Op deze website gebruiken we cookies om content en advertenties te personaliseren, om functies voor social media te bieden en om ons websiteverkeer te analyseren. Ook delen we informatie over uw gebruik van onze site met onze partners voor social media, adverteren en analyse. Deze partners kunnen deze gegevens combineren met andere informatie die u aan ze heeft verstrekt of die ze hebben verzameld op basis van uw gebruik van hun services. Meer informatie.

Akkoord

Vraag & Antwoord

Beveiliging & privacy

NTOS.EXE op mijn pc

triplezero
2 antwoorden
  • Hallo,

    ik had vanavond ineens de 'trojan' ntos.exe op mijn pc. Dit omdat ik per ongeluk een link opende in IE… :(

    Laat ik nou meteen gezeur hebben :)

    Aan de hand van dit forum diverse aanwijzigingen opgevolgd. Ik moet zeggen dat werkte allemaal perfect! Voor zover ik kan zien is alles weer goed, zou iemand voor de zekerheid onderstaande logs willen controleren?

    Bvd!

    ———————————-

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:20:20, on 8-12-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Eset
    od32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    c:\windows\system32
    otepad.exe
    c:\windows\soundman.exe
    c:\program files\eset
    od32kui.exe
    i:\progjes\transparant\glass2k.exe
    c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe
    c:\windows\system32\ctfmon.exe
    c:\program files\microsoft activesync\wcescomm.exe
    i:\progjes\statbar\statbar.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
    c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    c:\program files\logitech\setpoint\setpoint.exe
    c:\program files\ideazon\zengine\zboard.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    c:\program files\common files\logitech\khal\khalmnpr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    i:\progjes\hijackthis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset
    od32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Glass2k] I:\Progjes\Transparant\Glass2k.exe
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [StatBar] I:\Progjes\statbar\StatBar.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: ZEngine.lnk = C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684310328
    O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/nl/check/qdiagh.cab?326
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: klpsrvc - Unknown owner - C:\Program Files\USB LOCK AP\klpsrvc.exe (file missing)
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset
    od32krn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


    End of file - 5470 bytes

    ———————-
    SDFix: Version 1.117

    Run by Administrator on za 08-12-2007 at 22:50

    Microsoft Windows XP [versie 5.1.2600]

    Running From: C:\SDFix\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting…


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\system32
    tos.exe - Deleted
    C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
    C:\WINDOWS\system32\wsnpoem\video.dll - Deleted



    Folder C:\WINDOWS\system32\wsnpoem - Removed

    Removing Temp Files…

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32
    toskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-08 22:57:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden services & system hive …

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40]
    "ujdew"=hex:20,02,00,00,8a,7b,dc,b6,a4,f6,ef,b9,ee,31,1f,f8,f1,78,df,ba,87,..
    "ljej40"=hex:99,23,48,ac,41,6c,09,8c,c1,35,c8,ce,16,97,3d,de,46,d7,8a,ae,9d,..
    "ljej41"=hex:2a,23,48,ac,39,6c,09,8c,c0,35,c9,ce,17,97,3d,de,46,d7,8a,ae,25,..
    "ljej42"=hex:2a,23,48,ac,39,6c,09,8c,c0,35,c9,ce,17,97,3d,de,46,d7,8a,ae,25,..
    "ljej43"=hex:2a,23,48,ac,39,6c,09,8c,c0,35,c9,ce,17,97,3d,de,46,d7,8a,ae,25,..
    "ljej44"=hex:2a,23,48,ac,39,6c,09,8c,c0,35,c9,ce,17,97,3d,de,46,d7,8a,ae,25,..

    scanning hidden registry entries …

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
    "DisplayName"="Alcohol 120%"

    scanning hidden files …

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ——————



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "G:\\games\\EA GAMES\\MOHAA\\MOHAA.exe"="G:\\games\\EA GAMES\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

    Remaining Files:
    —————

    File Backups: - C:\SDFix\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Mon 1 Oct 2007 23 A.SH. — "C:\WINDOWS\system32\affefeae_r.dll"
    Tue 29 Nov 2005 4,348 ..SH. — "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sun 30 Sep 2007 262,144 A..H. — "C:\Documents and Settings\pokey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.bak_jv16pt"
    Wed 21 Sep 2005 8 A..H. — "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

    Finished!

    —————————

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-08 22:57:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden services & system hive …

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40]
    "ujdew"=hex:20,02,00,00,8a,7b,dc,b6,a4,f6,ef,b9,ee,31,1f,f8,f1,78,df,ba,87,..
    "ljej40"=hex:99,23,48,ac,41,6c,09,8c,c1,35,c8,ce,16,97,3d,de,46,d7,8a,ae,9d,..
    "ljej41"=hex:2a,23,48,ac,39,6c,09,8c,c0,35,c9,ce,17,97,3d,de,46,d7,8a,ae,25,..
    "ljej42"=hex:2a,23,48,ac,39,6c,09,8c,c0,35,c9,ce,17,97,3d,de,46,d7,8a,ae,25,..
    "ljej43"=hex:2a,23,48,ac,39,6c,09,8c,c0,35,c9,ce,17,97,3d,de,46,d7,8a,ae,25,..
    "ljej44"=hex:2a,23,48,ac,39,6c,09,8c,c0,35,c9,ce,17,97,3d,de,46,d7,8a,ae,25,..

    scanning hidden registry entries …

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
    "DisplayName"="Alcohol 120%"

    scanning hidden files …

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0






  • SDfix heefft heeft de infectie opgeruimd.
    Logjes zien er goed.
    Update je antivirusprogramma en voer een volledige systeemscan uit.
    Wordt er nog wat gevonden, dan laat je dit verwijderen.

    Blijken er nog problemen te zijn, dan meld je dit.

Beantwoord deze vraag

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.