Question & Answer

Security & privacy

smart antivirus 2009

8 answers
  • Dear all, unfortunately I also have Smart Antivirus on my computer. I have tried everything but I cannot get rid of it. Would one of you be willing to look at my HijackThis file? Unfortunately I cannot make sense of it myself.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:10:51, on 14-10-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NDAS\System\ndassvc.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {B2ADB537-AFF6-4D72-BA77-DA012A6FDEA6} - (no file)
    O3 - Toolbar: (no name) - {E01D0ACE-25AC-4353-87EF-6CB2B368E3C7} - (no file)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: sSmNHyYo - sSmNHyYo.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe

    --
    End of file - 3070 bytes

    Kind regards, Jeroen Schippers
  • Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {B2ADB537-AFF6-4D72-BA77-DA012A6FDEA6} - (no file)
    O3 - Toolbar: (no name) - {E01D0ACE-25AC-4353-87EF-6CB2B368E3C7} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O20 - Winlogon Notify: sSmNHyYo - sSmNHyYo.dll (file missing)

    Click 'Fix checked' to remove the items.

    Download MBAM (Malwarebytes' Anti-Malware) here: http://www.besttechie.net/tools/mbam-setup.exe
    Double-click mbam-setup.exe to install the program. Make sure there is a tick in front of Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click "Finish". If an update is found, it will be downloaded and installed.
    Once the program is fully up to date, select "Quick Scan" on the Scanner tab, then click Scan. Scanning can take a while, so be patient.
    When the scan has finished, click OK, then "Show Results" to view the results. Make sure everything there is ticked, then click: Remove Selected. After removal a log will open and you will be asked to restart the computer. (See below.)
    The log is saved automatically by MBAM and can be found by clicking the "Logs" tab in MBAM.
    If MBAM has trouble removing certain files, it will show a few prompts where you must click OK. After that it will ask to restart the computer... so allow MBAM to restart the computer.

    Paste the contents of that log in your next post, together with a new HijackThis log.
  • Many thanks for your reply. These are the results, but unfortunately the virus keeps coming back.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:39: VIRUS ALERT!, on 15-10-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Documents and Settings\Fam. Schippers\Application Data\Adobe\Player.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NDAS\System\ndassvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: QXK Olive - {9D16A7EE-E00A-4BFA-A976-308772A47699} - C:\WINDOWS\grfxbanogtl.dll
    O3 - Toolbar: rosqxvmn - {7C554665-B775-4305-BAE6-E310B361F216} - C:\WINDOWS\rosqxvmn.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKCU\..\Run: [Player] C:\Documents and Settings\Fam. Schippers\Application Data\Adobe\Player.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O21 - SSODL: ngwstxfd - {2DA4B0CC-8AB8-4981-9A15-559565FF7474} - C:\WINDOWS\ngwstxfd.dll
    O21 - SSODL: qrbgltos - {86FB5B86-C9B6-467D-8EFD-22DB04248C6D} - C:\WINDOWS\qrbgltos.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    Malwarebytes' Anti-Malware 1.28
    Database versie: 1274
    Windows 5.1.2600 Service Pack 2

    15-10-2008 21:29:22
    mbam-log-2008-10-15 (21-29-22).txt

    Scan type: Snelle Scan
    Objecten gescand: 41783
    Verstreken tijd: 1 minute(s), 23 second(s)

    Geheugenprocessen geïnfecteerd: 2
    Geheugenmodulen geïnfecteerd: 0
    Registersleutels geïnfecteerd: 12
    Registerwaarden geïnfecteerd: 4
    Registerdata bestanden geïnfecteerd: 0
    Mappen geïnfecteerd: 3
    Bestanden geïnfecteerd: 14

    Geheugenprocessen geïnfecteerd:
    C:\Documents and Settings\Fam. Schippers\Local Settings\Temp\sft_ver1.1454.0.exe (Trojan.FakeAlert) -> Unloaded process successfully.
    C:\Documents and Settings\Fam. Schippers\Local Settings\Temp\pwrmgr.exe (Rogue.Installer) -> Unloaded process successfully.

    Geheugenmodulen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:
    HKEY_CLASSES_ROOT\TypeLib\{add2e186-bb87-4453-97c5-c3db33f1b28a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{991c0136-81e2-4aa6-9e64-fcd38d02ca2a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7c554665-b775-4305-bae6-e310b361f216} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{1f62619c-16d1-45ef-bae0-9ddf1b4e2a2d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{22eb5fb3-22a5-43b2-b08c-5aea7070e1d8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{fbad69c2-cfec-437a-9c20-99c0fbafea26} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{81dad4db-bfa2-4e0a-a5f0-971f1c1918f6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{c9595659-a3df-4597-bb0a-9a8353b1146c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d820ee46-f740-4992-965c-596e5ddb7d71} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d16a7ee-e00a-4bfa-a976-308772a47699} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9d16a7ee-e00a-4bfa-a976-308772a47699} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registerwaarden geïnfecteerd:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smart antivirus-2009.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7c554665-b775-4305-bae6-e310b361f216} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qrbgltos (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ngwstxfd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registerdata bestanden geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Regards, Jeroen Schippers
  • Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    O2 - BHO: QXK Olive - {9D16A7EE-E00A-4BFA-A976-308772A47699} - C:\WINDOWS\grfxbanogtl.dll
    O3 - Toolbar: rosqxvmn - {7C554665-B775-4305-BAE6-E310B361F216} - C:\WINDOWS\rosqxvmn.dll
    O4 - Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O21 - SSODL: ngwstxfd - {2DA4B0CC-8AB8-4981-9A15-559565FF7474} - C:\WINDOWS\ngwstxfd.dll
    O21 - SSODL: qrbgltos - {86FB5B86-C9B6-467D-8EFD-22DB04248C6D} - C:\WINDOWS\qrbgltos.dll
    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    Click 'Fix checked' to remove the items.

    Then make a new log with HJT, let me know how things stand … and then we'll take it from there.
  • Thanks again for your reply. I have found that under Start > All Programs the programs Rapid Antivirus and Smart Antivirus are still there despite all the scans I have done. I cannot find these programs in the Control Panel and so cannot uninstall them. This is the new HJT result:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:12:50, on 17-10-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\xsvmbwnu.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NDAS\System\ndassvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKCU\..\Run: [Player] C:\Documents and Settings\Fam. Schippers\Application Data\Adobe\Player.exe
    O4 - HKCU\..\Run: [EnStr] C:\WINDOWS\system32\xsvmbwnu.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
    O20 - Winlogon Notify: efcDTLET - efcDTLET.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)

    --
    End of file - 2636 bytes

    Thanks in advance, regards, Jeroen
  • Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

    O4 - HKCU\..\Run: [EnStr] C:\WINDOWS\system32\xsvmbwnu.exe
    O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
    O20 - Winlogon Notify: efcDTLET - efcDTLET.dll (file missing)
    O24 - Desktop Component 0: Privacy Protection - (no file)

    Click 'Fix checked' to remove the items.

    Download Combofix here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe and put it on your Desktop.
    If you have used Combofix before, please delete that version and download Combofix again via the link above, because Combofix is updated daily.
    Double-click Combofix.exe and follow the instructions; accept the disclaimer by typing y.
    While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix has finished and after the restart, the log combofix.txt will open.
    If, during or after the download of Combofix or while using Combofix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download Combofix again. Some scanners treat certain components that Combofix uses as suspicious and will block or delete them!

    Attach the Combofix log to your next post, together with a new HJT log.
  • ComboFix log:

    ComboFix 08-10-16.08 - Fam. Schippers 2008-10-17 18:43:21.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.715 [GMT 2:00]
    Gestart vanuit: C:\Documents and Settings\Fam. Schippers\Bureaublad\ComboFix.exe
    * Nieuw herstelpunt werd aangemaakt

    WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\Fam. Schippers\Application Data\Adobe\crc.dat
    C:\Documents and Settings\Fam. Schippers\Application Data\Adobe\Player.exe
    C:\Documents and Settings\Fam. Schippers\Application Data\Adobe\Player.exe.bak
    C:\Documents and Settings\Fam. Schippers\Cookies\axer.sys
    C:\Documents and Settings\Fam. Schippers\Cookies\uzecas.dat
    C:\WINDOWS\ShellIcon32.dll
    C:\WINDOWS\system32\dgibsvte.ini
    C:\WINDOWS\system32\UuFMUFii.ini
    C:\WINDOWS\system32\UuFMUFii.ini2

    ----- BITS: Mogelijk geïnfecteerde sites -----

    hxxp://78.157.143.163
    hxxp://78.157.143.198
    .
    (((((((((((((((((((( Bestanden Gemaakt van 2008-09-17 to 2008-10-17 ))))))))))))))))))))))))))))))
    .

    2008-10-17 17:03 . 2008-10-17 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\kpqvgzer
    2008-10-15 21:53 . 2008-10-15 21:53 <DIR> d-------- C:\Program Files\TweakNow RegCleaner Std
    2008-10-15 21:46 . 2008-10-15 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avgrkhgr
    2008-10-15 20:15 . 2008-10-15 20:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-15 20:15 . 2008-10-15 20:15 <DIR> d-------- C:\Documents and Settings\Fam. Schippers\Application Data\Malwarebytes
    2008-10-15 20:15 . 2008-10-15 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-15 20:15 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-15 20:15 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-15 17:18 . 2008-10-15 17:18 <DIR> d-------- C:\Documents and Settings\Fam. Schippers\Application Data\0000005738
    2008-10-13 23:36 . 2008-10-15 20:31 <DIR> dr-h----- C:\Documents and Settings\Fam. Schippers\Onlangs geopend
    2008-10-13 23:05 . 2008-10-14 20:33 <DIR> d-------- C:\Program Files\Hitman Pro 3
    2008-10-13 23:05 . 2008-10-17 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hitman Pro 3
    2008-10-13 23:05 . 2008-10-13 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    2008-10-13 22:50 . 2008-10-13 22:50 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-13 21:24 . 2008-10-13 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\xgbsfkbk
    2008-10-13 20:39 . 2008-10-13 20:56 <DIR> d-------- C:\WINDOWS\tmp
    2008-10-13 20:31 . 2008-10-13 20:31 <DIR> d-------- C:\Program Files\Lavasoft
    2008-10-13 20:31 . 2008-10-13 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-13 20:14 . 2008-10-13 20:14 19,793 --a------ C:\Documents and Settings\Fam. Schippers\Application Data\neqyty.scr
    2008-10-13 20:14 . 2008-10-13 20:14 19,724 --a------ C:\WINDOWS\system32\olal.dat
    2008-10-13 20:14 . 2008-10-13 20:14 18,857 --a------ C:\WINDOWS\ajulebepi.sys
    2008-10-13 20:14 . 2008-10-13 20:14 18,743 --a------ C:\Program Files\Common Files\moqyk.bin
    2008-10-13 20:14 . 2008-10-13 20:14 16,777 --a------ C:\WINDOWS\giwije.ban
    2008-10-13 20:14 . 2008-10-13 20:14 14,988 --a------ C:\Documents and Settings\Fam. Schippers\Application Data\ylyp.exe
    2008-10-13 20:14 . 2008-10-13 20:14 13,653 --a------ C:\WINDOWS\bosofogivi.com
    2008-10-13 20:14 . 2008-10-13 20:14 12,033 --a------ C:\WINDOWS\vigozo.bin
    2008-10-13 20:14 . 2008-10-13 20:14 11,399 --a------ C:\WINDOWS\aduqebe.sys
    2008-10-13 19:38 . 2008-10-13 19:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-13 18:07 . 2008-10-13 18:08 98,304 --a------ C:\WINDOWS\DUMP4391.tmp
    2008-10-13 18:07 . 2008-10-13 18:09 98,304 --a------ C:\WINDOWS\DUMP4277.tmp
    2008-10-13 16:52 . 2008-10-13 17:10 98,304 --a------ C:\WINDOWS\DUMP4390.tmp
    2008-10-13 16:52 . 2008-10-13 17:05 98,304 --a------ C:\WINDOWS\DUMP42c5.tmp
    2008-10-13 16:52 . 2008-10-13 17:03 98,304 --a------ C:\WINDOWS\DUMP4287.tmp
    2008-10-13 16:52 . 2008-10-13 17:06 98,304 --a------ C:\WINDOWS\DUMP4268.tmp
    2008-10-13 16:52 . 2008-10-13 17:02 98,304 --a------ C:\WINDOWS\DUMP40d1.tmp
    2008-10-12 20:28 . 2008-10-12 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\torqlyvo
    2008-10-12 20:23 . 2008-10-12 20:23 <DIR> d-------- C:\Documents and Settings\Fam. Schippers\Application Data\5
    2008-10-11 23:05 . 2008-10-11 23:05 <DIR> d-------- C:\Documents and Settings\Fam. Schippers\Application Data\ImgBurn
    2008-10-11 22:46 . 2008-10-11 22:46 <DIR> d-------- C:\Program Files\ImgBurn
    2008-10-11 21:40 . 2004-03-02 16:37 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
    2008-10-11 21:40 . 2004-03-02 16:37 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
    2008-10-11 21:39 . 2008-10-11 21:39 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-10-11 21:39 . 2008-10-11 21:39 <DIR> d-------- C:\Program Files\Ahead
    2008-10-11 21:39 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
    2008-10-11 21:39 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
    2008-10-11 21:39 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
    2008-10-11 21:39 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
    2008-10-11 21:39 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2008-10-11 21:39 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
    2008-10-11 20:52 . 2008-10-14 22:28 <DIR> d-------- C:\Documents and Settings\Fam. Schippers\Application Data\GrabIt
    2008-10-11 20:44 . 2008-10-11 20:44 <DIR> d-------- C:\Program Files\QuickPar
    2008-10-11 20:25 . 2008-10-13 21:01 <DIR> d-------- C:\Program Files\GrabIt
    2008-10-11 20:16 . 2008-10-11 20:17 <DIR> d-------- C:\Program Files\FTDv3.8
    2008-10-08 10:57 . 2008-06-22 19:14 3,584 --a------ C:\WINDOWS\system32\bootdelete.exe
    2008-10-03 09:45 . 2008-10-03 09:45 <DIR> d-------- C:\Program Files\CCleaner
    2008-10-02 17:13 . 2008-10-04 22:58 <DIR> d-------- C:\Documents and Settings\Fam. Schippers\Application Data\BitTorrent
    2008-10-01 19:58 . 2008-10-13 23:24 <DIR> d-------- C:\Program Files\BitTorrent
    2008-09-30 20:53 . 2008-10-02 17:03 <DIR> d-------- C:\Documents and Settings\Fam. Schippers\Application Data\FileZilla
    2008-09-17 17:15 . 2008-09-17 17:18 <DIR> d-------- C:\Program Files\Virtual Earth 3D
    2008-09-17 14:38 . 2008-09-17 14:38 <DIR> d-------- C:\Program Files\SanDisk

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-13 21:24 --------- d-----w C:\Program Files\BitComet
    2008-10-13 19:37 --------- d-----w C:\Program Files\X-OOM Media Center for Wii
    2008-10-13 18:14 12,862 ----a-w C:\Program Files\Common Files\hefik.lib
    2008-10-13 14:51 98,304 ----a-w C:\WINDOWS\DUMP377b.tmp
    2008-10-13 14:50 98,304 ----a-w C:\WINDOWS\DUMP34bc.tmp
    2008-10-13 11:45 98,304 ----a-w C:\WINDOWS\DUMP37c9.tmp
    2008-10-13 11:44 98,304 ----a-w C:\WINDOWS\DUMP37f8.tmp
    2008-10-12 18:29 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
    2008-10-11 23:42 --------- d-----w C:\Documents and Settings\Fam. Schippers\Application Data\Hamachi
    2008-10-01 15:18 --------- d-----w C:\Program Files\Remote Desktop Control 2
    2008-09-17 12:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-14 14:34 --------- d-----w C:\Program Files\UltraVnc
    2008-09-12 11:22 --------- d-----w C:\Documents and Settings\Fam. Schippers\Application Data\ArcSoft
    2008-09-01 19:40 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
    2008-09-01 19:40 --------- d-----w C:\Program Files\Hamachi
    2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2007-06-15 C:\WINDOWS\SkyTel.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispSettingPage"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\BitComet\\BitComet.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "16650:TCP"= 16650:TCP:BitComet 16650 TCP
    "16650:UDP"= 16650:UDP:BitComet 16650 UDP

    R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2005-08-11 109184]
    R1 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2005-08-11 120704]
    R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2005-08-11 39168]
    S3 hitmanpro3;Hitman Pro 3 Support Driver;C:\WINDOWS\system32\drivers\hitmanpro3.sys [ ]
    S3 HitmanProCrusader;HitmanProCrusader;C:\Documents and Settings\Fam. Schippers\Local Settings\Temp\hitmanpro3\hitmanpro3_rub.exe [ ]
    S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2005-08-11 91392]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\setup.exe

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    - - - - ORPHANS VERWIJDERD - - - -

    WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
    HKCU-Run-Player - C:\Documents and Settings\Fam. Schippers\Application Data\Adobe\Player.exe
    ShellExecuteHooks-{B2ADB537-AFF6-4D72-BA77-DA012A6FDEA6} - (no file)
    ShellExecuteHooks-{BCE97A72-640B-4DED-923F-8196FC01F76B} - (no file)

    .
    ------- Bijkomende Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
    R0 -: HKLM-Main,Start Page = hxxp://www.google.com
    O8 -: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 -: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 -: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 -: E&xporteren naar Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-17 18:44:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-10-17 18:44:59
    ComboFix-quarantined-files.txt 2008-10-17 16:44:47

    Pre-Run: 156.113.735.680 bytes beschikbaar
    Post-Run: 156,113,113,088 bytes beschikbaar

    179

    HJT logfile:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:52:37, on 17-10-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\NDAS\System\ndassvc.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: HitmanProCrusader - Unknown owner - C:\Documents and Settings\Fam. Schippers\Local Settings\Temp\hitmanpro3\hitmanpro3_rub.exe (file missing)
    O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)

    --
    End of file - 2830 bytes

    Thanks, Jeroen
  • Start HijackThis and choose 'Do a system scan only'. Select only the item listed below:

    O24 - Desktop Component 0: Privacy Protection - (no file)

    Click 'Fix checked' to remove the item.

    Open a Notepad file. Copy and paste the following text into it:

    File::
    C:\Documents and Settings\Fam. Schippers\Application Data\neqyty.scr
    C:\WINDOWS\system32\olal.dat
    C:\WINDOWS\ajulebepi.sys
    C:\Program Files\Common Files\moqyk.bin
    C:\WINDOWS\giwije.ban
    C:\Documents and Settings\Fam. Schippers\Application Data\ylyp.exe
    C:\WINDOWS\bosofogivi.com
    C:\WINDOWS\vigozo.bin
    C:\WINDOWS\aduqebe.sys
    C:\WINDOWS\DUMP4391.tmp
    C:\WINDOWS\DUMP4277.tmp
    C:\WINDOWS\DUMP4390.tmp
    C:\WINDOWS\DUMP42c5.tmp
    C:\WINDOWS\DUMP4287.tmp
    C:\WINDOWS\DUMP4268.tmp
    C:\WINDOWS\DUMP40d1.tmp
    C:\WINDOWS\DUMP377b.tmp
    C:\WINDOWS\DUMP34bc.tmp
    C:\WINDOWS\DUMP37c9.tmp
    C:\WINDOWS\DUMP37f8.tmp
    C:\WINDOWS\system32\bdod.bin

    Folder::
    C:\Documents and Settings\All Users\Application Data\kpqvgzer
    C:\Documents and Settings\All Users\Application Data\avgrkhgr
    C:\Documents and Settings\Fam. Schippers\Application Data\0000005738
    C:\Documents and Settings\All Users\Application Data\xgbsfkbk
    C:\WINDOWS\tmp
    C:\Documents and Settings\All Users\Application Data\torqlyvo
    C:\Documents and Settings\Fam. Schippers\Application Data\5

    Save this file on your desktop as CFScript.txt. Drag CFScript.txt onto ComboFix.exe. This will make ComboFix restart. Reboot if asked to.
    After the restart, post the contents of Combofix.txt in your next post together with a new HijackThis log. And let me know right away how things stand now?


This is an archived page. Replying is no longer possible.