Removing a trojan?

Anonymous
Jos H
7 answers
 • Switched to NOD32; it immediately found a trojan that NAV had not fixed/seen!!!!!!!!!!!
  Installed the latest update, and after scanning this .log file follows.

  Scanning Log
  NOD32 version 1.912 (20041029) NT
  Checking CRC of the NOD32.EXE file: status OK
  Operating memory is OK.
  Error occured while scanning MBR sector of the 2. physical disk. Error reading sector.
  date: 29.10.2004 time: 16:16:49
  Scanned disks, directories and files: C:; D:
  C:\pagefile.sys - error opening (access denied) [4]
  C:\hiberfil.sys - error opening (access denied) [4]
  [b]C:\WINDOWS\system32\msdlupd.dll - Win32/TrojanDownloader.Dyfica.CU trojan[/b]
  C:\WINDOWS\system32\config\system.LOG - error opening (file locked) [4]
  C:\WINDOWS\system32\config\software.LOG - error opening (file locked) [4]
  C:\WINDOWS\system32\config\default.LOG - error opening (file locked) [4]
  C:\WINDOWS\system32\config\SAM.LOG - error opening (file locked) [4]
  C:\WINDOWS\system32\config\SECURITY.LOG - error opening (file locked) [4]
  C:\WINDOWS\system32\config\DEFAULT - error opening (file locked) [4]
  C:\WINDOWS\system32\config\SECURITY - error opening (file locked) [4]
  C:\WINDOWS\system32\config\SOFTWARE - error opening (file locked) [4]
  C:\WINDOWS\system32\config\SYSTEM - error opening (file locked) [4]
  C:\WINDOWS\system32\config\SAM - error opening (file locked) [4]
  C:\WINDOWS\Temp\ZLT05d98.TMP - error opening (file locked) [4]
  C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (file locked) [4]
  C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (file locked) [4]
  C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (file locked) [4]
  C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (file locked) [4]
  C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (file locked) [4]
  C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (file locked) [4]
  C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (file locked) [4]
  C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (file locked) [4]
  C:\Documents and Settings\Jos \ntuser.dat.LOG - error opening (file locked) [4]
  C:\Documents and Settings\Jos \ntuser.dat - error opening (file locked) [4]
  C:\Documents and Settings\Jos \Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (file locked) [4]
  C:\Documents and Settings\Jos \Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (file locked) [4]
  number of scanned files: 149907
  number of viruses found: 1
  time of completion: 16:29:02 total scanning time: 733 sec (00:12:13)
  Notes:
  [4] File cannot be open. It is being exclusively used by another application or operating system.

  Can I delete msdlupd.dll without running into problems :-?
 • Yes.
 • http://www.giantcompany.com/antispyware/research/spyware/spyware-MoneyTree.aspx

  [quote]MoneyTree may also install a Browser Helper Object (BHO).

  MoneyTree may also use direct EXE file downloads to distribute the same dialers; this process does not leave an ActiveX control loaded.

  MoneyTree variants:

  MoneyTree/NSUpdate: installs nsupdate.dll and NSupd9x.inf in the Downloaded Program Files folder.

  MoneyTree/NSLite: installs nslite.dll and nslite.inf in the Downloaded Program Files folder.

  MoneyTree/UniDist: installs UniDist.ocx and UniDist.inf in the Downloaded Program Files folder.

  MoneyTree/MultiDist: installs MulDist.ocx and MulDist.inf in the Downloaded Program Files folder.

  MoneyTree/DyFuCA: installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs the InternetOptimizer parasite. The DyFuCA variant typically installs the InternetOptimizer threat which is an error page hijacker for Internet Explorer.
  [/quote]
 • [quote="turbulence"]http://www.giantcompany.com/antispyware/research/spyware/spyware-MoneyTree.aspx

  [quote]MoneyTree may also install a Browser Helper Object (BHO).

  MoneyTree may also use direct EXE file downloads to distribute the same dialers; this process does not leave an ActiveX control loaded.

  MoneyTree variants:

  MoneyTree/NSUpdate: installs nsupdate.dll and NSupd9x.inf in the Downloaded Program Files folder.

  MoneyTree/NSLite: installs nslite.dll and nslite.inf in the Downloaded Program Files folder.

  MoneyTree/UniDist: installs UniDist.ocx and UniDist.inf in the Downloaded Program Files folder.

  MoneyTree/MultiDist: installs MulDist.ocx and MulDist.inf in the Downloaded Program Files folder.

  MoneyTree/DyFuCA: installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs the InternetOptimizer parasite. The DyFuCA variant typically installs the InternetOptimizer threat which is an error page hijacker for Internet Explorer.
  [/quote][/quote]

  Could you perhaps give a bit more explanation about the hyperlinks :-?
 • That's just a site that tells you what kind of trojan it is ..

  One that puts spyware on your PC, in other words … by the way, Internet Optimizer can be found in your software section .. so it seems logical to me that MoneyTree will be listed there too …

  Spybot finds it too; I just don't actually know whether it also removes the files … but removing those files is explained perfectly well on that Giant-whatever site :)

  So there will probably be a load of junk in your Program Files as well ..

  Otherwise, post a HijackThis log and let them check it out …
 • Had Ad-aware & Spybot scan the system.
  Then installed SpywareBlaster!
  After that, installed Spy Sweeper and ran a scan.
  It found another 16 pieces of spyware and "180 tracks".
  To be on the safe side, here is a HijackThis.log:

  Logfile of HijackThis v1.98.2
  Scan saved at 15:55:25, on 31-10-2004
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\csrss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Logitech\iTouch\iTouch.exe
  C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
  C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  C:\Program Files\Eset\nod32kui.exe
  C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
  C:\Program Files\AutoSizer\AutoSizer.exe
  C:\WINDOWS\System32\GEARSec.exe
  C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
  C:\Program Files\Eset\nod32krn.exe
  C:\WINDOWS\system32\nvsvc32.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\dllhost.exe
  C:\WINDOWS\System32\ups.exe
  C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
  C:\WINDOWS\system32\ZONELABS\vsmon.exe
  C:\WINDOWS\System32\vssvc.exe
  C:\WINDOWS\System32\wbem\wmiapsrv.exe
  C:\WINDOWS\System32\dllhost.exe
  C:\WINDOWS\System32\alg.exe
  C:\WINDOWS\System32\msdtc.exe
  C:\WINDOWS\system32\devldr32.exe
  C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  D:\HijackThis\HijackThis.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hccnet.nl
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hccnet.nl
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hccnet.nl/
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O3 - Toolbar: &HCC Hulp - {0BFDDA12-9C1A-46B8-9681-AFF63C2A1EF0} - C:\PROGRA~1\hcchulp\HCCHulp.dll
  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
  O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
  O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
  O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
  O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
  O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
  O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
  O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe" /h
  O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
  O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
  O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
  O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
  O9 - Extra 'Tools' menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
  O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
  O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
  O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
  O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
  O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
  O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.biblioservice.net/msrdp.cab
  O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
  O17 - HKLM\System\CCS\Services\Tcpip\..\{1F368752-FE48-4A58-8534-1B7F1EE3E58F}: NameServer = 62.251.0.6 62.251.0.7
  O17 - HKLM\System\CS1\Services\Tcpip\..\{1F368752-FE48-4A58-8534-1B7F1EE3E58F}: NameServer = 62.251.0.6 62.251.0.7

  Anything else to fix :-?
 • This one:
  [b]O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -[/b]
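
Added example, not part of the original thread: the entry singled out in the last answer is the only O16 (Downloaded Program Files) line in the log above with nothing after the final dash. This Python sketch parses O16 lines (an excerpt copied from that log) and groups them by how their download source is recorded; the grouping, the function names and the idea of reviewing source-less entries first are assumptions of this example, not rules stated in the thread.

```python
import re

# Excerpt copied from the HijackThis log in this thread: five O16 lines plus
# one O9 line to show that other sections are ignored.
LOG_EXCERPT = """\
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.biblioservice.net/msrdp.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
"""

# "O16 - DPF: <id> (<name>) - <source>"; name and source are both optional.
# The greedy name group copes with names that contain parentheses themselves.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<ident>\S+) (?:\((?P<name>.*)\) )?-\s*(?P<source>.*)$"
)

def parse_o16(log_text):
    """Return one dict per O16 line: ident, name, source ('' when absent)."""
    entries = []
    for raw in log_text.splitlines():
        m = O16_RE.match(raw.strip())
        if m:
            entries.append({
                "ident": m.group("ident"),
                "name": m.group("name") or "",
                "source": m.group("source").strip(),
            })
    return entries

def triage(log_text):
    """Group O16 entries by how their download source is recorded."""
    groups = {"no_source": [], "http": [], "https": [], "other": []}
    for e in parse_o16(log_text):
        src = e["source"].lower()
        if not src:
            key = "no_source"
        elif src.startswith("https://"):
            key = "https"
        elif src.startswith("http://"):
            key = "http"
        else:
            key = "other"
        groups[key].append(e["name"] or e["ident"])
    return groups

if __name__ == "__main__":
    for key, names in triage(LOG_EXCERPT).items():
        print(f"{key:10} {names}")
```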
