
    "khjeh"=hex:28,5e,e1,ed,4e,fb,f8,86,a7,d4,2a,54,7a,0b,ae,ec,a4,4c,5d,99,b0,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:f4,35,40,68,b6,f7,b7,d1,34,54,55,b3,66,88,cf,de,0c,d2,d4,2c,75,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,6b,b8,7e,a8,c0,4f,fb,4f,27,ed,9c,bc,6d,db,79,d2,bd,..
    "khjeh"=hex:8f,90,39,15,e9,12,12,fc,73,fc,34,0f,2d,d5,bd,31,54,59,fc,7f,2b,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:ca,23,9a,24,ad,7a,de,27,31,66,fa,5f,64,60,0d,13,f4,e9,85,ea,87,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:59,9e,25,40,49,4b,37,2d,5a,4e,3a,52,1e,fd,ad,e4,77,da,e2,f3,86,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
    "khjeh"=hex:f8,c4,76,3d,77,9b,c7,f3,6c,43,f8,3d,3f,28,0e,7f,95,3f,1a,d2,77,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
    "khjeh"=hex:28,5e,e1,ed,4e,fb,f8,86,a7,d4,2a,54,7a,0b,ae,ec,a4,4c,5d,99,b0,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\xloader10181.exe"="C:\\Program Files\\xloader10181.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Alex\\Menu Start\\Programma's\\Opstarten\\findfast.exe"="C:\\Documents and Settings\\Alex\\Menu Start\\Programma's\\Opstarten\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\All Users.WINDOWS\\Menu Start\\Programma's\\Opstarten\\autorun.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Menu Start\\Programma's\\Opstarten\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
    "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\TEMP\\win56.exe"="C:\\WINDOWS\\TEMP\\win56.exe:*:Enabled:win56"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "C:\\Program Files\\xloader10181.exe"="C:\\Program Files\\xloader10181.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Alex\\Menu Start\\Programma's\\Opstarten\\findfast.exe"="C:\\Documents and Settings\\Alex\\Menu Start\\Programma's\\Opstarten\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\All Users.WINDOWS\\Menu Start\\Programma's\\Opstarten\\autorun.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Menu Start\\Programma's\\Opstarten\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
    "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

    Remaining Files:
    ----------------

    File Backups: - C:\SDFX\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Sat 20 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
    Tue 23 Nov 2004 303,104 A..H. --- "C:\Documents and Settings\Alex\Bureaublad\Maya\Maya44.dll"
    Tue 23 Nov 2004 325,344 A..H. --- "C:\Documents and Settings\Alex\Bureaublad\Maya\Maya44.sys"
    Tue 23 Nov 2004 139,264 A..H. --- "C:\Documents and Settings\Alex\Bureaublad\Maya\Maya44USBPanel.exe"
    Tue 23 Nov 2004 23,360 A..H. --- "C:\Documents and Settings\Alex\Bureaublad\Maya\pgusbmm3.sys"
    Wed 24 Nov 2004 299,008 A..H. --- "C:\Documents and Settings\Alex\Bureaublad\Maya\Setup98ME.exe"
    Wed 24 Nov 2004 315,392 A..H. --- "C:\Documents and Settings\Alex\Bureaublad\Maya\SetupXP2k.exe"
    Thu 22 Nov 2007 8,194,048 ...H. --- "C:\Documents and Settings\Alex\Bureaublad\School\MCV\~WRL0005.tmp"
    Sun 2 Dec 2007 12,254,720 ...H. --- "C:\Documents and Settings\Alex\Bureaublad\School\MCV\~WRL2853.tmp"

    Finished!


    Hope you can do something with this :D

This is an archived page. Replying is no longer possible.