Question & Answer

Security & privacy

Persistent virus... can't install anything

Anonymous
tdw
6 answers
 • Logfile of HijackThis v1.99.1
  Scan saved at 20:23:26, on 28-5-2005
  Platform: Windows XP (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 (6.00.2600.0000)

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\csrss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\System32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  C:\Program Files\Microsoft IntelliType Pro\type32.exe
  C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
  C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
  C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
  D:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
  C:\WINDOWS\System32\ctfmon.exe
  C:\Program Files\Logitech\MouseWare\system\em_exec.exe
  C:\Program Files\Messenger\msmsgs.exe
  D:\Program Files\Wamp\wampserver.exe
  D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
  C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
  D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  D:\Program Files\Wamp\apache\Apache.exe
  D:\Program Files\Wamp\mysql\bin\mysqld-nt.exe
  D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
  D:\Program Files\Wamp\apache\Apache.exe
  C:\Program Files\Security Task Manager\TaskMan.exe
  C:\Documents and Settings\Thijs\Mijn documenten\hijackthis\HijackThis.exe
  D:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchba.htm
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchmn.htm
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchmn.htm
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchba.htm
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchmn.htm
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchsa.htm
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchcs.htm
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.nl/
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
  O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
  O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
  O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
  O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
  O4 - HKLM\..\Run: [Compaq32 Service Drivers] ms32.exe
  O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] ms32.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [Compaq32 Service Drivers] ms32.exe
  O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] ms32.exe
  O4 - Startup: ATITool.lnk = ?
  O4 - Startup: WampServer.lnk = D:\Program Files\Wamp\wampserver.exe
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
  O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117291664514
  O17 - HKLM\System\CCS\Services\Tcpip\..\{0C7071A2-F6C4-4426-A34B-25F332F3762A}: NameServer = 194.134.5.5 194.134.0.97
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
  O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
  O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
  O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
  O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
  O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  O23 - Service: wampapache - Unknown owner - D:\Program Files\Wamp\apache\Apache.exe" --ntservice (file missing)
  O23 - Service: wampmysqld - Unknown owner - D:\Program Files\Wamp\mysql\bin\mysqld-nt.exe" --defaults-file=C:\WINDOWS\mywamp.ini wampmysqld (file missing)

  Full of spyware, huh?? :p
 • Download and install CCleaner
  Don't use it yet.

  Download CWShredder and click "Fix" (close all windows first)

  Start your PC in SAFE mode.
  See here how to do that.

  Start HijackThis and choose 'Do a system scan only'
  Select only the items listed below:
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchba.htm
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchmn.htm
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchmn.htm
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchba.htm
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchmn.htm
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchsa.htm
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchcs.htm
  O4 - HKLM\..\Run: [Compaq32 Service Drivers] ms32.exe
  O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] ms32.exe
  O4 - HKCU\..\Run: [Compaq32 Service Drivers] ms32.exe
  O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] ms32.exe
  O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  Click 'Fix checked' to remove the items

  Make sure operating system files and hidden files are visible
  Delete the following directories/files:
  C:\Windows\ms32.exe
  C:\Windows\msdirectx.sys

  Start CCleaner
  CCleaner lets you set what should be cleaned up.
  Choose at least the following items:
  Internet Explorer:
  - Temporary Internet files
  System:
  - Empty Recycle Bin
  - Temporary files

  Now click Run Cleaner in CCleaner (bottom right).

  Restart your PC and run an online virus scan, e.g. Housecall

  Make a new log with HijackThis and post it.
  Also mention the result of the virus scan.

  Sjaak
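An added example, not part of the thread and not HijackThis code: a small Python triage script that applies the same three checks Sjaak's reply makes by eye to a HijackThis 1.99 log. It flags R0/R1 search keys pointing at a host IE would not set itself (the defaultsearch.com entries), O4 autoruns whose command is a bare file name with no directory (ms32.exe, which Windows then resolves through its search path), and, going one step beyond the reply, O23 services with no publisher string or a missing binary, which it marks "verify" rather than "fix". The sample lines are copied from the first log above; the allow-lists of expected search hosts and known bare-name autoruns are illustrative assumptions, not a reference set.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchba.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.defaultsearch.com/search/B90D4C2B8B3F4AB2BDDB776C16EAB8D8/1043/ie/searchsa.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.nl/
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] ms32.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] ms32.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
"""

# IE search/start-page value names that browser hijackers overwrite.
SEARCH_VALUES = {"Search Bar", "Search Page", "Default_Search_URL",
                 "SearchAssistant", "CustomizeSearch", "Start Page",
                 "Default_Page_URL"}
# Assumption: an illustrative allow-list of hosts IE 6 sets by default,
# not a complete one. Anything else in a search value is a hijack candidate.
EXPECTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com"}
# Assumption: bare-name autoruns known to be legitimate on this machine
# (the Logitech MouseWare entry from the log above).
KNOWN_BARE_AUTORUNS = {"logi_mwx.exe"}

R_LINE = re.compile(r"^(R[01]) - (.+?),([^=]+?) = (\S+)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
O23_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def executable_of(command):
    """Return the program part of an autorun command: the quoted path if the
    command is quoted, otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage(log_text):
    """Return (severity, section, reason, line) tuples for suspect entries.
    'fix' marks entries the log itself shows to be wrong; 'verify' marks
    services that only lack a publisher and need a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            _, _, value, url = m.groups()
            host = urlsplit(url).hostname or ""
            if value in SEARCH_VALUES and host not in EXPECTED_SEARCH_HOSTS:
                findings.append(("fix", "R", f"IE {value} redirected to {host}", line))
            continue
        m = O4_LINE.match(line)
        if m:
            hive, key, name, command = m.groups()
            exe = executable_of(command)
            # No drive letter and no directory separator: the loader looks the
            # name up through the search path, which is how ms32.exe hides.
            bare = "\\" not in exe and ":" not in exe
            if bare and exe.lower() not in KNOWN_BARE_AUTORUNS:
                findings.append(("fix", "O4",
                                 f"{hive}\\{key} value [{name}] runs bare file name {exe}", line))
            continue
        m = O23_LINE.match(line)
        if m:
            name, owner, path = m.groups()
            if owner == "Unknown owner":
                note = "binary missing" if path.endswith("(file missing)") else "no publisher string"
                findings.append(("verify", "O23", f"service {name}: {note}", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'fix': 4, 'verify': 2}."""
    return {sev: sum(1 for f in findings if f[0] == sev) for sev in ("fix", "verify")}


if __name__ == "__main__":
    for sev, sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {sec}: {reason}\n    {line}")
```

On the sample above the script reports four "fix" items (the two defaultsearch.com search keys and the two ms32.exe autoruns) and two "verify" items (hwclock and SCardClnt); the ATI, type32 and Logitech entries pass. Treat the allow-lists as the part you tune per machine.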
 • Logfile of HijackThis v1.99.1
  Scan saved at 22:07:56, on 28-5-2005
  Platform: Windows XP (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 (6.00.2600.0000)

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\System32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  C:\Program Files\Microsoft IntelliType Pro\type32.exe
  C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
  C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
  C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
  D:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
  C:\WINDOWS\System32\msmsngr.exe
  C:\WINDOWS\System32\ctfmon.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Logitech\MouseWare\system\em_exec.exe
  D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
  C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
  D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
  D:\Program Files\YB-Bot\mirc.exe
  D:\Program Files\X-Chat 2\xchat.exe
  C:\Documents and Settings\Thijs\Mijn documenten\hijackthis\HijackThis.exe

  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.nl/
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
  O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
  O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
  O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
  O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
  O4 - HKLM\..\Run: [msmsngr] C:\WINDOWS\System32\msmsngr.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - Startup: ATITool.lnk = ?
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
  O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117291664514
  O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
  O17 - HKLM\System\CCS\Services\Tcpip\..\{0C7071A2-F6C4-4426-A34B-25F332F3762A}: NameServer = 194.134.5.5 194.134.0.97
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
  O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
  O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
  O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
  O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
  O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
  O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  O23 - Service: wampmysqld - Unknown owner - D:\Program Files\Wamp\mysql\bin\mysqld-nt.exe" --defaults-file=C:\WINDOWS\mywamp.ini wampmysqld (file missing)

  Housecall found no viruses
 • Scan the following file at Jotti

  C:\WINDOWS\System32\msmsngr.exe

  Sjaak
 • Doesn't matter anymore, everything's gone.. did a format :)
 • Quote:
  Platform: Windows XP (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 (6.00.2600.0000)

  Then install SP2 right away. That was your big mistake.
  The virus you had on your PC (ms32.exe) used security holes that were later patched.
  HijackThis only shows a limited part of the settings in the registry. So which settings were changed in the registry in the meantime, causing you to be unable to configure anything, is unclear.
  It could, for example, be under the group policies, which would prevent the user of the PC from installing programs.

  Sjaak


This is an archived page. Answering is no longer possible.