Question & Answer

Security & privacy

Trojan.vundo

Anonymous
M@rc
72 answers
  • Post the new ComboFix log.
  • "Admin" - 2008-05-01 15:58:12 Service Pack 2 [SAFE MODE]
    ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Admin\"
    Command switches used :: ""C:\Documents and Settings\Admin\Bureaublad\CFScript.txt""


    ((((((((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 ))))))))))))))))))))))))))))))))))


    2008-05-01 12:12 <DIR> d-------- C:\VundoFix Backups
    2008-05-01 11:54 107,072 --a------ C:\WINDOWS\system32\ahmmqqae.dll
    2008-05-01 11:53 107,072 --a------ C:\WINDOWS\system32\pwfnpetw.dll
    2008-05-01 11:45 89,070 --a------ C:\WINDOWS\system32\myss_sb_uninstall.exe
    2008-05-01 11:42 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Mijn documenten
    2008-05-01 11:26 88,560 -ra------ C:\WINDOWS\system32\drivers\K320mgmt.sys
    2008-04-30 23:49 283,136 --------- C:\WINDOWS\system32\qoMcdCTn.dll
    2008-04-30 23:49 198,501 --ahs---- C:\WINDOWS\system32\nTCdcMoq.ini2
    2008-04-30 23:44 0 --a------ C:\WINDOWS\system32\taskkill.exe
    2008-04-30 23:44 <DIR> d--hs---- C:\DOCUME~1\Admin\!
    2008-04-30 23:43 858 --a------ C:\WINDOWS\system32\winpfz33.sys
    2008-04-30 23:42 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    2008-04-30 23:42 298,311 --a------ C:\WINDOWS\system32\gside.exe
    2008-04-30 23:41 87,423 --a------ C:\Temp\oRUsa080.exe
    2008-04-30 23:41 <DIR> d-------- C:\WINDOWS\system32\pnVes05
    2008-04-30 23:41 <DIR> d-------- C:\WINDOWS\system32\jp7
    2008-04-30 23:41 <DIR> d-------- C:\WINDOWS\system32\dn4
    2008-04-30 23:41 <DIR> d-------- C:\Temp\zvebs14
    2008-04-30 23:41 <DIR> d-------- C:\Temp\1cb
    2008-04-30 23:41 <DIR> d-------- C:\Temp
    2008-04-23 00:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-04-22 18:36 86,368 -ra------ C:\WINDOWS\system32\drivers\K320obex.sys
    2008-04-22 14:58 <DIR> d-------- C:\Program Files\Common Files\Authentium
    2008-04-20 15:45 97,056 -ra------ C:\WINDOWS\system32\drivers\K320mdm.sys
    2008-04-20 15:45 9,328 -ra------ C:\WINDOWS\system32\drivers\K320mdfl.sys
    2008-04-20 15:45 61,504 -ra------ C:\WINDOWS\system32\drivers\K320bus.sys
    2008-04-20 15:45 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cmnt.sys
    2008-04-20 15:45 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cm.sys
    2008-04-20 15:45 5,840 -ra------ C:\WINDOWS\system32\drivers\K320whnt.sys
    2008-04-20 15:45 5,840 -ra------ C:\WINDOWS\system32\drivers\K320wh.sys
    2008-04-20 15:44 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Teleca
    2008-04-20 15:44 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Sony Ericsson
    2008-04-20 15:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Documents
    2008-04-20 15:39 <DIR> d-------- C:\Program Files\Sony Ericsson
    2008-04-20 15:39 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2008-04-20 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Teleca
    2008-04-20 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
    2008-04-10 14:53 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Leadertech
    2008-04-02 17:50 <DIR> d-------- C:\Program Files\VideoLAN


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2008-05-01 09:45:09 -------- d-----w C:\Program Files\Hitman Pro
    2008-05-01 09:28:30 -------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-04-30 21:32:26 -------- d-----w C:\Program Files\Windows Media Connect 2
    2008-04-30 21:24:54 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\Xfire
    2008-04-30 17:57:13 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\Bioshock
    2008-04-29 12:14:35 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\Azureus
    2008-04-26 12:43:49 -------- d-----w C:\Program Files\Winamp Remote
    2008-04-21 11:16:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-18 19:39:27 -------- d-----w C:\Program Files\Azureus
    2008-04-14 13:45:19 -------- d-----w C:\Program Files\DivX
    2008-04-12 16:34:50 83,854 ----a-w C:\WINDOWS\system32\perfc013.dat
    2008-04-12 16:34:50 472,888 ----a-w C:\WINDOWS\system32\perfh013.dat
    2008-04-10 09:35:32 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2008-04-10 09:35:32 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2008-04-02 15:52:55 -------- d-----w C:\DOCUME~1\Admin\APPLIC~1\vlc
    2008-03-31 21:25:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-03-31 21:25:48 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2008-03-31 21:25:48 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2008-03-31 21:25:46 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
    2008-03-31 21:25:46 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2008-03-31 21:25:46 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2008-03-21 20:30:12 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-03-21 20:30:08 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-03-21 20:30:00 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-03-21 20:30:00 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-03-21 20:28:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-03-21 20:28:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2008-03-21 20:28:52 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2008-03-21 20:28:50 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2008-03-21 20:28:50 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2008-03-21 20:28:50 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2008-03-21 20:28:50 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2008-03-21 20:28:50 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2008-03-21 20:28:20 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-03-20 08:10:47 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-02-21 02:05:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2008-02-21 02:05:38 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2008-02-21 02:05:38 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2008-02-20 06:51:59 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:39:05 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {0DBE9761-3CDC-4C0F-BB31-7AF8756CF594}=C:\WINDOWS\system32\qoMcdCTn.dll [2008-04-30 23:49]
    {3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}=C:\WINDOWS\system32\ahmmqqae.dll [2008-05-01 11:54]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
    "RTHDCPL"="RTHDCPL.EXE" []
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
    "Preventon RealTime Antivirus"="C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe" [2008-03-18 11:41]
    "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 01:12]
    "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 01:13]
    "LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2007-02-06 17:43]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41]
    "nwiz"="nwiz.exe" [2007-12-05 02:41 C:\WINDOWS\system32\nwiz.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 00:54]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
    "BM538ace70"="C:\WINDOWS\system32\pwfnpetw.dll" [2008-05-01 11:53]
    "50b9fdec"="C:\WINDOWS\system32\icwnfkvc.dll" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
    "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-01 20:25]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27]
    "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 14:20]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 16:16]
    "Fraps"="C:\FILMS\FRAPS\FRAPS.EXE" [2006-06-18 15:54]
    "Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 22:02]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "WatchDog"=C:\Program Files\WatchDog\watchdog.exe /.

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Spyware Doctor"=

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispAppearancePage"=0 (0x0)
    "NoDispBackgroundPage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "DisableCMD"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)
    "DisableChangePassword"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoSetTaskBar"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoRecentDocsMenu"=0 (0x0)
    "NoSMHelp"=0 (0x0)
    "NoNetworkConnections"=0 (0x0)
    "NoSMMyDocs"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoActiveDesktopChanges"=0 (0x0)
    "NoSaveSettings"=0 (0x0)
    "NoClose"=0 (0x0)
    "NoNetConnectDisconnect"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoViewContextMenu"=0 (0x0)
    "NoWinKeys"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages msv1_0 C:\WINDOWS\system32\qoMcdCTn

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Menu Start^Programma's^Opstarten^GameSpot Download Manager.lnk]
    path=C:\Documents and Settings\Admin\Menu Start\Programma's\Opstarten\GameSpot Download Manager.lnk
    backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Logitech Desktop Messenger.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Logitech Desktop Messenger.lnk
    backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2 Up File Flag]
    C:\Documents and Settings\All Users\Application Data\Global seek 2 up\knobnew.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Build cdrom]
    C:\DOCUME~1\Admin\APPLIC~1\INSIDE~1\idle grid.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
    C:\WINDOWS\system32\tcntrkdm.exe DWram

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
    rundll32.exe "C:\WINDOWS\system32\qsjklxbg.dll",realset

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "C:\Spellen\Counterstrike Source\Steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
    C:\Program Files\WatchDog\watchdog.exe /.

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    "C:\Program Files\Save\Save.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
    "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9F-FD-D4-43-DW}]
    c:\windows\system32\rwwnw64d.exe DWram


    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-01 16:04:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0


    ********************************************************************

    Completion time: 2008-05-01 16:09:22
    C:\ComboFix-quarantined-files.txt … 2008-05-01 16:09
    C:\ComboFix2.txt … 2008-05-01 15:37
    C:\ComboFix3.txt … 2008-05-01 15:21

    — E O F —
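The log above shows the classic Trojan.Vundo (Virtumonde) pattern: freshly created DLLs with generated eight-letter names in system32, one of them paired with a hidden .ini2 whose name is the DLL name spelled backwards (qoMcdCTn.dll / nTCdcMoq.ini2), the same DLLs registered as Browser Helper Objects, Run values with random-looking names that load a DLL, and a third entry appended to the LSA "Authentication Packages" list so the DLL is loaded by lsass.exe at boot. The script below is an added example for this thread, not code from ComboFix or from the helper; it pulls those indicators out of an excerpt of this log. The file-name heuristic (looks_random) is the editor's own assumption and produces false positives; the registry-based checks are the ones worth acting on.

```python
"""Pull Trojan.Vundo-style indicators out of a ComboFix log. Added example for this
thread, not ComboFix's or the helper's code; the heuristics are the editor's own.
SAMPLE_LOG is an excerpt of the log posted above, attributes shown with plain hyphens."""
import re

SAMPLE_LOG = r"""
2008-05-01 11:54 107,072 --a------ C:\WINDOWS\system32\ahmmqqae.dll
2008-05-01 11:53 107,072 --a------ C:\WINDOWS\system32\pwfnpetw.dll
2008-04-30 23:49 283,136 --------- C:\WINDOWS\system32\qoMcdCTn.dll
2008-04-30 23:49 198,501 --ahs---- C:\WINDOWS\system32\nTCdcMoq.ini2
2008-04-30 23:44 0 --a------ C:\WINDOWS\system32\taskkill.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0DBE9761-3CDC-4C0F-BB31-7AF8756CF594}=C:\WINDOWS\system32\qoMcdCTn.dll [2008-04-30 23:49]
{3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}=C:\WINDOWS\system32\ahmmqqae.dll [2008-05-01 11:54]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41]
"BM538ace70"="C:\WINDOWS\system32\pwfnpetw.dll" [2008-05-01 11:53]
"50b9fdec"="C:\WINDOWS\system32\icwnfkvc.dll" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\qoMcdCTn
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$")
BHO_RE = re.compile(r"^\{([0-9A-Fa-f-]{36})\}=(.+?)\s+\[(.*?)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(.*?)\]$')
VOWELS = set("aeiou")

def split_name(path):
    """(stem, lowercase ext) of the last path component."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")

def looks_random(stem):
    """Weak heuristic for Vundo's generated names: exactly eight letters, no digits, with a
    run of four or more consonants (ahmmqqae, pwfnpetw, qoMcdCTn). Legitimate names such as
    NvMcTray match too, so this ranks candidates; it never decides a deletion by itself."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    run = best = 0
    for ch in stem.lower():
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best >= 4

def parse(log):
    """Collect created files, BHOs, Run values and LSA packages from the log text."""
    created, bhos, runs, lsa, section = {}, [], [], [], ""
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[HKEY_"):
            section = line.lower()
            continue
        m = FILE_RE.match(line)
        if m:
            created[m.group(4).lower()] = m.group(4)
        elif section.endswith("browser helper objects]"):
            m = BHO_RE.match(line)
            if m:
                bhos.append(m.groups())
        elif section.endswith("\\run]"):
            m = RUN_RE.match(line)
            if m:
                runs.append(m.groups())
        elif section.endswith("\\lsa]") and line.startswith("Authentication Packages"):
            lsa = line.split()[2:]
    return created, bhos, runs, lsa

def analyse(log):
    """Return (kind, *details) findings, strongest signal first."""
    created, bhos, runs, lsa = parse(log)
    findings = []
    # 1. Extra LSA package: loaded into lsass.exe at every boot, Safe Mode included,
    #    so the DLL is always in use when an ordinary delete is attempted.
    for pkg in lsa:
        if pkg.lower() != "msv1_0":
            findings.append(("lsa_package", pkg))
    # 2. Vundo stores its config in a hidden .ini/.ini2 named as the DLL stem reversed.
    stems = {}
    for path in created.values():
        stems.setdefault(split_name(path)[0].lower(), []).append(path)
    for stem, paths in stems.items():
        rev = stem[::-1]
        if rev in stems and stem < rev:
            findings.append(("reversed_pair", paths[0], stems[rev][0]))
    # 3. A BHO backed by a DLL that appeared inside the scan window.
    for clsid, path, _stamp in bhos:
        if path.lower() in created:
            findings.append(("new_bho", clsid, path))
    # 4. A Run value loading a DLL with a generated-looking name, or one ComboFix
    #    could not timestamp (the empty "[]" at the end of the line).
    for name, data, stamp in runs:
        stem, ext = split_name(data)
        if ext == "dll" and (looks_random(stem) or not stamp):
            findings.append(("run_dll", name, data))
    # 5. Weakest signal: generated-looking names among new system32 files.
    for path in created.values():
        if "\\system32\\" in path.lower() and looks_random(split_name(path)[0]):
            findings.append(("random_name", path))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Run it as is and it prints ten findings for the excerpt: the foreign LSA package, the qoMcdCTn/nTCdcMoq pair, the two new BHOs, the two DLL-loading Run values and four generated-looking file names. The order of the checks is deliberate: the LSA entry and the reversed-name pair are near-certain Vundo artefacts, while the name heuristic alone would also flag harmless files and should only guide what to look at next.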
  • Can you start in normal Windows mode and then carry out the instructions, Niek?
    Or doesn't that work?
  • When I start my PC normally I don't get an error message; I see a blue screen and the PC restarts and then goes to the menu where you can select whether you want to start normally or in safe mode.
  • Right-click "My Computer".
    Choose Properties.
    Go to the Advanced tab.
    Under Startup and Recovery, click "Settings".
    Uncheck "Automatically restart".
    Check "Write an event to the system log".
    Under "Write debugging information" select "(none)".
    Click "OK" and click "OK" once more.
    Restart the computer.

    Post the contents of the blue screen you get.
  • When I try to do this I get the following message;

    System Control Panel applet.

    Windows can only send administrative alerts if the Alerter service is running.

    And then how I can activate that service. Should I do this or ignore it?
  • Try to activate it.
  • I was able to find it, and it says it starts automatically. I did see that its status is stopped. When I tried to turn it on I got a message that it is not available in safe mode.
  • I restarted my PC after applying it in the startup and recovery settings.

    Still my PC restarted automatically, and I only saw the blue screen briefly before the PC rebooted.
  • I was already a bit afraid of that.

    Can you start the computer in normal Windows mode with the last known good configuration?
  • I tried that. After the Windows loading screen my PC hung on a black screen. (Whereas when I try to start normally I get the blue screen and the PC is restarted immediately.)
  • When did the problems start that you could no longer boot into normal Windows mode?
    Before using ComboFix or after?
  • Before that already. Last night I got a message that a virus had been found. So this morning I decided to scan my PC. At that point Task Manager already wasn't working and during the scan my taskbar (explorer.exe) and my entire desktop disappeared.

    After the scan finished the PC had to be restarted, and since then I can no longer start normally, and I ran ComboFix from safe mode. I posted the scan log of the scanner in question a few posts back in the thread.
  • That explorer.exe and your desktop disappear is normal with this infection.

    Try this.

    Download The Avenger and place it on your desktop: http://swandog46.geekstogo.com/avenger2/download.php
    Unzip it.
    Start the program by clicking avenger.exe.
    In the "Input Script here" window, paste the following:

    Files to delete:
    C:\WINDOWS\system32\ahmmqqae.dll
    C:\WINDOWS\system32\pwfnpetw.dll
    C:\WINDOWS\system32\qoMcdCTn.dll
    C:\WINDOWS\system32\nTCdcMoq.ini2
    C:\WINDOWS\system32\winpfz33.sys
    C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    C:\WINDOWS\system32\gside.exe
    C:\Temp\oRUsa080.exe

    Folders to delete:
    C:\VundoFix Backups
    C:\Temp\zvebs14
    C:\Temp\1cb

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{759C858E-85A7-416A-B9F1-68A6F750DF4E}
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2 Up File Flag
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Build cdrom
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9F-FD-D4-43-DW}

    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 50b9fdec

    Then click the "Execute" button.
    Avenger will say that the computer is going to restart; allow this.
    After the reboot a logfile opens (avenger.txt). Post the contents of the logfile.
  • I get an error message;

    Error: Invalid script. A valid script must begin with a command directive. Aborting execution.

    this is the script;


    Files to delete:
    C:\WINDOWS\system32\ahmmqqae.dll
    C:\WINDOWS\system32\pwfnpetw.dll
    C:\WINDOWS\system32\qoMcdCTn.dll
    C:\WINDOWS\system32\nTCdcMoq.ini2
    C:\WINDOWS\system32\winpfz33.sys
    C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    C:\WINDOWS\system32\gside.exe
    C:\Temp\oRUsa080.exe

    Folders to delete:
    C:\VundoFix Backups
    C:\Temp\zvebs14
    C:\Temp\1cb

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{759C858E-85A7-416A-B9F1-68A6F750DF4E}
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2 Up File Flag
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Build cdrom
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9F-FD-D4-43-DW}

    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    Here is the log of the failed attempt;

    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 20:00:36 2008

    20:00:36: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////
  • This must be the first line in the script:
    Files to delete:
  • Quote from "Niek van gastel":
    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Note:
    It must be:
    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 50b9fdec
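The two corrections above amount to a small grammar for Avenger scripts: the first non-blank line must be one of the command directives, and an entry under "Registry values to delete:" must be written as "key | value". The checker below is an added example for this thread, not code from The Avenger or from the helper; it enforces those two rules on a script before it is pasted into the "Input Script here" window, and it parses the corrected script from the thread as its known-good input. It knows only the four directives used in this thread (Avenger accepts others; leaving them out is an assumption to keep the example short). It also strips and reports invisible characters such as a byte-order mark or non-breaking space, which a copy-paste from a styled forum post can carry; whether that caused the third failure here, which went away after a reboot, the thread does not establish.

```python
"""Pre-check an Avenger 2.x script for the two mistakes made in this thread.

Added example, not part of the thread and not The Avenger's own code. DIRECTIVES
holds only the four directives used above; Avenger accepts more (assumption: none
of them is needed here). Rules enforced, taken from the helper's corrections: the
first non-blank line must be a directive, and every entry under
'Registry values to delete:' must read 'key | value'.
"""
import re

DIRECTIVES = (
    "files to delete:",
    "folders to delete:",
    "registry keys to delete:",
    "registry values to delete:",
)
# Byte-order mark, non-breaking space and zero-width/direction marks: characters a
# copy-paste from a styled forum post can carry. That this caused the failure in the
# thread is an assumption; the thread only shows that a reboot made it go away.
INVISIBLE = re.compile("[\ufeff\u00a0\u200b\u200e\u200f]")

# The corrected script from the thread, used as the known-good input.
GOOD_SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\ahmmqqae.dll
C:\WINDOWS\system32\pwfnpetw.dll
C:\WINDOWS\system32\qoMcdCTn.dll
C:\WINDOWS\system32\nTCdcMoq.ini2
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\gside.exe
C:\Temp\oRUsa080.exe

Folders to delete:
C:\VundoFix Backups
C:\Temp\zvebs14
C:\Temp\1cb

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{759C858E-85A7-416A-B9F1-68A6F750DF4E}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2 Up File Flag
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Build cdrom
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9F-FD-D4-43-DW}

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 50b9fdec
"""


def scrub(text):
    """Drop invisible characters; return (clean_text, number_removed)."""
    clean = INVISIBLE.sub("", text)
    return clean, len(text) - len(clean)


def check_script(text):
    """Validate a script. Returns (errors, warnings, sections); sections maps each
    directive to its parsed entries, registry values as (key, value_name) pairs."""
    clean, removed = scrub(text)
    errors, warnings, sections, current = [], [], {}, None
    if removed:
        warnings.append(f"removed {removed} invisible character(s); paste as plain text")
    for lineno, raw in enumerate(clean.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.lower() in DIRECTIVES:
            current = line.lower()
            sections.setdefault(current, [])
        elif current is None:
            # The condition Avenger reported in the thread; it aborts, so do we.
            errors.append(f"line {lineno}: script must begin with a command directive")
            break
        elif line.endswith(":"):
            errors.append(f"line {lineno}: unknown directive {line!r}")
        elif current == "registry values to delete:":
            key, sep, name = line.partition("|")
            if not sep or not key.strip() or not name.strip():
                errors.append(f"line {lineno}: registry value entry must be 'key | value'")
            else:
                sections[current].append((key.strip(), name.strip()))
        else:
            sections[current].append(line)
    if not sections and not errors:
        errors.append("empty script: no command directive found")
    return errors, warnings, sections


if __name__ == "__main__":
    errs, warns, secs = check_script(GOOD_SCRIPT)
    print("errors:", errs, "warnings:", warns)
    for directive, entries in secs.items():
        print(f"{directive} {len(entries)} entries")
```

Run against the corrected script it reports no errors and 8, 3, 8 and 1 entries; feed it the first version of the "Registry values to delete:" line from the thread and it fails with the 'key | value' message, and text placed before the first directive reproduces the "must begin with a command directive" abort. It validates only the script's shape; it does not and cannot judge whether the listed files and keys are the right ones to delete.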
  • Thanks, I hadn't copied everything.

    Despite the complete line I get the same error message.

    This is the script I am trying to run;

    Files to delete:
    C:\WINDOWS\system32\ahmmqqae.dll
    C:\WINDOWS\system32\pwfnpetw.dll
    C:\WINDOWS\system32\qoMcdCTn.dll
    C:\WINDOWS\system32\nTCdcMoq.ini2
    C:\WINDOWS\system32\winpfz33.sys
    C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    C:\WINDOWS\system32\gside.exe
    C:\Temp\oRUsa080.exe

    Folders to delete:
    C:\VundoFix Backups
    C:\Temp\zvebs14
    C:\Temp\1cb

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{759C858E-85A7-416A-B9F1-68A6F750DF4E}
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2 Up File Flag
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Build cdrom
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9F-FD-D4-43-DW}

    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 50b9fdec

    Here is the log of the failed attempt;

    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu May 01 20:00:36 2008

    20:00:36: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////
  • The script I'm giving you is correct.
    It has to work!
  • Restarted the PC and tried again, this time with success.

    Here is the log;

    Logfile of The Avenger Version 2.0, © by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "C:\WINDOWS\system32\ahmmqqae.dll" deleted successfully.
    File "C:\WINDOWS\system32\pwfnpetw.dll" deleted successfully.
    File "C:\WINDOWS\system32\qoMcdCTn.dll" deleted successfully.
    File "C:\WINDOWS\system32\nTCdcMoq.ini2" deleted successfully.
    File "C:\WINDOWS\system32\winpfz33.sys" deleted successfully.
    File "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" deleted successfully.
    File "C:\WINDOWS\system32\gside.exe" deleted successfully.
    File "C:\Temp\oRUsa080.exe" deleted successfully.
    Folder "C:\VundoFix Backups" deleted successfully.
    Folder "C:\Temp\zvebs14" deleted successfully.
    Folder "C:\Temp\1cb" deleted successfully.

This is an archived page. Answering is no longer possible.