Question & Answer
Rescuing data from a heavily infected PC???
12 answers
- PC, after a failed SP2 update, full of malware and viruses.
Practically impossible to remove.
(Several) virus scanners can't even be installed (e.g. an error message about a changed file).
With Malwarebytes, new (?) trojans, dialers etc. keep turning up.
At first (nothing but blue screens and only occasional access in safe mode; by then all the important data was already gone) I did an XP repair.
Some folders were overwritten then, some were not.
(Some unimportant ones survived, some important ones were overwritten.)
I hoped to get something back with a good recovery program, but no success so far. I can't read any data any more (the boot sector is broken, among other things).
What is the best way to tackle this???
- Start by posting a HijackThis log, please.
* Download Trend Micro HijackThis™.
Double-click HJTInstall.exe to install HijackThis.
By default HijackThis will be installed in the Program Files\Trendmicro folder and a shortcut will be placed on your desktop.
HijackThis will open after installation.
Click the Scan button at the bottom.
This starts the scan and opens a log.
Copy and paste this log in your next post.
- No error messages.
But all exe files turn out to be infected.
(I did the scan of the external HD on another computer.)
Can't install imaging or recovery software on the infected PC.
(error messages)
So no idea any more how to still get any data off it at all…
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 1
22-4-2009 13:31:27
mbam-log-2009-04-22 (13-31-27).txt
Scan type: Full Scan (C:\|E:\|G:\|)
Objects scanned: 72959
Time elapsed: 5 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
- Possibly also of interest:
Trojan Remover log:
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.8.2575. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 14:58:33 22 apr 2009
Using Database v7318
Operating System: Windows XP Professional (SP1) [Build: 5.1.2600]
File System: FAT32
UserData directory: C:\Documents and Settings\a\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\a\Mijn documenten\Simply Super Software\Trojan Remover Logfiles\
Program directory: g:\Program Files\Trojan Remover\
Running with Administrator privileges
************************************************************
************************************************************
14:58:33: —– SCANNING FOR ROOTKIT SERVICES —–
Hidden Service Keyname: ovfsthxwwyksibe
Hidden Service: \systemroot\system32\drivers\ovfsthxvxjcbxhe.sys
C:\WINDOWS\system32\drivers\ovfsthxvxjcbxhe.sys
83456 bytes
Modified: 19-4-2009 21:52
Company: Microsoft Corporation
File appears to be hidden using rootkit techniques
Entry has been scheduled for deletion when the PC is restarted
C:\WINDOWS\system32\drivers\ovfsthxvxjcbxhe.sys - file backed up to C:\WINDOWS\system32\drivers\ovfsthxvxjcbxhe.sys.vir
C:\WINDOWS\system32\drivers\ovfsthxvxjcbxhe.sys - file has been erased using RAW erasure
———-
************************************************************
14:59:11: Scanning —–WINDOWS REGISTRY—–
——————–
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
——————–
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1024000 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
———-
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
33280 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
C:\WINDOWS\system32\userinit.exe - this userinit.exe file is either the wrong size, or has missing/incorrect version information
C:\WINDOWS\system32\userinit.exe - cannot restore a good copy of this file
———-
This key's "System" value appears to be blank
———-
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\System32\logonui.exe
548864 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
———-
——————–
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
——————–
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
——————–
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: TrojanScanner
Value Data: g:\Program Files\Trojan Remover\Trjscan.exe /boot
g:\Program Files\Trojan Remover\Trjscan.exe
1206664 bytes
Created: 22-4-2009 14:44
Modified: 18-4-2009 18:45
Company: Simply Super Software
——————–
——————–
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
——————–
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
——————–
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
——————–
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key appears to be empty
——————–
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
——————–
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
——————–
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
——————–
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty
************************************************************
15:03:00: Scanning —–SHELLEXECUTEHOOKS—–
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
———-
************************************************************
15:03:00: Scanning —–HIDDEN REGISTRY ENTRIES—–
Taskdir check completed
———-
No Hidden File-loading Registry Entries found
———-
************************************************************
15:03:00: Scanning —–ACTIVE SCREENSAVER—–
No active ScreenSaver found to scan.
************************************************************
15:03:00: Scanning —– REGISTRY ACTIVE SETUP KEYS —–
Key: {22d6f312-b0f6-11d0-94ab-0080c74c7e95}
Path: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
C:\WINDOWS\INF\mplayer2.inf
37558 bytes
Created: 7-9-2001 10:00
Modified: 7-9-2001 10:00
Company: [no info]
———-
Key: {306D6C21-C1B6-4629-986C-E59E1875B8AF}
Path: "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser
C:\WINDOWS\System32\rundll32.exe
76288 bytes
Created: 7-9-2001 10:00
Modified: 7-9-2001 10:00
Company: Microsoft Corporation
———-
************************************************************
15:03:01: Scanning —– SERVICEDLL REGISTRY KEYS —–
Key: BITS
Path: %systemroot%\system32\qmgr.dll
C:\WINDOWS\system32\qmgr.dll
223232 bytes
Created: 15-4-2009 18:15
Modified: 9-9-2002 15:08
Company: Microsoft Corporation
——————–
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
——————–
Key: RpcSs
Path: %SystemRoot%\System32\rpcss.dll
C:\WINDOWS\System32\rpcss.dll
260608 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
——————–
Key: WmdmPmSp
Path: C:\WINDOWS\System32\mspmspsv.dll
C:\WINDOWS\System32\mspmspsv.dll
47104 bytes
Created: 7-9-2001 10:00
Modified: 7-9-2001 10:00
Company: Microsoft Corporation
——————–
Key: wuauserv
Path: C:\WINDOWS\System32\wuauserv.dll
C:\WINDOWS\System32\wuauserv.dll
9216 bytes
Created: 15-4-2009 18:13
Modified: 9-9-2002 15:08
Company: Microsoft Corporation
——————–
************************************************************
15:03:03: Scanning —– SERVICES REGISTRY KEYS —–
Key: apkf091
ImagePath: \SystemRoot\System32\drivers\apkf091.sys
C:\WINDOWS\System32\drivers\apkf091.sys - [file not found to scan]
———-
Key: catchme
ImagePath: \??\C:\ComboFix\catchme.sys - this file is globally excluded
———-
Key: CnxEtP
ImagePath: System32\DRIVERS\CnxEtP.sys
C:\WINDOWS\System32\DRIVERS\CnxEtP.sys
60288 bytes
Created: 16-4-2009 23:48
Modified: 16-4-2009 23:48
Company: Conexant
———-
Key: CnxEtU
ImagePath: System32\DRIVERS\CnxEtU.sys
C:\WINDOWS\System32\DRIVERS\CnxEtU.sys
646400 bytes
Created: 16-4-2009 23:48
Modified: 16-4-2009 23:48
Company: Conexant
———-
Key: CnxTgN
ImagePath: System32\DRIVERS\CnxTgN.sys
C:\WINDOWS\System32\DRIVERS\CnxTgN.sys
103622 bytes
Created: 16-4-2009 23:48
Modified: 16-4-2009 23:48
Company: Conexant Systems Inc.
———-
Key: hcr306d
ImagePath: \SystemRoot\System32\drivers\hcr306d.sys
C:\WINDOWS\System32\drivers\hcr306d.sys - [file not found to scan]
———-
Key: iyqesms
ImagePath: System32\drivers\rrjemkna.sys
C:\WINDOWS\System32\drivers\rrjemkna.sys - [file not found to scan]
———-
Key: Norman ZANDA
ImagePath: "g:\VIRUSfighter\Bin\Zanda.exe"
g:\VIRUSfighter\Bin\Zanda.exe - [file not found to scan]
———-
Key: Secdrv
ImagePath: System32\DRIVERS\secdrv.sys
C:\WINDOWS\System32\DRIVERS\secdrv.sys - [file not found to scan]
———-
Key: SwPrv
ImagePath: C:\WINDOWS\System32\dllhost.exe /Processid:{52687FEC-8D71-4178-B5DC-D51CA0C6E816}
C:\WINDOWS\System32\dllhost.exe
147456 bytes
Created: 7-9-2001 10:00
Modified: 7-9-2001 10:00
Company: Microsoft Corporation
———-
Key: toj1b75
ImagePath: \SystemRoot\System32\drivers\toj1b75.sys
C:\WINDOWS\System32\drivers\toj1b75.sys - [file not found to scan]
———-
Key: tojf054
ImagePath: \SystemRoot\System32\drivers\tojf054.sys
C:\WINDOWS\System32\drivers\tojf054.sys - [file not found to scan]
———-
Key: trutil
ImagePath: \??\C:\DOCUME~1\a\LOCALS~1\Temp\trutil.sys - this file is a Trojan Remover component
———-
Key: viagfx
ImagePath: System32\DRIVERS\vtmini.sys
C:\WINDOWS\System32\DRIVERS\vtmini.sys
-R- 265344 bytes
Created: 16-4-2009 23:16
Modified: 11-8-2003 8:09
Company: Copyright (C) VIA/S3 Graphics, Inc.
———-
************************************************************
15:03:05: Scanning —–VXD ENTRIES—–
************************************************************
15:03:05: Scanning —– WINLOGON\NOTIFY DLLS —–
************************************************************
15:03:05: Scanning —– CONTEXTMENUHANDLERS —–
Key: ShellExtension
CLSID: [empty]
———-
Key: Trojan Remover
CLSID: {52B87208-9CCF-42C9-B88E-069281105805}
Path: g:\PROGRA~1\TROJAN~1\Trshlex.dll
g:\PROGRA~1\TROJAN~1\Trshlex.dll
467552 bytes
Created: 22-4-2009 14:44
Modified: 5-2-2007 20:26
Company: Simply Super Software
———-
************************************************************
15:03:05: Scanning —– FOLDER\COLUMNHANDLERS —–
************************************************************
15:03:05: Scanning —– BROWSER HELPER OBJECTS —–
No Browser Helper Objects found to scan
************************************************************
15:03:05: Scanning —– SHELLSERVICEOBJECTS —–
Key: WebCheck
CLSID: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Path: %SystemRoot%\System32\webcheck.dll
C:\WINDOWS\System32\webcheck.dll
261120 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
———-
Key: SysTray
CLSID: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Path: %systemroot%\system32\stobject.dll
C:\WINDOWS\system32\stobject.dll
118272 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
———-
************************************************************
15:03:06: Scanning —– SHAREDTASKSCHEDULER ENTRIES —–
************************************************************
15:03:06: Scanning —– IMAGEFILE DEBUGGERS —–
No "Debugger" entries found.
************************************************************
15:03:06: Scanning —– APPINIT_DLLS —–
The AppInit_DLLs value is blank or does not exist
************************************************************
15:03:06: Scanning —– SECURITY PROVIDER DLLS —–
************************************************************
15:03:06: Scanning —— COMMON STARTUP GROUP ——
[C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\desktop.ini
-HS- 84 bytes
Created: 15-4-2009 17:58
Modified: 15-4-2009 18:19
Company: [no info]
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\desktop.ini - no action taken on this file
——————–
************************************************************
No User Startup Groups were located to check
************************************************************
15:03:06: Scanning —– SCHEDULED TASKS —–
No Scheduled Tasks found to scan
************************************************************
15:03:06: Scanning —– SHELLICONOVERLAYIDENTIFIERS —–
************************************************************
15:03:06: Scanning —– DEVICE DRIVER ENTRIES —–
************************************************************
15:03:07: —– ADDITIONAL CHECKS —–
PE386 rootkit checks completed
———-
Winlogon registry rootkit checks completed
———-
Heuristic checks for hidden files/drivers completed
———-
Layered Service Provider entries checks completed
———-
Windows Explorer Policies checks completed
———-
Desktop Wallpaper: C:\WINDOWS\web\wallpaper\Ierland.bmp
C:\WINDOWS\web\wallpaper\Ierland.bmp
1440054 bytes
Created: 15-4-2009 18:17
Modified: 15-4-2009 18:17
Company: [no info]
———-
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Ierland.bmp
C:\WINDOWS\web\wallpaper\Ierland.bmp
1440054 bytes
Created: 15-4-2009 18:17
Modified: 15-4-2009 18:17
Company: [no info]
———-
Checks for rogue DNS NameServers completed
———-
———-
Additional checks completed
************************************************************
15:03:08: Scanning —– RUNNING PROCESSES —–
C:\WINDOWS\System32\smss.exe
45568 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
——————–
C:\WINDOWS\system32\csrss.exe
4096 bytes
Created: 7-9-2001 10:00
Modified: 7-9-2001 10:00
Company: Microsoft Corporation
——————–
C:\WINDOWS\system32\winlogon.exe
519168 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
——————–
C:\WINDOWS\system32\services.exe
101888 bytes
Created: 7-9-2001 10:00
Modified: 7-9-2001 10:00
Company: Microsoft Corporation
——————–
C:\WINDOWS\system32\lsass.exe
11776 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
——————–
C:\WINDOWS\system32\svchost.exe
12800 bytes
Created: 7-9-2001 10:00
Modified: 7-9-2001 10:00
Company: Microsoft Corporation
——————–
C:\WINDOWS\System32\svchost.exe - file already scanned
——————–
C:\WINDOWS\System32\svchost.exe - file already scanned
——————–
C:\WINDOWS\Explorer.EXE - file already scanned
——————–
C:\WINDOWS\System32\svchost.exe - file already scanned
——————–
C:\WINDOWS\system32\spoolsv.exe
62464 bytes
Created: 7-9-2001 10:00
Modified: 7-9-2001 10:00
Company: Microsoft Corporation
——————–
C:\WINDOWS\System32\alg.exe
53248 bytes
Created: 9-9-2002 13:08
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
——————–
C:\WINDOWS\dhcp\svchost.exe
311808 bytes
Created: 21-4-2009 22:45
Modified: 21-4-2009 22:46
Company: [no info]
——————–
C:\WINDOWS\System32\dllhost.exe
147456 bytes
Created: 7-9-2001 10:00
Modified: 7-9-2001 10:00
Company: Microsoft Corporation
——————–
C:\WINDOWS\System32\msdtc.exe
50176 bytes
Created: 15-4-2009 18:13
Modified: 7-9-2001 12:00
Company: Microsoft Corporation
——————–
C:\Documents and Settings\a\Application Data\Simply Super Software\Trojan Remover\glo3.exe
FileSize: 2937720
[This is a Trojan Remover component]
——————–
************************************************************
15:03:18: Checking HOSTS file
No malicious entries were found in the HOSTS file
************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
=== ONE OR MORE FILES WERE RENAMED OR REMOVED ===
Scan completed at: 15:03:18 22 apr 2009
Total Scan time: 00:04:45
————————————————————————-
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
22-4-2009 15:03:23: restart commenced
************************************************************
- Go to Kaspersky Online Scanner
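A log this long is easy to misread by eye, and the items that matter in the one above are scattered across sections: a driver service hidden from the registry, a svchost.exe living under C:\WINDOWS\dhcp with no publisher information, a userinit.exe the scanner reports as the wrong size, and several service keys with generated-looking names whose driver files are gone. The script below is an added example, not part of this thread and not a Trojan Remover feature. It assumes the block layout of the log above (a path line, a "<n> bytes" line, "Created:"/"Modified:"/"Company:" lines, blocks separated by rules of dashes) and flags those patterns plus anything under the Windows directory modified after the repair install. The sample log is a constructed excerpt modelled on the post; `triage`, `looks_random` and the cutoff date are the example's own, the cutoff being an assumption taken from the 15-4-2009 creation dates of the repair install visible in the log.

```python
"""Triage a Trojan Remover style log for rootkit and file-infector signs.
Added example for this thread, not a Trojan Remover feature. Assumes the block
layout of the log above: path line, "<n> bytes", "Created:", "Modified:",
"Company:" lines, with blocks separated by rules of dashes."""
import re
from datetime import datetime

CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
              "svchost.exe", "explorer.exe", "userinit.exe", "logonui.exe", "alg.exe"}
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system32"}   # where CORE_NAMES live
WIN = r"c:\windows"
RULE_RE = re.compile(r"(?m)^[-—–]{4,}[ \t]*$")   # "----------", also its em-dash mangled form
DATE_RE = re.compile(r"^(Created|Modified): (\d{1,2}-\d{1,2}-\d{4} \d{1,2}:\d{2})")

# Constructed excerpt, modelled on the log posted above.
SAMPLE_LOG = r"""
Hidden Service: \systemroot\system32\drivers\ovfsthxvxjcbxhe.sys
C:\WINDOWS\system32\drivers\ovfsthxvxjcbxhe.sys
83456 bytes
Modified: 19-4-2009 21:52
Company: Microsoft Corporation
----------
C:\WINDOWS\system32\userinit.exe
33280 bytes
Modified: 9-9-2002 13:08
Company: Microsoft Corporation
C:\WINDOWS\system32\userinit.exe - this userinit.exe file is either the wrong size, or has missing/incorrect version information
----------
Key: iyqesms
ImagePath: System32\drivers\rrjemkna.sys
C:\WINDOWS\System32\drivers\rrjemkna.sys - [file not found to scan]
----------
C:\WINDOWS\dhcp\svchost.exe
311808 bytes
Created: 21-4-2009 22:45
Modified: 21-4-2009 22:46
Company: [no info]
"""

def parse_blocks(text):
    """Split the log at dash rules into lists of non-empty lines."""
    parts = RULE_RE.split(text)
    return [[l.strip() for l in p.splitlines() if l.strip()] for p in parts]

def parse_entry(block):
    e = dict(path=None, key=None, company=None, modified=None,
             hidden=False, missing=False, mismatch=False)
    for line in block:
        if line.startswith("Hidden Service"):
            e["hidden"] = True
        elif line.startswith("Key: "):
            e["key"] = line[5:].strip()
        elif line.startswith("Company: "):
            e["company"] = line[9:].strip()
        elif re.match(r"^[A-Za-z]:\\", line):     # first path line wins
            e["path"] = e["path"] or line.split(" - ")[0]
            e["missing"] |= "[file not found to scan]" in line
            e["mismatch"] |= "wrong size" in line
        else:
            m = DATE_RE.match(line)
            if m and m.group(1) == "Modified":
                e["modified"] = datetime.strptime(m.group(2), "%d-%m-%Y %H:%M")
    return e

def looks_random(name):
    """Loose heuristic for generated names: letters mixed with digits, or a long
    name with hardly any vowels. It ranks entries, it does not convict them."""
    letters = [c for c in name.lower() if c.isalpha()]
    if any(c.isdigit() for c in name) and len(letters) >= 3:
        return True
    return len(letters) >= 7 and sum(c in "aeiou" for c in letters) / len(letters) < 0.3

def triage(log_text, cutoff="16-4-2009 00:00"):
    """Return (item, reason) pairs; cutoff is the last known-good repair date."""
    cut = datetime.strptime(cutoff, "%d-%m-%Y %H:%M")
    out = []
    for block in parse_blocks(log_text):
        e = parse_entry(block)
        item = e["path"] or e["key"]
        if not item:
            continue
        low = (e["path"] or "").lower()
        dirname, _, base = low.rpartition("\\")
        if e["hidden"]:
            out.append((item, "service hidden from the registry API (rootkit)"))
        if e["missing"] and e["key"] and looks_random(e["key"]):
            out.append((item, f"orphaned service '{e['key']}' with random-looking name"))
        if e["mismatch"]:
            out.append((item, "wrong size/version info reported (file infector?)"))
        if base in CORE_NAMES and dirname not in EXPECTED_DIRS:
            out.append((item, f"{base} outside its expected directory"))
        if low.startswith(WIN) and not e["missing"] and e["company"] in (None, "[no info]"):
            out.append((item, "no publisher info on a file under the Windows directory"))
        if e["modified"] and e["modified"] > cut and low.startswith(WIN):
            out.append((item, f"modified after the repair install ({cutoff})"))
    return out

def run_sample():
    return triage(SAMPLE_LOG)
```

On the full log above this flags the hidden driver service, the svchost.exe under C:\WINDOWS\dhcp (three reasons at once), the userinit.exe size mismatch and the orphaned service keys with generated-looking names, while the Microsoft binaries dated 2001/2002 in their proper directories stay silent. The name heuristic is deliberately loose; treat its hits as things to look up, not as verdicts.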
- Unfortunately that doesn't work with this XP (SP1?).
Can't get onto the Internet either…
- Also ran various other trojan scanners.
500 infected files.
Repaired with difficulty.
Now I can't get into XP any more: a "logonui.exe" problem.
New install, still error messages…
- Possibly some hardware is broken as well.
You may have a file infector on board (that's what I needed the Kaspersky log for), and that means a format C:, because there is no remedy against it.
- Yes, I'm afraid of that too.
Kaspersky won't run either.
It's going to be format C:.
A real shame about the files.
Thanks for thinking along!
- You can take the disk out and read it in another PC. In particular, copy the "Documents and Settings" folder. The disk can go into another PC as a second disk, or you buy a USB enclosure for 19 euros. There are IDE versions and SATA versions.
Only then format C:; that is a lot faster than removing a thousand trojans.
- Tried it with the Acer laptop, but getting at that hard disk calls for a whole different kind of patience.
There was no time left for that.
In any case the data recovery software is running normally again, so I'm making one more attempt (probably against my better judgment).
- Most laptop hard disks are held in with a single screw. Anyway, good luck!
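The copy step in the advice above (disk into a clean PC or a USB enclosure, copy "Documents and Settings", only then format) deserves more care than a drag-and-drop, because on this machine every exe is infected and the original will be wiped afterwards. The script below is an added example, not a tool the thread mentions. It assumes the old disk is attached read-only to a clean system, for instance a USB enclosure mounted with `mount -o ro,noexec,noatime /dev/sdb1 /mnt/old` on a Linux live system, and copies a source tree to a clean target while skipping executable file types and cache/temp folders, copying bytes only (no attributes or ACLs) and writing a SHA-256 manifest that can be re-checked before the old disk is formatted. `salvage`, `verify_manifest` and `demo` are the example's own names; `demo` builds a constructed sample tree in a temporary directory, not real user data.

```python
"""Salvage user data from an infected disk mounted read-only in a clean machine.

Added example for the advice above (take the disk out, copy "Documents and
Settings", only then format); not a tool the thread mentions. Assumed setup:
the old disk is attached read-only to a clean system, e.g.
  mount -o ro,noexec,noatime /dev/sdb1 /mnt/old
on a Linux live system, and salvage() is pointed at that mount."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# On a machine where "all exe files are infected" nothing executable is worth
# carrying over: reinstall programs, keep only documents, mail and media.
SKIP_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx",
                 ".drv", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk", ".inf"}
# Cache and temp folders carry nothing the user wants back and are where
# downloaded droppers usually sit.
SKIP_DIRS = {"temp", "temporary internet files", "system volume information",
             "recycler", "recycled"}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def salvage(src, dest):
    """Copy src -> dest, skipping executables, links and junk folders.
    Returns (copied, skipped): copied is a list of (relative path, sha256)."""
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    copied, skipped = [], []
    for root, dirs, files in os.walk(src):
        # Prune in place so os.walk never descends into the junk folders.
        dirs[:] = [d for d in dirs if d.lower() not in SKIP_DIRS]
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(src)
            if p.suffix.lower() in SKIP_SUFFIXES or p.is_symlink():
                skipped.append(str(rel))
                continue
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(p, target)      # bytes only: no attributes, no ACLs
            copied.append((str(rel), sha256_of(target)))
    with open(dest / "MANIFEST.sha256", "w", encoding="utf-8") as m:
        for rel, digest in copied:
            m.write(f"{digest}  {rel}\n")
    return copied, skipped


def verify_manifest(dest):
    """Re-hash every copied file against the manifest; run this before the
    old disk is formatted, and again after moving the copy anywhere."""
    dest = Path(dest)
    with open(dest / "MANIFEST.sha256", encoding="utf-8") as m:
        for line in m:
            digest, rel = line.rstrip("\n").split("  ", 1)
            if sha256_of(dest / rel) != digest:
                return False
    return True


def demo():
    """Constructed sample tree (not real user data) to exercise salvage()."""
    base = Path(tempfile.mkdtemp())
    src, dest = base / "old_disk", base / "rescued"
    samples = {
        "Documents and Settings/a/Mijn documenten/brief.doc": b"letter text",
        "Documents and Settings/a/Mijn documenten/foto.jpg": b"\xff\xd8\xff jpeg",
        "Documents and Settings/a/Local Settings/Temp/dropper.tmp": b"junk",
        "Documents and Settings/a/Bureaublad/setup.exe": b"MZ infected",
        "WINDOWS/dhcp/svchost.exe": b"MZ not the real svchost",
    }
    for rel, data in samples.items():
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_bytes(data)
    copied, skipped = salvage(src, dest)
    return {
        "copied": {Path(r).name for r, _ in copied},
        "skipped": {Path(r).name for r in skipped},
        "manifest_ok": verify_manifest(dest),
    }


if __name__ == "__main__":
    print(demo())
```

Run it on the clean machine only, with the old disk mounted read-only, and never boot from or run anything off that disk. Office documents can carry an infector through macros too, so scan the rescued folder with an up-to-date scanner before opening anything, and keep MANIFEST.sha256 with the copy so a later corrupted backup can be told apart from a good one.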
This is an archived page. Replying is no longer possible.