Question & Answer

Security & privacy

Also troubled by the Vundo virus

Anonymous
M@rc
3 answers
 • I also have the Vundo virus. I have read earlier topics here and also downloaded and ran VundoFix… it gave a message that not everything could be removed yet (even after the reboot one file remains…)

  I also ran HijackThis, and the result is below…

  P.S. My virus scanner currently no longer shows it…

  Can you give me some more advice on the next steps…????

  Thanks :lol:

  Logfile of HijackThis v1.99.1
  Scan saved at 22:34:01, on 6-1-2008
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
  C:\Program Files\NavNT\defwatch.exe
  C:\Program Files\Common Files\LightScribe\LSSrvc.exe
  C:\Program Files\NavNT\rtvscan.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
  C:\WINDOWS\system32\vmnat.exe
  C:\WINDOWS\system32\vmnetdhcp.exe
  C:\Program Files\Canon\CAL\CALMAIN.exe
  C:\WINDOWS\system32\MsgSys.EXE
  C:\PROGRA~1\NavNT\vptray.exe
  C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
  C:\Program Files\Spamihilator\spamihilator.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  C:\WINDOWS\system32\wuauclt.exe
  C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
  C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
  C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
  C:\Program Files\Webshots\webshots.scr
  C:\hijack\hijackthis\HijackThis.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnnnki.dll
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O2 - BHO: (no name) - {A32344BE-8F6B-47AF-A1DC-D45AA5214717} - C:\WINDOWS\system32\gebya.dll (file missing)
  O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
  O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
  O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
  O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
  O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
  O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
  O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O4 - Global Startup: Spamihilator.lnk = ?
  O4 - Global Startup: VPN Client.lnk = ?
  O4 - Global Startup: ZDConfig.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
  O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://83.167.223.15/admin/jre-1_5_0_10-windows-i586-p.exe
  O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
  O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA03BC1-C11E-469F-93BD-B537B68CDD3D}: NameServer = 62.58.50.5,62.58.50.6
  O17 - HKLM\System\CCS\Services\Tcpip\..\{5F199EE0-82F6-4C22-91DA-42DA6B8B6423}: NameServer = 62.58.50.5,62.58.50.6
  O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
  O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
  O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
  O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
  O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
  O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
  O20 - Winlogon Notify: opnnnki - C:\WINDOWS\SYSTEM32\opnnnki.dll
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
  O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
  O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
  O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
  O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
  O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  O23 - Service: PETER Connects Audio Service (PcaAudioService) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaAudioService.exe
  O23 - Service: PETER Connects Telephone List Loading Utility service (PcaLdb1Service) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaLdb1Service.exe
  O23 - Service: PETER Connects Main service (PcaMainService) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaMainService.EXE
  O23 - Service: PETER Connects Management service (PcaMngtService) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaMngtService.exe
  O23 - Service: PETER Connects TAPI Interface service (PcaTapiService) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaTapiService.exe
  O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
  O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
  O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
  O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
  O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
  O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
  O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
  O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
 • You are using an old version of HijackThis. It is best to use this version: http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

  Close all open windows.
  Start HijackThis again and put a checkmark next to the following items:

  O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnnnki.dll
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O20 - Winlogon Notify: opnnnki - C:\WINDOWS\SYSTEM32\opnnnki.dll

  Then click "Fix checked" and close HijackThis.

  Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  Save it to your desktop.
  Double-click it to start the program.
  In the window that appears, type 1 to run the cleaning and analysis process.
  Follow the on-screen instructions.
  When the tool is finished, a log file (combofix.txt) opens.
  Post the contents of this file together with a new HijackThis log.
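The three lines ticked in the reply above share a pattern that can be checked mechanically: a BHO registered without a class name, a BHO whose DLL no longer exists, and a Winlogon Notify package that is not one of the Windows XP defaults. The script below is an added example, not part of this thread and not a HijackThis feature; it runs that triage over a constructed excerpt of the posted log. The allowlist of Winlogon Notify packages (the XP defaults plus Symantec's NavLogon, which appears in this log) and the "fix" versus "review" split are assumptions of the example. Note that it also catches the orphaned gebya.dll entry (`file missing`), which the reply did not list.

```python
"""Mechanical triage of HijackThis O2 (BHO) and O20 (Winlogon Notify) lines.

Added example for this thread; it is not part of HijackThis and the
heuristics below are the example author's assumptions, not a vendor rule set.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the log posted above (same lines, nothing added).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnnnki.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A32344BE-8F6B-47AF-A1DC-D45AA5214717} - C:\WINDOWS\system32\gebya.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: opnnnki - C:\WINDOWS\SYSTEM32\opnnnki.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Winlogon Notify packages that ship with Windows XP, plus Symantec's NavLogon
# seen in this log. Assumption: anything else loading into winlogon.exe needs a look.
NOTIFY_ALLOWLIST = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "navlogon",
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "fix": tick it in HijackThis; "review": look the file up first
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing to report."""
    m = BHO_RE.match(line)
    if m:
        name, path = m["name"], m["path"]
        if path == "(no file)" or path.endswith("(file missing)"):
            # Registration points at a DLL that is gone: harmless now, but the
            # CLSID is left over from the infection and should be cleaned up.
            return Finding("fix", "orphaned BHO registration, DLL not on disk", line)
        if name == "(no name)":
            # Legitimate BHOs register a class name; Vundo's randomly named
            # DLLs dropped into system32 do not.
            sev = "fix" if "\\system32\\" in path.lower() else "review"
            return Finding(sev, "unnamed BHO", line)
        return None
    m = NOTIFY_RE.match(line)
    if m and m["name"].lower() not in NOTIFY_ALLOWLIST:
        # A Winlogon Notify DLL runs inside winlogon.exe as SYSTEM and is
        # reloaded at every logon, which is why Vundo uses it for persistence.
        return Finding("fix", "Winlogon Notify package not on the XP allowlist", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the findings."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw.strip())
        if f is not None:
            findings.append(f)
    return findings


def fix_list(log_text: str) -> List[str]:
    """The lines to tick before pressing 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

The allowlist approach is deliberately conservative: a Notify DLL from a vendor you trust will show up as "fix" until you add it, which is the right failure mode for a key that loads code into winlogon.exe.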
 • OK, here are the new log files…

  hijackthis:

  Logfile of HijackThis v1.99.1
  Scan saved at 22:34:01, on 6-1-2008
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\Ati2evxx.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
  C:\Program Files\NavNT\defwatch.exe
  C:\Program Files\Common Files\LightScribe\LSSrvc.exe
  C:\Program Files\NavNT\rtvscan.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
  C:\WINDOWS\system32\vmnat.exe
  C:\WINDOWS\system32\vmnetdhcp.exe
  C:\Program Files\Canon\CAL\CALMAIN.exe
  C:\WINDOWS\system32\MsgSys.EXE
  C:\PROGRA~1\NavNT\vptray.exe
  C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
  C:\Program Files\Spamihilator\spamihilator.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  C:\WINDOWS\system32\wuauclt.exe
  C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
  C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
  C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
  C:\Program Files\Webshots\webshots.scr
  C:\hijack\hijackthis\HijackThis.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnnnki.dll
  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O2 - BHO: (no name) - {A32344BE-8F6B-47AF-A1DC-D45AA5214717} - C:\WINDOWS\system32\gebya.dll (file missing)
  O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
  O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
  O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
  O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
  O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
  O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
  O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O4 - Global Startup: Spamihilator.lnk = ?
  O4 - Global Startup: VPN Client.lnk = ?
  O4 - Global Startup: ZDConfig.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
  O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://83.167.223.15/admin/jre-1_5_0_10-windows-i586-p.exe
  O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
  O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA03BC1-C11E-469F-93BD-B537B68CDD3D}: NameServer = 62.58.50.5,62.58.50.6
  O17 - HKLM\System\CCS\Services\Tcpip\..\{5F199EE0-82F6-4C22-91DA-42DA6B8B6423}: NameServer = 62.58.50.5,62.58.50.6
  O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
  O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
  O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
  O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
  O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
  O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
  O20 - Winlogon Notify: opnnnki - C:\WINDOWS\SYSTEM32\opnnnki.dll
  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
  O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
  O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
  O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
  O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
  O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
  O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  O23 - Service: PETER Connects Audio Service (PcaAudioService) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaAudioService.exe
  O23 - Service: PETER Connects Telephone List Loading Utility service (PcaLdb1Service) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaLdb1Service.exe
  O23 - Service: PETER Connects Main service (PcaMainService) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaMainService.EXE
  O23 - Service: PETER Connects Management service (PcaMngtService) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaMngtService.exe
  O23 - Service: PETER Connects TAPI Interface service (PcaTapiService) - JDM Software BV - Maassluis - The Netherlands. - C:\Program Files\PETER Connects\Programs\PcaTapiService.exe
  O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
  O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
  O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
  O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
  O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
  O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
  O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
  O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

  and combofix:

  ComboFix 08-01-07.5 - blomk 2008-01-07 22:22:32.1 - NTFSx86
  Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.833 [GMT 1:00]
  Running from: C:\Documents and Settings\blomk.KEN.000\Bureaublad\ComboFix.exe
  * Created a new restore point
  .

  (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
  .

  C:\Documents and Settings\blomk.KEN.000\Application Data\inst.exe
  C:\WINDOWS\system32\lonpo.ini
  C:\WINDOWS\system32\lonpo.ini2

  .
  (((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 ))))))))))))))))))))))))))))))
  .

  2008-01-07 22:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
  2008-01-07 22:14 . 2008-01-07 22:14 <DIR> d-------- C:\Program Files\Trend Micro
  2008-01-06 22:36 . 2008-01-06 22:36 314,720 --a------ C:\WINDOWS\system32\opnol.dll
  2008-01-06 22:00 . 2008-01-06 22:28 <DIR> d-------- C:\VundoFix Backups
  2008-01-06 11:54 . 2008-01-06 11:54 <DIR> d-------- C:\Program Files\ZyDAS Technology Corporation
  2008-01-06 11:54 . 2003-04-23 19:25 61,440 --a------ C:\WINDOWS\system32\ZDTRLib.DLL
  2008-01-06 11:54 . 2002-10-29 17:35 61,440 --a------ C:\WINDOWS\system32\ZDN50.dll
  2008-01-06 11:54 . 2003-04-23 19:25 49,152 --a------ C:\WINDOWS\system32\ZD12APP.dll
  2008-01-06 11:54 . 2003-05-15 18:29 38,656 --a------ C:\WINDOWS\system32\drivers\ZD1201U.sys
  2008-01-06 11:54 . 2003-05-12 14:56 25,088 --a------ C:\WINDOWS\system32\UNZD1201.exe
  2008-01-06 11:54 . 2003-03-14 12:24 24,576 --a------ C:\WINDOWS\system32\ZyDelReg.exe
  2008-01-06 11:54 . 2003-05-23 17:53 24,576 --a------ C:\WINDOWS\system32\KZDAPP.exe
  2008-01-06 11:54 . 2003-05-21 17:34 24,576 --a------ C:\WINDOWS\system32\InsDrvZD.dll
  2008-01-06 11:54 . 2002-10-30 11:43 16,157 --a------ C:\WINDOWS\system32\ZDNDIS5.sys
  2008-01-05 17:36 . 2008-01-05 17:36 <DIR> d-------- C:\Program Files\Microsoft.NET
  2008-01-05 17:36 . 2008-01-05 17:36 <DIR> d-------- C:\Program Files\Microsoft Works
  2008-01-05 17:36 . 2008-01-05 17:36 <DIR> dr-h----- C:\MSOCache
  2008-01-05 17:35 . 2008-01-05 17:35 <DIR> d-------- C:\Program Files\RankingCounter
  2008-01-05 17:35 . 2008-01-05 17:35 <DIR> d-------- C:\os-call
  2008-01-05 17:35 . 2008-01-05 17:35 <DIR> d-------- C:\DutchPornPosters posten - FTD 471320 - BigTitsBoss - Shyla Dicktating - 27-08-2007 - BigTitsBoss-Shyla_Dicktatingnzb
  2008-01-05 17:35 . 2008-01-05 17:35 <DIR> d-------- C:\debian
  2008-01-05 16:22 . 2008-01-05 17:34 <DIR> d---s---- C:\Documents and Settings\————\ASPNET
  2008-01-05 13:52 . 2008-01-05 13:52 <DIR> d-------- C:\Program Files\Microsoft(2).NET
  2008-01-05 13:50 . 2008-01-05 13:50 <DIR> d-------- C:\Program Files\MSXML 6.0
  2008-01-05 13:46 . 2008-01-05 13:52 <DIR> d-------- C:\Program Files\Microsoft SQL Server
  2008-01-05 13:01 . 2008-01-05 13:01 <DIR> d-------- C:\Program Files\Solarwinds
  2008-01-05 12:57 . 2001-07-21 22:23 8,002 --a------ C:\WINDOWS\system32\smtpctrs.h
  2008-01-05 12:57 . 2001-07-21 22:23 773 --a------ C:\WINDOWS\system32\ntfsdrct.h
  2008-01-05 12:55 . 2001-09-07 14:00 5,379 --a------ C:\WINDOWS\system32\w3ctrs.h
  2008-01-05 12:55 . 2001-09-07 14:00 3,276 --a------ C:\WINDOWS\system32\infoctrs.h
  2008-01-05 12:55 . 2001-09-07 14:00 2,024 --a------ C:\WINDOWS\system32\axctrnm.h
  2008-01-05 12:49 . 2008-01-05 12:49 <DIR> d-------- C:\Documents and Settings\blomk.KEN.000\Application Data\SolarWinds
  2008-01-05 12:46 . 2008-01-05 12:46 <DIR> d-------- C:\Program Files\MSBuild
  2008-01-05 12:38 . 2008-01-05 17:35 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
  2008-01-05 12:37 . 2008-01-05 12:37 <DIR> d-------- C:\Program Files\Reference Assemblies
  2008-01-05 12:28 . 2008-01-05 12:28 <DIR> d-------- C:\solarwinds
  2008-01-05 12:07 . 2008-01-05 17:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
  2008-01-03 22:25 . 2008-01-03 22:28 <DIR> d-------- C:\voip-module
  2007-12-23 19:47 . 2008-01-05 17:37 <DIR> d-------- C:\Program Files\ZyDAS Technology Corporation(2)
  2007-12-23 19:06 . 2003-04-25 15:17 70,388 --------- C:\WINDOWS\system32\drivers\WS01UPH.bin
  2007-12-16 20:56 . 2007-12-16 20:56 24,336 --------- C:\WINDOWS\system32\opnnnki.dll
  2007-12-08 20:12 . 2007-12-08 20:12 0 --a------ C:\WINDOWS\nsreg.dat

  .
  ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
  .
  2008-01-07 21:38 --------- d-----w C:\Documents and Settings\blomk.KEN.000\Application Data\Spamihilator
  2008-01-07 21:37 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\VMware
  2008-01-07 21:37 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\VMware
  2008-01-06 10:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
  2008-01-05 16:37 --------- d-----w C:\Program Files\DartManager
  2008-01-05 16:36 --------- d-----w C:\Program Files\Net Tools
  2008-01-05 16:36 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
  2008-01-05 16:35 --------- d-----w C:\Program Files\Round Robin Scheduler 4.0
  2008-01-04 21:24 --------- d-----w C:\Documents and Settings\blomk.KEN.000\Application Data\GrabIt
  2007-12-26 11:08 --------- d-----w C:\Program Files\Common Files\Galactix Software
  2007-12-05 19:40 --------- d-----w C:\Program Files\SpeedFan
  2007-12-01 18:55 --------- d-----w C:\Program Files\GrabIt
  2007-11-30 20:56 --------- d-----w C:\Documents and Settings\blomk.KEN.000\Application Data\Wireshark
  2007-11-30 20:41 --------- d-----w C:\Program Files\Wireshark
  2007-11-30 20:40 --------- d-----w C:\Program Files\WinPcap
  2007-11-25 12:41 --------- d-----w C:\Documents and Settings\blomk.KEN.000\Application Data\VMware
  2007-11-25 10:38 737,280 ----a-w C:\WINDOWS\iun6002.exe
  2007-11-25 10:38 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4 NL
  2007-11-20 18:35 1,529,790 ----a-w C:\mrtg-2.9.29.zip
  2007-11-18 21:32 --------- d-----w C:\Program Files\DVD Shrink
  2007-11-18 21:32 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
  2007-11-17 11:02 --------- d-----w C:\Program Files\Lavasoft
  2007-11-17 11:02 --------- d-----w C:\Documents and Settings\blomk.KEN.000\Application Data\Lavasoft
  2007-11-17 10:59 --------- d-----w C:\Program Files\DynGate
  2007-11-10 19:03 --------- d-----w C:\Program Files\Activision
  2007-11-10 15:52 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
  2007-11-10 15:52 22,328 ----a-w C:\Documents and Settings\blomk.KEN.000\Application Data\PnkBstrK.sys
  2007-11-10 15:51 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
  2007-11-10 15:51 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
  2007-11-09 21:31 --------- d-----w C:\Program Files\PETER Connects
  2007-11-09 21:28 94,208 ----a-w C:\Documents and Settings\blomk.KEN.000\Application Data\ezplay.sys
  2007-11-09 21:28 47,360 ----a-w C:\Documents and Settings\blomk.KEN.000\Application Data\pcouffin.sys
  2007-11-09 21:28 --------- d-----w C:\Documents and Settings\blomk.KEN.000\Application Data\Vso
  2007-11-09 21:25 --------- d-----w C:\Program Files\Rainbow Technologies
  2007-11-09 19:23 94,208 ----a-w C:\WINDOWS\system32\drivers\ezplay.sys
  2007-11-09 19:23 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
  .

  ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
  .
  .
  REGEDIT4
  *Note* empty entries & legit default entries are not shown

  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
  2007-12-16 20:56 24336 --------- C:\WINDOWS\system32\opnnnki.dll

  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F5C8DCE-6E85-432D-8E79-8C28EAA9FEF3}]
  2008-01-06 22:36 314720 --a------ C:\WINDOWS\system32\opnol.dll

  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A32344BE-8F6B-47AF-A1DC-D45AA5214717}]
  C:\WINDOWS\system32\gebya.dll

  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03 15360]

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "PtiuPbmd"="ulutil2.dll" [2003-11-05 19:06 110592 C:\WINDOWS\system32\ulutil2.dll]
  "vptray"="C:\PROGRA~1\NavNT\vptray.exe" [2001-09-24 06:59 73728]
  "Cmaudio"="cmicnfg.cpl" []
  "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 08:12 90112]
  "Spamihilator"="C:\Program Files\Spamihilator\spamihilator.exe" [2007-08-09 15:34 651264]
  "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
  "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03 15360]

  C:\Documents and Settings\blomk.KEN\Menu Start\Programma's\Opstarten\
  SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe [2007-09-17 18:04:02]

  C:\Documents and Settings\blomk.KEN.000\Menu Start\Programma's\Opstarten\
  Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2006-04-03 18:19:21]

  C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\
  Adobe Reader Snelle start.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
  Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56]
  Spamihilator.lnk - C:\Program Files\Spamihilator\spamihilator.exe [2007-08-09 15:34:08]
  VPN Client.lnk - C:\WINDOWS\Installer\{229205AC-74D7-4045-BE2E-F3276B498EF1}\Icon3E5562ED7.ico [2007-10-22 18:47:20]
  ZDConfig.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe [2008-01-06 11:54:04]

  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
  "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\opnnnki.dll [2007-12-16 20:56 24336]

  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnki]
  opnnnki.dll 2007-12-16 20:56 24336 C:\WINDOWS\system32\opnnnki.dll

  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
  "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
  Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\opnol.dll

  R0 DontGo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\drivers\DontGo.sys [2004-06-29 15:25]
  R0 ulsata2;ulsata2;C:\WINDOWS\system32\drivers\ulsata2.sys [2005-06-29 17:44]
  R3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);C:\WINDOWS\system32\DRIVERS\zd1201u.sys [2003-05-15 18:29]
  R3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\system32\ZDNDIS5.SYS [2002-10-30 11:43]
  S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-29 01:01]
  S3 PcaAudioService;PETER Connects Audio Service;"C:\Program Files\PETER Connects\Programs\PcaAudioService.exe" [2007-10-23 13:18]
  S3 PcaLdb1Service;PETER Connects Telephone List Loading Utility service;"C:\Program Files\PETER Connects\Programs\PcaLdb1Service.exe" [2007-10-23 13:16]
  S3 PcaMainService;PETER Connects Main service;"C:\Program Files\PETER Connects\Programs\PcaMainService.EXE" [2007-10-23 14:22]
  S3 PcaMngtService;PETER Connects Management service;"C:\Program Files\PETER Connects\Programs\PcaMngtService.exe" [2007-10-23 13:11]
  S3 PcaTapiService;PETER Connects TAPI Interface service;"C:\Program Files\PETER Connects\Programs\PcaTapiService.exe" [2007-10-23 14:22]
  S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" [2007-01-09 23:17]
  S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2006-10-22 04:30]

  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##bianca#d]
  \Shell\AutoRun\command - Z:\Setup.EXE

  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
  \Shell\AutoRun\command - H:\setup\rsrc\Autorun.exe
  \Shell\dinstall\command - H:\Directx\dxsetup.exe

  .
  **************************************************************************

  catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
  Rootkit scan 2008-01-07 22:39:05
  Windows 5.1.2600 Service Pack 2 NTFS

  scanning hidden processes ...

  scanning hidden autostart entries ...

  scanning hidden files ...

  scan completed successfully
  hidden files: 0

  **************************************************************************
  .
  --------------------- DLLs Loaded Under Running Processes ---------------------

  PROCESS: C:\WINDOWS\system32\winlogon.exe
  -> C:\WINDOWS\system32\opnnnki.dll
  -> C:\WINDOWS\system32\NavLogon.dll

  PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
  -> C:\WINDOWS\system32\opnol.dll

  PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
  -> C:\WINDOWS\system32\opnol.dll
  -> C:\WINDOWS\system32\opnnnki.dll
  .
  Completion time: 2008-01-07 22:46:29 - machine was rebooted
  ComboFix-quarantined-files.txt 2008-01-07 21:46:22
  ComboFix2.txt 2007-06-02 11:13:47
  ComboFix3.txt 2007-05-28 18:42:07
  ComboFix4.txt 2007-05-28 11:49:44


  Thanks :)
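Read as an analyst would, the ComboFix log above ties the two DLLs together: opnol.dll was created on 2008-01-06 22:36 (after VundoFix had run), is registered as an LSA authentication package next to msv1_0, and is loaded inside lsass.exe and Explorer; opnnnki.dll sits in winlogon.exe and Explorer. The script below is an added example, not part of this thread and not a ComboFix feature: it parses a constructed excerpt of that log (with the forum's em-dash mangling of the attribute columns reversed), correlates the DLLs loaded into winlogon, lsass and explorer with the "Files Created" list, and flags any LSA authentication package other than msv1_0. The 30-day window, the sensitive-process list and the assumption that package paths contain no spaces are the example's own choices.

```python
"""Correlate ComboFix sections: recently created DLLs loaded into winlogon,
lsass or explorer, and extra LSA authentication packages.

Added example for this thread; it is not a ComboFix feature. The window,
the sensitive-process list and the no-spaces assumption for LSA package
paths are the example author's choices.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the ComboFix log posted above; only the lines the
# analysis needs are kept and the attribute columns are restored to plain hyphens.
SAMPLE_LOG = r"""
ComboFix 08-01-07.5 - blomk 2008-01-07 22:22:32.1 - NTFSx86

(((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 ))))))))))))))))))))))))))))))

2008-01-07 22:21 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 22:14 . 2008-01-07 22:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-06 22:36 . 2008-01-06 22:36 314,720 --a------ C:\WINDOWS\system32\opnol.dll
2007-12-16 20:56 . 2007-12-16 20:56 24,336 --------- C:\WINDOWS\system32\opnnnki.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\opnol.dll

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\opnnnki.dll
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\opnol.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\opnol.dll
-> C:\WINDOWS\system32\opnnnki.dll
"""

# Processes where a freshly dropped DLL is a persistence red flag (assumption).
SENSITIVE_PROCESSES = {"winlogon.exe", "lsass.exe", "explorer.exe"}

SCAN_RE = re.compile(r"^ComboFix \S+ - \S+ (\d{4})-(\d{2})-(\d{2}) ")
CREATED_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2} \. \S+ \S+ (?:<DIR>|[\d,]+) \S{9} (.+)$"
)
LSA_RE = re.compile(r"^Authentication Packages REG_MULTI_SZ (.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def parse(text: str) -> Tuple[Optional[date], Dict[str, date], Dict[str, List[str]], List[str]]:
    """Pull the scan date, created files, loaded DLLs and LSA packages out of the log."""
    scan_date: Optional[date] = None
    created: Dict[str, date] = {}       # lower-cased path -> creation date
    loaded: Dict[str, List[str]] = {}   # process basename -> DLL paths
    lsa_packages: List[str] = []
    proc: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SCAN_RE.match(line)
        if m:
            scan_date = date(*(int(g) for g in m.groups()))
            continue
        m = CREATED_RE.match(line)
        if m:
            y, mo, d, path = m.groups()
            created[path.lower()] = date(int(y), int(mo), int(d))
            continue
        m = LSA_RE.match(line)
        if m:
            lsa_packages = m.group(1).split()  # assumption: no spaces in package paths
            continue
        if line.startswith("PROCESS: "):
            exe = line[len("PROCESS: "):].split(" [")[0]   # drop the "[version]" suffix
            proc = exe.rsplit("\\", 1)[-1].lower()
            continue
        if line.startswith("-> ") and proc is not None:
            loaded.setdefault(proc, []).append(line[3:])
    return scan_date, created, loaded, lsa_packages


def analyze(text: str, window_days: int = 30) -> List[Finding]:
    """Flag recent DLLs inside sensitive processes and non-default LSA packages."""
    scan_date, created, loaded, lsa_packages = parse(text)
    findings: List[Finding] = []
    for proc, dlls in loaded.items():
        if proc not in SENSITIVE_PROCESSES:
            continue
        for dll in dlls:
            born = created.get(dll.lower())
            if scan_date is None or born is None:
                continue  # not in the created window: this log alone says nothing
            age = (scan_date - born).days
            if age <= window_days:
                findings.append(Finding(f"recent-dll-in-{proc}",
                                        f"{dll} created {born.isoformat()}, {age} days before the scan"))
    for pkg in lsa_packages:
        if pkg.lower() != "msv1_0":
            # XP's default is msv1_0 alone; an extra entry is loaded into lsass.exe
            # at boot and survives most user-mode cleanup, which fits opnol.dll here.
            findings.append(Finding("lsa-auth-package", f"unexpected package {pkg}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind}: {f.detail}")
```

The "DLLs Loaded Under Running Processes" section is the most useful part of this log for deciding what still needs removing: a file that is loaded into winlogon.exe or lsass.exe cannot be deleted while those processes run, which is why tools like ComboFix schedule the removal and reboot.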


This is an archived page. Replying is no longer possible.