mrtstub

Anonymous
Jorni
4 answers
 • This morning I discovered a new directory on my disk containing the programs mrtstub and mrtexe. The directory name is a long string of random digits and letters. Some googling does not yield any clear-cut information on whether this is a virus/spyware or legitimate software. Given the name of the directory, I suspect it is an unwelcome visitor. However, my Norton AV has not raised an alarm, ZoneAlarm hasn't made a peep either, and I can't find these programs in Task Manager.

  I have also been seeing (for a while now) a %SystemDrive%_old_old appearing in Windows Explorer. This directory and its subdirectories appear to be empty, though.

  What has also struck me for some time is that ZoneAlarm constantly indicates that there is internet traffic. I did expect some extra traffic because I recently installed BOINC, but not continuously, surely?

  I'd appreciate advice on what to do about this.
 • That does sound suspicious.

  The best thing you can do is post a HijackThis log here and wait for one of the experts.
 • Here is the log file HijackThis produced - for the experts among us :D

  Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 16:55:35, on 25-8-2007
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v7.00 (7.00.6000.16512)
  Boot mode: Normal

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\Windows Defender\MsMpEng.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
  C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
  C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
  C:\WINDOWS\System32\CTsvcCDA.exe
  C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
  C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
  C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
  C:\Program Files\SiteAdvisor\6066\SAService.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Documents and Settings\KvG\My Documents\Utilities\USBDL\USBDLM\USBDLM.exe
  C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  C:\WINDOWS\System32\MsPMSPSv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\System32\DSentry.exe
  C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
  C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
  C:\WINDOWS\system32\CTHELPER.EXE
  C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
  C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
  C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
  C:\WINDOWS\MXOALDR.EXE
  C:\Program Files\Acronis\True Image Home\TrueImageMonitor.exe
  C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
  E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\Windows Defender\MSASCui.exe
  C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
  C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
  C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
  C:\Program Files\Logitech\MouseWare\system\em_exec.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
  C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
  C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  E:\Program Files\Nikon\PictureProject\NkbMonitor.exe
  C:\Program Files\Microsoft Office\Office\OSA.EXE
  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
  E:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
  C:\Program Files\BOINC\boincmgr.exe
  C:\Program Files\CPal\CPal.exe
  C:\Program Files\BOINC\boinc.exe
  C:\Program Files\BOINC\projects\boinc.bakerlab.org_rosetta\rosetta_beta_5.77_windows_intelx86.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\Program Files\HiJackThis\HijackThis.exe

  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.zeelandnet.nl:800
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
  O2 - BHO: (no name) - AutorunsDisabled - (no file)
  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
  O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
  O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - E:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
  O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
  O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
  O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
  O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
  O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
  O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
  O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
  O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
  O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
  O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
  O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
  O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
  O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
  O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\True Image Home\TrueImageMonitor.exe
  O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
  O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
  O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
  O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
  O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
  O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
  O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
  O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "E:\Program Files\Blokker Bestelsoftware\Agent.exe"
  O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
  O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
  O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
  O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
  O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
  O4 - HKCU\..\Run: [Copernic Desktop Search] "E:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
  O4 - Startup: AutorunsDisabled
  O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
  O4 - Startup: Cookie Pal.lnk = C:\Program Files\CPal\CPal.exe
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: AutorunsDisabled
  O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
  O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
  O4 - Global Startup: NkbMonitor.exe.lnk = E:\Program Files\Nikon\PictureProject\NkbMonitor.exe
  O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
  O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
  O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
  O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
  O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O15 - Trusted Zone: www.centerparcs.com
  O15 - Trusted Zone: www.klm.com
  O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
  O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
  O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
  O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
  O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom.com/activex/zylomgamesplayer.cab
  O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
  O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
  O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
  O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
  O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
  O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
  O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
  O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
  O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
  O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
  O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Wachtwoordvalidatie voor Symantec IS (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
  O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
  O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
  O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
  O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
  O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
  O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
  O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
  O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
  O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - C:\Documents and Settings\KvG\My Documents\Utilities\USBDL\USBDLM\USBDLM.exe
  O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


  End of file - 14192 bytes
 • Temporarily disable Windows Defender, because it will try to undo the changes made by HijackThis. Start HijackThis and choose 'Do a system scan only'.
  Select only the items listed below:

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
  O2 - BHO: (no name) - AutorunsDisabled - (no file)

  Close all windows except HijackThis.
  Click 'Fix checked' to remove the items.

  Download Combofix to your Desktop.
  - Double-click Combofix.exe
  - Follow the instructions; accept the disclaimer by typing 1 (continue) followed by ENTER.
  - While the fix is running, do NOT click in the window, as this will make your PC hang.
  When the fix is complete and after the reboot, the log combofix.txt will open.
  Post that log in your next reply together with a new HijackThis log.

  Note: if your virus scanner responds with a warning about a script being executed, you may ignore it.
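Added example, not part of the original thread: the rules an analyst applies when reading a HijackThis log like the one above, written as a small Python triage script. It runs on an excerpt of the log posted in this thread and flags the two entries the expert marked for fixing (a BHO registration whose file is gone, and the start page reset to about:blank), plus the things worth a second look in any such log: Run-key entries that name a bare file rather than a full path (resolved through the search path, so another binary could be picked up), a Run entry with no executable at all, Trusted Zone additions, a configured proxy, and ActiveX controls fetched over plain HTTP. The severities and reason strings are this example's own conventions, not HijackThis output; "review" means look at it, not that it is malware.

```python
"""Heuristic triage of a Trend Micro HijackThis 2.x log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the log posted in this thread; nothing here is constructed.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.zeelandnet.nl:800
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O15 - Trusted Zone: www.klm.com
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    severity: str  # "fix" (safe to remove) or "review" (verify by hand); my own labels
    reason: str
    line: str


# O4 lines look like: O4 - HKLM\..\Run: [EntryName] command line
O4_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def _executable_of(cmd: str) -> str:
    """Return the program token of a Run-key command line, or "" if there is none."""
    cmd = cmd.strip()
    if cmd.startswith('"'):            # quoted path, possibly with arguments after it
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    token = cmd.split(" ", 1)[0]
    # A leading switch means the entry has arguments but no program at all.
    return "" if token.startswith(("/", "-")) else token


def triage(log: str) -> list[Finding]:
    """Apply analyst rules line by line and return what deserves attention."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]

        # Any registration (BHO, toolbar, service, ...) whose target file is gone is an
        # orphan left by a removal or a broken install; removing the entry is harmless.
        if "(no file)" in line:
            findings.append(Finding("fix", "registration points at a missing file", line))
            continue

        if section in ("R0", "R1"):
            if line.endswith("= about:blank"):
                findings.append(Finding("review", "start page reset to about:blank; common hijacker leftover, fix unless set on purpose", line))
            elif ",ProxyServer = " in line:
                findings.append(Finding("review", "HTTP proxy configured; confirm it belongs to your ISP", line))

        elif section == "O4":
            m = O4_RE.match(line)
            if m:
                exe = _executable_of(m.group("cmd"))
                if not exe:
                    findings.append(Finding("review", "Run entry without an executable", line))
                elif "\\" not in exe and ":" not in exe:
                    # Windows resolves a bare name through the search path, so check
                    # which file actually gets executed, not just the name.
                    findings.append(Finding("review", "bare file name resolved via the search path; check which binary actually runs", line))

        elif section == "O15":
            findings.append(Finding("review", "site in the IE Trusted Zone runs with relaxed security settings", line))

        elif section == "O16" and " - http://" in line:
            findings.append(Finding("review", "ActiveX control downloaded over plain HTTP", line))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Entries that pass all rules (a fully qualified, quoted Run command; a BHO whose DLL exists; an O16 control served over HTTPS) produce no finding, which matches how the expert read the full log: out of roughly a hundred lines only two were selected for 'Fix checked'. The script is deliberately conservative; it is a reading aid, not a replacement for knowing what each vendor's components look like.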


This is an archived page. Replying is no longer possible.