Question & Answer

Security & privacy

Hijack this log.

Anonymous
pimvandenderen
7 replies
 • Hello,

  A friend of mine has picked up an MSN virus.
  It keeps sending out the text 'omg you naked' with a link.

  So I had her make a log.
  Would you take a look at it and see whether anything wrong is in there?

  Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 20:04:32, on 5-11-2007
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v7.00 (7.00.6000.16544)
  Boot mode: Normal

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
  C:\Program Files\Eset\nod32krn.exe
  C:\WINDOWS\system32\nvsvc32.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\SOUNDMAN.EXE
  C:\WINDOWS\system32\winsys2.exe
  C:\WINDOWS\system32\RUNDLL32.EXE
  C:\Program Files\Eset\nod32kui.exe
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\D-Tools\daemon.exe
  C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
  C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
  C:\WINDOWS\system32\rundll32.exe
  C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
  C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
  C:\DOCUME~1\Felicity\LOCALS~1\Temp\msnmsgs.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Program Files\MSN Messenger\MsnMsgr.Exe
  C:\Program Files\Picasa2\PicasaMediaDetector.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\WinZip\WZQKPICK.EXE
  C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\Program Files\MSN Messenger\usnsvc.exe
  C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
  C:\WINDOWS\system32\wuauclt.exe
  C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
  O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
  O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
  O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
  O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
  O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
  O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
  O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
  O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
  O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
  O4 - HKLM\..\Run: [Graphic Update] C:\DOCUME~1\Felicity\LOCALS~1\Temp\msnmsgs.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
  O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
  O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
  O4 - HKUS\S-1-5-19\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'Lokale service')
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
  O4 - HKUS\S-1-5-20\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'Netwerkservice')
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
  O4 - HKUS\S-1-5-18\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
  O4 - HKUS\.DEFAULT\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'Default user')
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
  O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
  O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mijnalbum.nl/skin/v2/system/upload/ImageUploader4.cab
  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
  O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
  O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
  O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


  End of file - 7470 bytes

  Many thanks in advance.  Regards, Guido.
 • Download it here () and save it to your desktop.
  Double-click MSNFix.exe; an icon will now appear on your desktop.

  Double-click the "Start MSNFix" icon and let it run.
  (If you get prompts from your scanner or similar, allow them.)

  The file will carry out its tasks; you don't need to do anything in the meantime. As soon as it is finished, and possibly after a restart, it will open a report (C:\MSNFix.txt). Post it in your next reply.

  Also post a fresh HijackThis log.

  Pim :)
 • Hello,

  This is the MSNFix log:


  ———- BENDEBOYS MSNFIX RAPORT ———-
  - Version: 3.6.0.4 - Last Update: 04/11/07
  - Scan performed on: di 06-11-2007 - 21:01:52,84 By Felicity
  - Bootmode: Normal Mode

  ((((((((((((((( CREATED FILES LAST MONTH )))))))))))))))

  2007-11-06 -19:33:42 - A.S.. "C:\WINDOWS\bootstat.dat"
  2007-09-27 -22:19:40 - A…. "C:\WINDOWS\system32\MRT.exe"
  2007-10-28 -15:20:42 - A…. "C:\WINDOWS\system32\perfc009.dat"
  2007-10-28 -15:20:42 - A…. "C:\WINDOWS\system32\perfc013.dat"
  2007-10-28 -15:20:42 - A…. "C:\WINDOWS\system32\perfh009.dat"
  2007-10-28 -15:20:42 - A…. "C:\WINDOWS\system32\perfh013.dat"
  2007-11-06 -18:13:46 - A..H. "C:\Documents and Settings\Felicity\NTUSER.DAT"

  ((((((((((((((( FOUND FILES )))))))))))))))

  !! BEFORE FIX !!

  C:\DOCUME~1\Felicity\LOCALS~1\Temp\msnmsgs.exe

  !! AFTER FIX !!


  ((((((((((((((( ShellServiceObjectDelayLoad )))))))))))))))

  "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
  "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
  "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
  "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

  ———- END OF LOG ———-


  And this is the fresh HijackThis log:
  Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 21:05:00, on 6-11-2007
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v7.00 (7.00.6000.16544)
  Boot mode: Normal

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\SOUNDMAN.EXE
  C:\WINDOWS\system32\winsys2.exe
  C:\WINDOWS\system32\RUNDLL32.EXE
  C:\WINDOWS\system32\rundll32.exe
  C:\Program Files\Eset\nod32kui.exe
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\D-Tools\daemon.exe
  C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
  C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
  C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
  C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Program Files\MSN Messenger\MsnMsgr.Exe
  C:\Program Files\Picasa2\PicasaMediaDetector.exe
  C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\WinZip\WZQKPICK.EXE
  C:\Program Files\Eset\nod32krn.exe
  C:\WINDOWS\system32\nvsvc32.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
  C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  C:\WINDOWS\system32\wuauclt.exe
  C:\WINDOWS\system32\wuauclt.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
  O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
  O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
  O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
  O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
  O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
  O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
  O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
  O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
  O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
  O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
  O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
  O4 - HKUS\S-1-5-19\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'Lokale service')
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
  O4 - HKUS\S-1-5-20\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'Netwerkservice')
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
  O4 - HKUS\S-1-5-18\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
  O4 - HKUS\.DEFAULT\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'Default user')
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
  O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
  O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mijnalbum.nl/skin/v2/system/upload/ImageUploader4.cab
  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
  O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
  O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
  O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


  End of file - 7335 bytes
  Is it okay now, or does more need to be done?


  Many thanks in advance!  Regards, Guido.
 • Start HijackThis, choose 'Do a system scan only' and tick the lines below:

  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe

  Now close all open windows except HijackThis and click Fix Checked.

  Download ComboFix to your desktop.

  Open Notepad, then copy and paste the following line into an empty window:

  C:\WINDOWS\system32\winsys2.exe

  Save this to your desktop as CFScript.txt

  Drag CFScript.txt onto ComboFix.exe as shown in the example below:

  http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

  This will make ComboFix start again.
  Reboot if asked to,
  and post the contents of Combofix.txt in your next reply, together with a new HijackThis log.

  Pim
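The triage the helper does by eye in this thread (the orphaned O2 BHO entry above, and in the first log the autostart entry pointing into a Temp folder whose file name imitates MSN Messenger's own MsnMsgr.exe) written out as a small HijackThis log parser. This is an added example, not code from the thread or from HijackThis: the sample log is a constructed excerpt modelled on the posted logs, and the KNOWN_NAMES list and the heuristics are assumptions of mine, not a published ruleset.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the logs posted in this thread, trimmed to the lines that matter.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\DOCUME~1\Felicity\LOCALS~1\Temp\msnmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [Graphic Update] C:\DOCUME~1\Felicity\LOCALS~1\Temp\msnmsgs.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Assumed list of names that IM worms commonly imitate; a file one edit away from one of these deserves a look.
KNOWN_NAMES = ("msnmsgr.exe", "msmsgs.exe", "svchost.exe", "lsass.exe", "smss.exe",
               "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe", "ctfmon.exe")

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
TEMP_RE = re.compile(r'(?i)\\temp\\')  # a ...\Temp\... component anywhere in the path
EXE_RE = re.compile(r'(?i)(.+?\.(?:exe|com|bat|scr|pif|dll))(?=[\s,]|$)')

@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why it deserves a closer look

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the look-alike file-name check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_path(cmd: str) -> str:
    """Pull the launched program out of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd

def check_executable(line: str, exe: str, what: str, running: bool) -> list:
    """Apply the temp-directory and look-alike heuristics to one executable."""
    out = []
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    note = " (also present in the running-process list)" if running else ""
    if TEMP_RE.search(exe):
        out.append(Finding(line, f"{what} launched from a temp directory{note}"))
    if base not in KNOWN_NAMES:
        for known in KNOWN_NAMES:
            if edit_distance(base, known) == 1:
                out.append(Finding(line, f"{what} file name '{base}' imitates '{known}'{note}"))
                break
    return out

def triage(log_text: str) -> list:
    """Return the log lines that match the heuristics, in log order."""
    findings, processes, in_procs = [], set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:  # a blank line ends the process list
                in_procs = False
                continue
            processes.add(line.lower())
            findings.extend(check_executable(line, line, "running process", False))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append(Finding(line, "BHO is registered but its DLL is missing (orphaned entry)"))
        m = O4_RE.match(line)
        if m:
            exe = executable_path(m.group("cmd"))
            findings.extend(check_executable(line, exe, "autostart entry", exe.lower() in processes))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Note that the WinSys2 entry in system32 trips none of these checks even though the helper singles it out; a generic name in a system directory is only recognisable from experience or a known-good baseline, so heuristics like these narrow the list rather than replace the reviewer.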
 • Hey,

  this is the ComboFix log.

  ComboFix 07-11-08.1 - Felicity 2007-11-07 21:09:37.1 - NTFSx86
  Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.659 [GMT 1:00]
  Gestart vanuit: C:\Documents and Settings\Felicity\Bureaublad\ComboFix.exe
  Command switches used :: C:\Documents and Settings\Felicity\Bureaublad\CFScript.txt
  * Nieuw herstelpunt werd aangemaakt
  .

  (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
  .

  C:\WINDOWS\system32\winsys.exe

  .
  (((((((((((((((((((( Bestanden Gemaakt van 2007-10-08 to 2007-11-08 ))))))))))))))))))))))))))))))
  .

  2007-11-07 21:08 51,200 –a—— C:\WINDOWS\NirCmd.exe
  2007-11-05 19:57 <DIR> d——– C:\Program Files\Trend Micro
  2007-11-05 16:37 <DIR> d——– C:\Program Files\MSN Messenger
  2007-11-01 17:12 <DIR> d——– C:\Documents and Settings\All Users\Application Data\nView_Profiles
  2007-10-28 02:57 49,152 –a—— C:\WINDOWS\system32\nircmd.exe
  2007-10-28 02:57 16,384 –a—— C:\WINDOWS\system32\restart.exe
  2007-10-28 02:57 11,254 –a—— C:\WINDOWS\system32\locate.com
  2007-10-28 01:15 57,670 –a—— C:\WINDOWS\system32\Fix.bat
  2007-10-14 17:19 <DIR> d——– C:\Documents and Settings\All Users\Application Data\Hema Album Software Advanced

  .
  ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
  .
  2007-11-02 20:05 ——— d—–w C:\Documents and Settings\Felicity\Application Data\LimeWire
  2007-10-14 16:19 ——— d—–w C:\Program Files\Hema Album Software Advanced
  2007-10-03 14:14 ——— d—–w C:\Program Files\NijghVersluys
  2007-09-29 16:50 ——— d—–w C:\Documents and Settings\Felicity\Application Data\Ahead
  2007-09-19 14:11 ——— d—–w C:\Documents and Settings\All Users\Application Data\NVIDIA
  2007-09-08 12:11 ——— d—–w C:\Program Files\Java
  2007-09-08 12:10 ——— d—–w C:\Program Files\Common Files\Java
  2007-09-08 12:08 ——— d—–w C:\Program Files\LimeWire Plus
  2007-08-21 06:26 683,520 —-a-w C:\WINDOWS\system32\inetcomm.dll
  2007-07-30 20:15:47 16,384 –sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
  2007-07-30 20:15:47 32,768 –sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
  2007-07-30 20:15:45 32,768 –sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012007073020070731\index.dat
  2007-07-30 20:15:47 32,768 –sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  .

  ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
  .
  .
  *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "SoundMan"="SOUNDMAN.EXE" [2006-01-11 08:08 C:\WINDOWS\soundman.exe]
  "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43]
  "nwiz"="nwiz.exe" [2006-08-11 14:43 C:\WINDOWS\system32\nwiz.exe]
  "SW20"="C:\WINDOWS\system32\sw20.exe" [2006-09-07 11:13]
  "SW24"="C:\WINDOWS\system32\sw24.exe" [2006-09-07 11:14]
  "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43]
  "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
  "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-07-31 18:09]
  "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12]
  "DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2003-12-27 19:43]
  "LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-31 00:03]
  "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-11-15 20:58]
  "LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-15 21:01]
  "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
  "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]

  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:03]
  "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
  "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 21:48]

  [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
  "IE7"=cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart

  C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
  Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
  HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]
  WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-07-31 17:49:21]

  R0 d344bus;d344bus;C:\WINDOWS\system32\DRIVERS\d344bus.sys
  R0 d344prt;d344prt;C:\WINDOWS\system32\Drivers\d344prt.sys
  S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys

  *Newly Created Service* - CATCHME
  .
  Inhoud van de 'Gedeelde Taken' map
  "2007-10-16 21:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
  .
  **************************************************************************

  catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
  Rootkit scan 2007-11-08 21:10:39
  Windows 5.1.2600 Service Pack 2 NTFS

  scannen van verborgen processen …

  scannen van verborgen autostart items …

  scannen van verborgen bestanden …

  Scan succesvol afgerond
  verborgen bestanden: 0

  **************************************************************************
  .
  Voltooingstijd: 2007-11-08 21:10:54
  .
  — E O F —
  and this is the HijackThis log.
  Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 21:13:40, on 8-11-2007
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v7.00 (7.00.6000.16544)
  Boot mode: Normal

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
  C:\Program Files\Eset\nod32krn.exe
  C:\WINDOWS\system32\nvsvc32.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\SOUNDMAN.EXE
  C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  C:\Program Files\D-Tools\daemon.exe
  C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
  C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
  C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
  C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Program Files\MSN Messenger\MsnMsgr.Exe
  C:\Program Files\Picasa2\PicasaMediaDetector.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\WinZip\WZQKPICK.EXE
  C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
  C:\Program Files\MSN Messenger\usnsvc.exe
  C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
  C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
  C:\WINDOWS\explorer.exe
  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
  O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
  O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
  O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
  O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
  O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
  O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
  O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
  O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
  O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
  O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
  O4 - HKUS\S-1-5-19\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'Lokale service')
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
  O4 - HKUS\S-1-5-20\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'Netwerkservice')
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
  O4 - HKUS\S-1-5-18\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
  O4 - HKUS\.DEFAULT\..\RunOnce: [IE7] cmd.exe /C rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'Default user')
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
  O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
  O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mijnalbum.nl/skin/v2/system/upload/ImageUploader4.cab
  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
  O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
  O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
  O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


  End of file - 7034 bytes

  What else do I need to do?
  Regards, Guido.
 • Delete the following file:
  C:\WINDOWS\system32\Fix.bat

  Remove ComboFix:
  Go to Start -> Run and type:
  Combofix /U
  Click OK to confirm.

  Download ATF Cleaner (by Atribune)

  Double-click ATF Cleaner to start the program.
  On the "Main" tab, tick Select All. Untick Prefetch.
  Click the Empty Selected button.

  If you also use Firefox as a browser:

  Click the "Firefox" tab and tick Select All.
  If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
  (this removes the tick at "Firefox saved passwords")
  Click the Empty Selected button.

  If you also use Opera as a browser:

  Click the "Opera" tab and tick Select All.
  If you want to keep the passwords saved by Opera, click "No" in the window that appears.
  Click the Empty Selected button.

  Go to the "Main" tab and click the Exit button to close the program.

  Disable System Restore, restart your computer and enable System Restore again: http://users.telenet.be/marcvn/spyware/1852808.htm
  This removes any remnants of the infection from your System Restore points.

  Also read through these security tips:
  http://users.telenet.be/marcvn/spyware/1564073.htm

  Pim :)
 • Hey Pim,

  Thanks a lot for the help. :)

  Hopefully it's over now!  Regards, Guido.

This is an archived page. Replying is no longer possible.