Persistent Trojan

Anonymous
pimvandenderen
3 answers
 • Greetings, a while ago (read: 3 days) I opened a dubious program without really thinking about the consequences, and since then my computer has been in a very bad state.

  I get notifications from my taskbar that my PC is infected, there are casino/dating/etc. icons on my desktop, and I keep getting error messages from iexplore.exe (even though I really never use IE). Moreover, I can hardly reach any site any more without constantly pressing F5, and all my bookmarks have disappeared too (in Firefox, that is).

  I have already tried a lot myself: msconfig, Ad-Aware, virus scan, TrojanHunter, deleting the files listed in Task Manager myself, all without effect; the files keep coming back. I am running Windows XP SP1.

  Here is a HijackThis log:

  Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 21:18:30, on 3-12-2007
  Platform: Windows XP (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 (6.00.2600.0000)
  Boot mode: Normal

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
  C:\WINDOWS\Explorer.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\TrojanHunter 5.0\THGuard.exe
  C:\WINDOWS\System32\ctfmon.exe
  C:\Program Files\MSN Messenger\MsnMsgr.Exe
  C:\Program Files\DAEMON Tools\daemon.exe
  C:\Program Files\Xfire\xfire.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\MSN Messenger\usnsvc.exe
  C:\WINDOWS\System32\wuauclt.exe
  C:\WINDOWS\system32\rundll32.exe
  C:\WINDOWS\TEMP\win95.exe
  C:\WINDOWS\mgrs.exe
  C:\Program Files\Audacity\audacity.exe
  C:\Program Files\uTorrent\uTorrent.exe
  C:\Program Files\Ableton\Live 6.0.9\Program\Live 6.0.9.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\WinRAR\WinRAR.exe
  C:\DOCUME~1\Alex\LOCALS~1\Temp\Rar$EX00.687\HiJackThis.exe

  F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
  F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
  O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  O2 - BHO: (no name) - {CE92CB06-A5D2-46B7-88FC-BB15CF231C21} - C:\WINDOWS\System32\cfgmgr3.dll
  O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v4.dll
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
  O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
  O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
  O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
  O4 - HKLM\..\Run: [dipsritc] rundll32.exe "C:\Program Files\dipsritc\rwdklshg.dll",Init
  O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvzam.dll,startup
  O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win95.exe
  O4 - HKLM\..\Run: [smgr] mgrs.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
  O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
  O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
  O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
  O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
  O4 - HKCU\..\Run: [Bhmm] "C:\WINDOWS\System32\RACLE~1\ntvdm.exe" -vt yazb
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
  O4 - Startup: findfast.exe
  O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
  O4 - Global Startup: autorun.exe
  O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
  O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
  O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O17 - HKLM\System\CCS\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
  O17 - HKLM\System\CCS\Services\Tcpip\..\{7E92B53B-AC91-430B-B398-A607B3757393}: NameServer = 85.255.113.146,85.255.112.173
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
  O17 - HKLM\System\CS1\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
  O17 - HKLM\System\CS2\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
  O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
  O20 - Winlogon Notify: wingkb32 - C:\WINDOWS\SYSTEM32\wingkb32.dll
  O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
  O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)


  End of file - 5669 bytes


  I hope someone can help me out of this predicament. ;)

  Regards,

  Alexander
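The log above is the kind of thing a helper reads by eye. As an added example (not code from the thread, from HijackThis or from either poster), the Python script below applies the same reading as heuristics over HijackThis-style log lines: a system.ini Shell= or UserInit= value that chains an extra executable, Run-key autostarts that live in a temp directory, in the Windows directory itself or have no path at all, a policy that disables regedit, a BHO without a name, a Winlogon Notify DLL, and NameServer entries outside the resolvers the machine is expected to use. The sample log, the GUID placeholder and the expected resolver 192.168.1.1 are constructed assumptions; every hit is a "look at this" for manual review, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis log format in the thread
# above; the GUID placeholder and the 192.168.1.1 resolver are assumptions.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CE92CB06-A5D2-46B7-88FC-BB15CF231C21} - C:\WINDOWS\System32\cfgmgr3.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win95.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER}: NameServer = 192.168.1.1
O20 - Winlogon Notify: wingkb32 - C:\WINDOWS\SYSTEM32\wingkb32.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Resolvers the machine is expected to use (assumed; normally the router or the ISP).
EXPECTED_RESOLVERS = {"192.168.1.1"}
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line):
    """Split 'O4 - <rest>' into its section code and the remainder, or None."""
    m = re.match(r"\s*([RFNO]\d+)\s+-\s+(.*\S)\s*$", line)
    return (m.group(1), m.group(2)) if m else None


def check_f2(rest):
    """Shell= should be exactly Explorer.exe; UserInit= should only name userinit.exe."""
    m = re.match(r"REG:system\.ini:\s*(Shell|UserInit)=(.*)$", rest, re.I)
    if not m:
        return None
    key, value = m.group(1).lower(), m.group(2).strip()
    if key == "shell" and value.lower() != "explorer.exe":
        return "Shell= starts something besides Explorer.exe: " + value
    if key == "userinit":
        parts = [p.strip() for p in value.split(",") if p.strip()]
        extra = [p for p in parts if not p.lower().endswith("userinit.exe")]
        if extra:
            return "UserInit= chains extra program(s): " + ", ".join(extra)
    return None


def check_o2(rest):
    return "BHO without a name" if rest.startswith("BHO: (no name)") else None


def first_executable(cmd):
    """Return the program path from a Run-key command line (quoted or not)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_o4(rest):
    m = re.match(r".*Run:\s*\[[^\]]*\]\s*(.*)$", rest)
    if not m:
        return None
    exe = first_executable(m.group(1).strip())
    if TEMP_DIR.search(exe):
        return "autostart from a temp directory: " + exe
    if "\\" not in exe:
        return "autostart with an unqualified path: " + exe
    if WINDOWS_ROOT_EXE.match(exe):
        return "autostart directly in the Windows directory: " + exe
    return None


def check_o7(rest):
    m = re.search(r"(Disable(?:Regedit|TaskMgr))=1", rest, re.I)
    return f"policy {m.group(1)} is set" if m else None


def check_o17(rest):
    m = re.search(r"NameServer\s*=\s*(.+)$", rest)
    if not m:
        return None
    ips = [ip for ip in re.split(r"[,\s]+", m.group(1).strip()) if ip]
    unexpected = [ip for ip in ips if ip not in EXPECTED_RESOLVERS]
    return ("DNS resolver outside expected set: " + ", ".join(unexpected)) if unexpected else None


def check_o20(rest):
    # Any Winlogon Notify DLL is worth a look: it loads into winlogon.exe at logon.
    return "Winlogon Notify DLL registered: " + rest.split(" - ")[-1]


CHECKS = {"F2": check_f2, "O2": check_o2, "O4": check_o4,
          "O7": check_o7, "O17": check_o17, "O20": check_o20}


def triage(log_text):
    """Run every section-specific check and collect the lines that warrant review."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, rest = parsed
        check = CHECKS.get(section)
        reason = check(rest) if check else None
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample the script reports nine lines and stays silent on the legitimate ones (the named Java BHO, the TrojanHunter autostart, the private-range resolver, the Google service). The O17 rule is the one that needs local knowledge: populate EXPECTED_RESOLVERS with the router or ISP addresses the machine should be using, since any hard-coded NameServer in the registry overrides DHCP and silently redirects every lookup.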
 • Hi Alexander,

  Any reason why your system doesn't have the essential service packs for Windows?
  You don't even have Service Pack 1. Don't update just yet; only do that once your
  system is completely malware-free!

  1. You are running HijackThis from a temp folder; this way backups are easily lost.
  Unzip HijackThis into a folder of its own, for example C:\Program Files\Hijackthis

  2. Download SDFix to your Desktop.

  Double-click to open it, select all files and extract them to a folder of their own named SDFix.
  Boot your computer into Safe Mode.
  Open the SDFix folder and double-click runthis.bat to start the tool.
  Let the computer restart when prompted.
  SDFix continues and opens a short report when it is finished!
  Post this report in your next reply.

  3. Download Combofix to your desktop

  If you have used Combofix before, please remove that version and download Combofix again via the link above, because Combofix is updated daily.

  NOTE: if, during or after downloading Combofix or while using Combofix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download Combofix again. Some scanners regard certain components Combofix uses as suspicious and will block or remove them!

  Double-click combofix.exe
  Choose "Continue" by typing 1 followed by ENTER.
  While the fix is running, do NOT click in the window, because this will make your PC hang.

  When the fix has finished and after the restart, the log combofix.txt will open.
  In your next reply post the Combofix log (combofix.txt) together with a fresh HijackThis log.

  Now post the SDFix log, the Combofix log and a fresh HijackThis log in your next message.

  Good luck!
  Pim :)
 • OK, here are a few logs. Note: if I boot in normal mode now, the whole PC freezes :?

  catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
  Rootkit scan 2007-12-03 22:40:18
  Windows 5.1.2600 NTFS

  detected NTDLL code modification:
  ZwQuerySystemInformation

  scanning hidden processes …

  scanning hidden services & system hive …

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
  "s1"=dword:2df9c43f
  "s2"=dword:110480d0
  "h0"=dword:00000001

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
  "p0"="C:\Program Files\DAEMON Tools\"
  "h0"=dword:00000000
  "khjeh"=hex:f4,35,40,68,b6,f7,b7,d1,34,54,55,b3,66,88,cf,de,0c,d2,d4,2c,75,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
  "a0"=hex:20,01,00,00,6b,b8,7e,a8,c0,4f,fb,4f,27,ed,9c,bc,6d,db,79,d2,bd,..
  "khjeh"=hex:8f,90,39,15,e9,12,12,fc,73,fc,34,0f,2d,d5,bd,31,54,59,fc,7f,2b,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
  "khjeh"=hex:ca,23,9a,24,ad,7a,de,27,31,66,fa,5f,64,60,0d,13,f4,e9,85,ea,87,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
  "khjeh"=hex:59,9e,25,40,49,4b,37,2d,5a,4e,3a,52,1e,fd,ad,e4,77,da,e2,f3,86,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
  "khjeh"=hex:f8,c4,76,3d,77,9b,c7,f3,6c,43,f8,3d,3f,28,0e,7f,95,3f,1a,d2,77,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
  "khjeh"=hex:28,5e,e1,ed,4e,fb,f8,86,a7,d4,2a,54,7a,0b,ae,ec,a4,4c,5d,99,b0,..
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
  "p0"="C:\Program Files\DAEMON Tools\"
  "h0"=dword:00000000
  "khjeh"=hex:f4,35,40,68,b6,f7,b7,d1,34,54,55,b3,66,88,cf,de,0c,d2,d4,2c,75,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
  "a0"=hex:20,01,00,00,6b,b8,7e,a8,c0,4f,fb,4f,27,ed,9c,bc,6d,db,79,d2,bd,..
  "khjeh"=hex:8f,90,39,15,e9,12,12,fc,73,fc,34,0f,2d,d5,bd,31,54,59,fc,7f,2b,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
  "khjeh"=hex:ca,23,9a,24,ad,7a,de,27,31,66,fa,5f,64,60,0d,13,f4,e9,85,ea,87,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
  "khjeh"=hex:59,9e,25,40,49,4b,37,2d,5a,4e,3a,52,1e,fd,ad,e4,77,da,e2,f3,86,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
  "khjeh"=hex:f8,c4,76,3d,77,9b,c7,f3,6c,43,f8,3d,3f,28,0e,7f,95,3f,1a,d2,77,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
  "khjeh"=hex:28,5e,e1,ed,4e,fb,f8,86,a7,d4,2a,54,7a,0b,ae,ec,a4,4c,5d,99,b0,..

  scanning hidden registry entries …

  scanning hidden files …

  scan completed successfully
  hidden processes: 0
  hidden services: 0
  hidden files: 0


  Logfile of Trend Micro HijackThis v2.0.2
  Scan saved at 22:58:15, on 3-12-2007
  Platform: Windows XP (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 (6.00.2600.0000)
  Boot mode: Safe mode with network support

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Mozilla Firefox\firefox.exe
  C:\Documents and Settings\Alex\Bureaublad\HiJackThis.exe

  O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  O2 - BHO: (no name) - {CE92CB06-A5D2-46B7-88FC-BB15CF231C21} - C:\WINDOWS\System32\cfgmgr3.dll
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
  O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
  O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
  O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
  O4 - HKCU\..\Run: [Bhmm] "C:\WINDOWS\System32\RACLE~1\ntvdm.exe" -vt yazb
  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
  O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
  O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
  O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
  O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  O17 - HKLM\System\CCS\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
  O17 - HKLM\System\CCS\Services\Tcpip\..\{7E92B53B-AC91-430B-B398-A607B3757393}: NameServer = 85.255.113.146,85.255.112.173
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
  O17 - HKLM\System\CS1\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
  O17 - HKLM\System\CS2\Services\Tcpip\..\{76948F98-0319-43DC-85F3-8C4BB796B211}: NameServer = 85.255.113.146,85.255.112.173
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.173
  O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
  O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
  O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
  O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)


  End of file - 4327 bytes


  SDFix: Version 1.116

  Run by Alex on ma 03-12-2007 at 21:56

  Microsoft Windows XP [versie 5.1.2600]

  Running From: C:\SDFX\SDFix

  Safe Mode:
  Checking Services:


  Restoring Windows Registry Values
  Restoring Windows Default Hosts File

  Rebooting…


  Normal Mode:
  Checking Files:

  Trojan Files Found:

  C:\WINDOWS\SYSTEM32\KERNEL32.EXE - Deleted
  C:\Program Files\E404 Helper\e404.v4.dll - Deleted
  C:\Program Files\Common Files\Yazzle1162OinAdmin.exe - Deleted
  C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe - Deleted
  C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\autorun.exe - Deleted
  C:\Documents and Settings\Alex\Menu Start\Programma's\Opstarten\findfast.exe - Deleted
  C:\Program Files\spoolsv.exe - Deleted
  C:\Documents and Settings\Alex\~tmp1174.exe - Deleted
  C:\WINDOWS\avp.exe - Deleted
  C:\WINDOWS\Casino.ico - Deleted
  C:\WINDOWS\Free Online Dating.ico - Deleted
  C:\WINDOWS\mgrs.exe - Deleted
  C:\WINDOWS\Spyware Remover.ico - Deleted
  C:\WINDOWS\system32\Kernel32.exe - Deleted
  C:\WINDOWS\system32\printer.exe - Deleted
  C:\WINDOWS\system32\spoolvs.exe - Deleted
  C:\WINDOWS\xpupdate.exe - Deleted
  C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
  C:\WINDOWS\system32\wsnpoem\video.dll - Deleted

  Folder C:\Program Files\E404 Helper - Removed
  Folder C:\WINDOWS\system32\wsnpoem - Removed

  Removing Temp Files…

  ADS Check:

  C:\WINDOWS
  No streams found.

  C:\WINDOWS\system32
  No streams found.

  C:\WINDOWS\system32\svchost.exe
  No streams found.

  C:\WINDOWS\system32\ntoskrnl.exe
  No streams found.

  Final Check:

  catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
  Rootkit scan 2007-12-03 22:40:18
  Windows 5.1.2600 NTFS

  detected NTDLL code modification:
  ZwQuerySystemInformation

  scanning hidden processes …

  scanning hidden services & system hive …

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
  "s1"=dword:2df9c43f
  "s2"=dword:110480d0
  "h0"=dword:00000001

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
  "p0"="C:\Program Files\DAEMON Tools\"
  "h0"=dword:00000000
  "khjeh"=hex:f4,35,40,68,b6,f7,b7,d1,34,54,55,b3,66,88,cf,de,0c,d2,d4,2c,75,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
  "a0"=hex:20,01,00,00,6b,b8,7e,a8,c0,4f,fb,4f,27,ed,9c,bc,6d,db,79,d2,bd,..
  "khjeh"=hex:8f,90,39,15,e9,12,12,fc,73,fc,34,0f,2d,d5,bd,31,54,59,fc,7f,2b,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
  "khjeh"=hex:ca,23,9a,24,ad,7a,de,27,31,66,fa,5f,64,60,0d,13,f4,e9,85,ea,87,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
  "khjeh"=hex:59,9e,25,40,49,4b,37,2d,5a,4e,3a,52,1e,fd,ad,e4,77,da,e2,f3,86,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
  "khjeh"=hex:f8,c4,76,3d,77,9b,c7,f3,6c,43,f8,3d,3f,28,0e,7f,95,3f,1a,d2,77,..

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
  "khjeh"=hex:28,5e,e1,ed,4e,fb,f8,86,a7,d4,2a,54,7a,0b,ae,ec,a4,4c,5d,99,b0,..
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
  "p0"="C:\Program Files\DAEMON Tools\"
  "h0"=dword:00000000
  "khjeh"=hex:f4,35,40,68,b6,f7,b7,d1,34,54,55,b3,66,88,cf,de,0c,d2,d4,2c,75,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
  "a0"=hex:20,01,00,00,6b,b8,7e,a8,c0,4f,fb,4f,27,ed,9c,bc,6d,db,79,d2,bd,..
  "khjeh"=hex:8f,90,39,15,e9,12,12,fc,73,fc,34,0f,2d,d5,bd,31,54,59,fc,7f,2b,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
  "khjeh"=hex:ca,23,9a,24,ad,7a,de,27,31,66,fa,5f,64,60,0d,13,f4,e9,85,ea,87,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
  "khjeh"=hex:59,9e,25,40,49,4b,37,2d,5a,4e,3a,52,1e,fd,ad,e4,77,da,e2,f3,86,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
  "khjeh"=hex:f8,c4,76,3d,77,9b,c7,f3,6c,43,f8,3d,3f,28,0e,7f,95,3f,1a,d2,77,..

  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
  "khjeh"=hex:28,5e,e1,ed,4e,fb,f8,86,a7,d4,2a,54,7a,0b,ae,ec,a4,4c,5d,99,b0,..

  scanning hidden registry entries …

  scanning hidden files …

  scan completed successfully
  hidden processes: 0
  hidden services: 0
  hidden files: 0


  Remaining Services:
  ——————

  Authorized Application Key Export:

  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
  "C:\\Program Files\\xloader10181.exe"="C:\\Program Files\\xloader10181.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\Documents and Settings\\Alex\\Menu Start\\Programma's\\Opstarten\\findfast.exe"="C:\\Documents and Settings\\Alex\\Menu Start\\Programma's\\Opstarten\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\Documents and Settings\\All Users.WINDOWS\\Menu Start\\Programma's\\Opstarten\\autorun.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Menu Start\\Programma's\\Opstarten\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
  "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\WINDOWS\\TEMP\\win56.exe"="C:\\WINDOWS\\TEMP\\win56.exe:*:Enabled:win56"

  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
  "C:\\Program Files\\xloader10181.exe"="C:\\Program Files\\xloader10181.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\Documents and Settings\\Alex\\Menu Start\\Programma's\\Opstarten\\findfast.exe"="C:\\Documents and Settings\\Alex\\Menu Start\\Programma's\\Opstarten\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
  "C:\\Documents and Settings\\All Users.WINDOWS\\Menu Start\\Programma's\\Opstarten\\autorun.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Menu Start\\Programma's\\Opstarten\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
  "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

  Remaining Files:
  —————

  File Backups: - C:\SDFX\SDFix\backups\backups.zip

  Files with Hidden Attributes:

  Sat 20 Oct 2007 5,903,928 A..H. — "C:\Program Files\Picasa2\setup.exe"
  Tue 23 Nov 2004 303,104 A..H. — "C:\Documents and Settings\Alex\Bureaublad\Maya\Maya44.dll"
  Tue 23 Nov 2004 325,344 A..H. — "C:\Documents and Settings\Alex\Bureaublad\Maya\Maya44.sys"
  Tue 23 Nov 2004 139,264 A..H. — "C:\Documents and Settings\Alex\Bureaublad\Maya\Maya44USBPanel.exe"
  Tue 23 Nov 2004 23,360 A..H. — "C:\Documents and Settings\Alex\Bureaublad\Maya\pgusbmm3.sys"
  Wed 24 Nov 2004 299,008 A..H. — "C:\Documents and Settings\Alex\Bureaublad\Maya\Setup98ME.exe"
  Wed 24 Nov 2004 315,392 A..H. — "C:\Documents and Settings\Alex\Bureaublad\Maya\SetupXP2k.exe"
  Thu 22 Nov 2007 8,194,048 …H. — "C:\Documents and Settings\Alex\Bureaublad\School\MCV\~WRL0005.tmp"
  Sun 2 Dec 2007 12,254,720 …H. — "C:\Documents and Settings\Alex\Bureaublad\School\MCV\~WRL2853.tmp"

  Finished!


  Hope you can do something with this :D

This is an archived page. Replying is no longer possible.