Question & Answer

Security & privacy

Problems with wininet.dll

15 answers
  • Hello everyone, for a few weeks now I have been having problems with various applications that use wininet.dll. If I have, for example, Outlook or Word open for a little under a minute, my CPU goes to 100%. Via processXP I found out that WININET.DLL!InternetCrackUrlA is causing the problem. If I kill this process, my CPU goes back down. Is this some kind of virus?? Replacing the file with a 'fresh' DLL does not work because it is in use (the same in safe mode). Can anyone help me??? If I need to post a HijackThis log, let me know! Thanks in advance...
  • Here is some info: http://www.processlibrary.com/directory/?files=WININET.DLL Just post a HijackThis log, that is the recommended route anyway.
  • Thanks for the quick response, here is the HijackThis log; Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:57:03, on 2-3-2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE c:\windows\soundman.exe c:\program files\eset\nod32kui.exe i:\progjes\transparant\glass2k.exe c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe c:\windows\system32\ctfmon.exe c:\program files\microsoft activesync\wcescomm.exe i:\progjes\statbar\statbar.exe c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe c:\program files\logitech\setpoint\setpoint.exe c:\program files\ideazon\zengine\zboard.exe c:\program files\common files\logitech\khal\khalmnpr.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\HPZipm12.exe i:\progjes\processexplorer\procexp.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe c:\program files\mozilla firefox\firefox.exe i:\progjes\hijackthis\hijackthis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common 
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Glass2k] I:\Progjes\Transparant\Glass2k.exe O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe" O4 - HKCU\..\Run: [StatBar] I:\Progjes\statbar\StatBar.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: ZEngine.lnk = C:\Program Files\Ideazon\ZEngine\Zboard.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? 
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684310328 O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) - O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/nl/check/qdiagh.cab?326 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. 
- C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: klpsrvc - Unknown owner - C:\Program Files\USB LOCK AP\klpsrvc.exe (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • Can someone check whether the log above contains errors? Thanks in advance...
  • Please don't bump so quickly! Follow these instructions (http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden) to download ComboFix: Carry out the instructions on the BleepingComputer page, including installing the XP Recovery Console. If you have used ComboFix before, please delete that version and download ComboFix again via the link above, because ComboFix is updated daily. NOTE: if, during or after downloading ComboFix or while using ComboFix, you get an alert from your antivirus or another real-time scanner, disable that scanner and download ComboFix again. Some scanners regard certain components that ComboFix uses as suspicious and will block or remove them! Double-click Combofix.exe. While the fix is running, do NOT click in the window, because that will make your PC hang. When the fix is complete and after a restart, the log Combofix.txt will open. Post this log in your next reply, together with a fresh HijackThis log. Pim
  • Didn't mean to 'bump'... sorry. Here are both logs; ComboFix 08-03-04.2 - pokey 2008-03-04 16:05:37.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.629 [GMT 1:00] Gestart vanuit: c:\documents and settings\pokey\bureaublad\combofix.exe . (((((((((((((((((((( Bestanden Gemaakt van 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))) . 2008-03-03 14:40 . 2008-03-03 14:40 <DIR> d-------- C:\Program Files\Belastingdienst 2008-03-03 08:34 . 2008-03-03 08:34 <DIR> d-------- C:\Program Files\RescuePRO™ 2008-03-03 08:34 . 2008-03-03 08:34 286,720 --a------ C:\WINDOWS\iun507.exe 2008-03-02 19:54 . 2008-03-02 19:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-02 19:54 . 2008-03-02 19:54 1,409 --a------ C:\WINDOWS\QTFont.for 2008-03-02 15:02 . 2008-03-02 15:02 <DIR> d-------- C:\Program Files\Uniblue 2008-03-02 15:02 . 2008-03-02 15:02 <DIR> d-------- C:\Documents and Settings\pokey\Application Data\Uniblue 2008-03-02 09:09 . 2008-03-02 09:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch 2008-02-21 14:02 . 2008-02-21 14:03 <DIR> d-------- C:\Program Files\FTDv3.8 2008-02-21 13:53 . 2008-02-21 13:55 <DIR> d-------- C:\Program Files\CleanUp! 2008-02-21 04:07 . 2008-03-03 21:02 4 --a------ C:\WINDOWS\system32\blck.wav 2008-02-06 21:18 . 2008-02-06 21:18 <DIR> d-------- C:\Program Files\Common Files\xing shared . ((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-03-03 20:05 --------- d-----w C:\Program Files\Trillian 2008-03-03 17:17 --------- d-----w C:\Program Files\Easy CD-DA Extractor 8 2008-03-03 08:15 462,848 ----a-w C:\WINDOWS\ExInst1.exe 2008-02-08 07:44 --------- d-----w C:\Program Files\ESET 2008-02-06 20:18 --------- d-----w C:\Program Files\Real 2008-02-06 20:18 --------- d-----w C:\Program Files\Common Files\Real 2008-01-24 20:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-01-18 20:15 --------- d-----w C:\Program Files\mIRC 2008-01-17 14:59 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2008-01-15 10:05 --------- d-----w C:\Program Files\UltraISO 2008-01-15 10:05 --------- d-----w C:\Program Files\Common Files\EZB Systems 2007-12-22 07:21 339,328 ----a-w C:\WINDOWS\system32\_AxShlEx.dll 2007-12-10 20:09 673,792 ------w C:\WINDOWS\system32\wininet.dll 2007-10-23 14:39 89,168 ----a-w C:\Documents and Settings\pokey\Application Data\GDIPFONTCACHEV1.DAT 2007-07-05 17:52 8 ----a-w C:\Documents and Settings\pokey\Application Data\usb.dat.bin 2006-08-09 12:13 4,233 ----a-w C:\Program Files\INSTALL.LOG 2005-07-26 11:10 550,419 ----a-w C:\Program Files\Pocket Mechanic.2577.CAB 2005-07-26 11:10 215 ----a-w C:\Program Files\Pocket Mechanic.INI 2003-10-17 12:54 1,078 ----a-w C:\Program Files\Pocket Mechanic.ico 2001-09-28 15:00 164,864 ----a-w C:\Program Files\UNWISE.EXE 2007-10-01 22:01 23 --sha-w C:\WINDOWS\system32\affefeae_r.dll . 
------- Sigcheck ------- d0d7296d2cfaafcf1af55f15748b0303 C:\WINDOWS\system32\wininet.dll ----a-w 660,992 2005-01-27 17:13:26 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ----a-w 662,016 2005-05-02 20:59:25 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ----a-w 660,992 2005-03-10 07:50:14 C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ----a-w 663,552 2005-09-02 23:55:55 C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll ----a-w 662,528 2005-07-03 02:11:48 C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll ----a-w 664,576 2005-10-21 03:40:44 C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll -c----w 659,968 2004-09-29 18:50:01 C:\WINDOWS\$NtUninstallKB867282$\wininet.dll -c----w 659,968 2005-03-10 08:06:47 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll -c----w 659,968 2005-01-27 17:14:34 C:\WINDOWS\$NtUninstallKB890923$\wininet.dll -c----w 661,504 2005-07-03 02:17:09 C:\WINDOWS\$NtUninstallKB896688$\wininet.dll -c----w 660,992 2005-05-02 20:57:50 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll -c----w 661,504 2005-09-02 23:55:08 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll ------w 673,792 2007-12-10 20:09:40 C:\WINDOWS\system32\wininet.dll -c--a-w 673,792 2007-12-10 20:09:40 C:\WINDOWS\system32\dllcache\wininet.dll . ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten ))))))))))))))))))))))))))))))))))))))))))))))))))) . . 
REGEDIT4 *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03 15360] "H/PC Connection Agent"="c:\program files\microsoft activesync\wcescomm.exe" [2005-11-15 18:44 1200128] "Start WingMan Profiler"="" [] "StatBar"="I:\Progjes\statbar\StatBar.exe" [2003-07-25 01:40 335872] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 19:05 2532576] "SoundMan"="SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-10-22 22:24 917504] "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 14:46 28160 C:\WINDOWS\KHALMNPR.Exe] "Glass2k"="I:\Progjes\Transparant\Glass2k.exe" [2005-08-08 09:20 56325] "AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 11:12 517632] "QuickTime Task"="c:\program files\quicktime\qttask.exe" [2007-10-03 10:24 282624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03 15360] C:\Documents and Settings\dazed\Programma's\Opstarten\ ZEngine.lnk - C:\Program Files\Ideazon\ZEngine\Zboard.exe [2007-04-03 18:46:52 57344] C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\ hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 00:17:18 147456] hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58 28672] Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-01-04 17:42:34 450560] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^InterVideo WinCinema Manager.lnk] backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and 
Settings^dazed^Programma's^Opstarten^Adobe Gamma.lnk] backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON] --a------ 2005-05-25 11:12 517632 C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zboard] --a------ 2007-04-03 18:46 57344 C:\Program Files\Ideazon\ZEngine\Zboard.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\Avant Browser\\avant.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009 R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2000-09-07 09:00] R3 Alpham1;Ideazon Merc USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-03-20 09:49] R3 Alpham2;Ideazon Merc MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 09:49] S2 klpsrvc;klpsrvc;C:\Program Files\USB LOCK AP\klpsrvc.exe [] S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-03-01 04:22] S3 Alpham;Ideazon Merc Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys [2005-12-04 12:55] S3 hcdriver;EHCI;C:\WINDOWS\system32\Drivers\hcdriver.sys [2003-04-25 21:16] S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-11-10 18:23] S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-11-10 18:23] S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem 
Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-11-10 18:23] S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-11-10 18:23] S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys [2006-11-10 18:23] S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys [2006-11-10 18:23] S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys [2006-11-10 18:24] S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01] . Inhoud van de 'Gedeelde Taken' map "2005-12-22 19:54:22 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1127308046.job" - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I "2008-03-03 08:00:00 C:\WINDOWS\Tasks\system32.job" - C:\WINDOWS\system32 . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-04 16:06:38 Windows 5.1.2600 Service Pack 2 NTFS scannen van verborgen processen ... scannen van verborgen autostart items ... scannen van verborgen bestanden ... Scan succesvol afgerond verborgen bestanden: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant] "ImagePath"="" . --------------------- DLLs Geladen Onder Lopende Processen --------------------- PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180] -> C:\Program Files\Eset\pr_imon.dll . 
Voltooingstijd: 2008-03-04 16:07:09 ComboFix2.txt 2007-12-11 16:14:39 --------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:05:17, on 4-3-2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe c:\windows\soundman.exe i:\progjes\transparant\glass2k.exe c:\windows\system32\ctfmon.exe c:\program files\microsoft activesync\wcescomm.exe i:\progjes\statbar\statbar.exe c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe C:\PROGRA~1\MICROS~4\rapimgr.exe c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe c:\program files\logitech\setpoint\setpoint.exe c:\program files\ideazon\zengine\zboard.exe c:\program files\common files\logitech\khal\khalmnpr.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\explorer.exe c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe c:\windows\system32\notepad.exe c:\program files\mozilla firefox\firefox.exe i:\progjes\hijackthis\hijackthis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Glass2k] I:\Progjes\Transparant\Glass2k.exe O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe" O4 - HKCU\..\Run: [StatBar] I:\Progjes\statbar\StatBar.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: ZEngine.lnk = C:\Program Files\Ideazon\ZEngine\Zboard.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? 
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684310328 O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) - O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/nl/check/qdiagh.cab?326 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. 
- C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: klpsrvc - Unknown owner - C:\Program Files\USB LOCK AP\klpsrvc.exe (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe -- End of file - 6085 bytes
  • Hopefully I'm not 'bumping' now... I waited a week :wink: Could someone please check the logs above for 'errors'? Thanks in advance!
  • Good that you bumped, I had actually overlooked it :oops: Uninstall ComboFix: go to Start --> Run and type: combofix /u ComboFix will now be removed and a new restore point will be created. The Java software on your computer is outdated. Older versions have holes that give malware the chance to install itself. First carry out the steps below to uninstall Java and install the newest version: Download Java Runtime Environment (JRE) 6u5 (http://java.sun.com/javase/downloads/index.jsp). Scroll down to: "Java Runtime Environment (JRE) 6u5". Click the "Download" button on the right. In the drop-down menu to the right of Platform, select Windows. Tick "I agree to the Java SE Runtime Environment 6 License Agreement" and click Continue. The page will reload. Click the jre-6u5-windows-i586-p.exe link UNDER Windows Offline Installation and save it to your Desktop. Close all programs that may be open - certainly your web browser! Then go to Start > Control Panel > Add or Remove Programs and remove all older versions of Java from the program list. Tick everything with Java Runtime Environment (JRE or J2SE) in the name. Then click Remove or the Change/Remove button. Repeat this until all older versions are gone. After removing all older versions, restart your PC. Then double-click jre-6u5-windows-i586-p.exe on your Desktop to install the newest version of Java. Do you still have problems?
  • That can happen of course! :) I must say that after running ComboFix the first time I already had no more problems with my CPU usage. I have now removed the old Java software and installed the new one. The PC still seems to work fine. Below once more a fresh HijackThis logfile; ------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:03:47, on 11-3-2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE c:\windows\soundman.exe c:\program files\eset\nod32kui.exe i:\progjes\transparant\glass2k.exe c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe c:\windows\system32\ctfmon.exe c:\program files\microsoft activesync\wcescomm.exe i:\progjes\statbar\statbar.exe c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe c:\program files\logitech\setpoint\setpoint.exe c:\program files\ideazon\zengine\zboard.exe C:\WINDOWS\system32\wscntfy.exe c:\program files\common files\logitech\khal\khalmnpr.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\msiexec.exe c:\program files\mozilla firefox\firefox.exe i:\progjes\hijackthis\hijackthis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Glass2k] I:\Progjes\Transparant\Glass2k.exe O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe" O4 - HKCU\..\Run: [StatBar] i:\progjes\statbar\statbar.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 
'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: ZEngine.lnk = C:\Program Files\Ideazon\ZEngine\Zboard.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684310328 O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) - O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/nl/check/qdiagh.cab?326 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. 
- C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: klpsrvc - Unknown owner - C:\Program Files\USB LOCK AP\klpsrvc.exe (file missing) O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe -- End of file - 6284 bytes ---------------------------------------------------- Are there any more odd things to see? Greetz...
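The thread turns on reading HijackThis logs like the ones above by eye. As an added example (not code from HijackThis, ComboFix, or any poster in this thread), the script below parses the line prefixes HijackThis uses (R0/R1, O2, O4, O9, O16, O23) and flags the entries a log reviewer looks at first: O23 services whose binary is reported missing, O4 autoruns that start from outside the Windows or Program Files trees, and O16 ActiveX entries that carry no source URL. The sample lines are constructed in the shape of the logs posted here, and the "trusted prefix" list is this example's own assumption rather than a HijackThis rule; a flag means "look at this", not "this is malware" (the I:\Progjes entries in this thread are the poster's own tools).

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a few lines in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Glass2k] I:\Progjes\Transparant\Glass2k.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -
O23 - Service: klpsrvc - Unknown owner - C:\Program Files\USB LOCK AP\klpsrvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HijackThis entry starts with a section code such as R0, O4 or O23.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First Windows path naming a binary; lazy so it stops at the first
# .exe/.dll/.sys and ignores trailing arguments or "(file missing)".
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# Assumed "expected" locations for autorun binaries on an XP machine
# (this example's heuristic, not a HijackThis rule).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    kind: str
    body: str
    path: str = ""
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Turn the entry lines of a HijackThis log into Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, the "Running processes:" block, blank lines
        entry = Entry(m["kind"], m["body"])
        p = PATH_RE.search(entry.body)
        if p:
            entry.path = p.group(0)
        entries.append(entry)
    return entries


def review(entry: Entry) -> Entry:
    """Attach review flags to one entry; an empty flag list means nothing stood out."""
    body_l = entry.body.lower()
    path_l = entry.path.lower()
    if entry.kind == "O23" and "(file missing)" in body_l:
        entry.flags.append("service points to a missing binary")
    if entry.kind == "O4" and path_l and not path_l.startswith(TRUSTED_PREFIXES):
        entry.flags.append("autorun outside Windows/Program Files")
    if entry.kind == "O16" and entry.body.rstrip().endswith("-"):
        entry.flags.append("ActiveX (DPF) entry without a source URL")
    return entry


def flagged_entries(text: str) -> List[Entry]:
    """Parse a log and return only the entries that earned at least one flag."""
    return [e for e in map(review, parse_log(text)) if e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.kind}: {'; '.join(e.flags)}\n    {e.body}")
```

Run against the sample it reports the Glass2k autorun on I:\, the Java 1.4 DPF entry with no URL, and the klpsrvc service whose executable is gone; the rest of the sample passes silently, which matches the "looks fine" verdict the reviewer gave on the real logs.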
  • Looks fine. To prevent a repeat, read through these security tips again: http://www.jawwi.nl/nederlands/tips/beveiligen/beveiligen.html
  • Better that the log looks good :) I run NOD32 as AV, Lavasoft Ad-Aware, and Sygate firewall. I read on the page you linked that Sygate is no longer supported. Is that also an increased risk? If so, what is a good alternative (preferably free), and are there programs I should add to these three for optimal security?
  • You could choose another one from that list; personally I'm a fan of Kerio, but that is everyone's own choice.
  • I'll look into a few things regarding the firewall; so additional security has no real added value? Regards
  • No, for the rest you are well protected. :)
  • Good to hear :) In any case, thanks again for the help and advice offered!


This is an archived page. Replying is no longer possible.