Question & Answer

Security & privacy

W32 virus. Virus scanner cannot remove it

Anonymous
Abraham54
35 replies
  • So I'm going into the Guinness Book of Records?
    That would be nice!

    Here is the HJT log file:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:06:55 PM, on 10/16/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\VTTimer.exe
    D:\WINDOWS\system32\VTtrayp.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    D:\Program Files\Macrium\Reflect\ReflectService.exe
    D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZQxdm068YYMZ&ptb=_bJpvhFB96f3WfmP88v34A
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 D:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
    O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - D:\Program Files\Macrium\Reflect\ReflectService.exe


    End of file - 3249 bytes

    Curious to see....
    Kind regards, perloc
  • Hello Perloc, as for Guinness, I don't know about that; you have nothing to lose by trying!

    Start HijackThis and choose Scan only; after ticking the boxes in front of the lines corresponding to the ones below, click the Fix checked button:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZQxdm068YYMZ&ptb=_ bJpvhFB96f3WfmP88v34A
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 D:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)

    After doing the above, restart your PC and post a fresh, up-to-date HJT log again.
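As an added example (not code from this thread or from HijackThis itself), a small Python parser for HJT entry lines: it structures the R0/O4/O23 entries, flags the MyWebSearch indicators Abraham54 tells perloc to tick for Fix checked, and diffs the first log against the second to confirm what actually disappeared. The sample logs are constructed from excerpts of the two logs in this thread, and the flagging rules are my own heuristic, not HijackThis logic.

```python
"""Parse HijackThis (HJT) log entries, flag MyWebSearch indicators and diff two logs.

Added example, not code from the thread or from HijackThis; the sample logs are
constructed from excerpts of the logs posted in this thread, and the flagging
heuristic is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines from the first HJT log (before the fix).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZQxdm068YYMZ&ptb=_bJpvhFB96f3WfmP88v34A
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 D:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
"""
# Constructed sample: the same lines as they appear in the second log (after the fix).
LOG_AFTER = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
"""

# Every HJT entry starts with a section code such as R0, O4 or O23.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.+)$")
# O4: autostart entry, e.g. 'HKLM\..\Run: [Name] command line'
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O23: Windows service, e.g. 'Service: Display name (ShortName) - Owner - path'
O23_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
# R0/R1: Internet Explorer registry value, e.g. 'HKCU\...\Main,Start Page = url'
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")


@dataclass(frozen=True)
class HjtEntry:
    code: str    # HJT section code: R0, O4, O23, ...
    name: str    # registry value name, autostart name or service short name
    target: str  # URL, command line or service binary path
    raw: str     # the original log line, stripped


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line; None for non-entry lines (header, process list, footer)."""
    line = line.strip()
    m = HJT_LINE.match(line)
    if not m:
        return None
    code, rest = m["code"], m["rest"]
    if code == "O4" and (o := O4_RE.match(rest)):
        return HjtEntry(code, o["name"], o["cmd"], line)
    if code == "O23" and (o := O23_RE.match(rest)):
        return HjtEntry(code, o["short"], o["path"], line)
    if code.startswith("R") and (o := R_RE.match(rest)):
        return HjtEntry(code, o["value"], o["data"], line)
    return HjtEntry(code, "", rest, line)  # section we do not decode: keep the raw text


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def suspicious_reasons(entry: HjtEntry) -> List[str]:
    """Constructed heuristic for the indicators the helper flagged in this thread."""
    reasons = []
    target = entry.target.lower()
    if "mywebsearch" in target or "mywebs~1" in target:
        reasons.append("points at a MyWebSearch toolbar component")
    if entry.code == "O23" and target.endswith("(file missing)"):
        reasons.append("service registration whose binary is missing")
    return reasons


def flag_log(text: str) -> List[Tuple[HjtEntry, List[str]]]:
    """Entries a reviewer would tick for 'Fix checked', each with its reasons."""
    flagged = []
    for entry in parse_log(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entry lines that disappeared and that appeared between two HJT logs."""
    old = {e.raw for e in parse_log(before)}
    new = {e.raw for e in parse_log(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for entry, reasons in flag_log(LOG_BEFORE):
        print(f"tick [{entry.code}] {entry.name}: {'; '.join(reasons)}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} entry line(s) gone after the fix, {len(added)} new")
    for entry, reasons in flag_log(LOG_AFTER):
        print(f"still present: [{entry.code}] {entry.name}: {'; '.join(reasons)}")
```

Run against the two logs it reports the three MyWebSearch lines gone and the orphaned MyWebSearchService O23 entry still listed, which is exactly what a comparison of the posted logs shows.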
  • Task done, 4 items removed.
    Here is the log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:20:42 PM, on 10/16/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\VTTimer.exe
    D:\WINDOWS\system32\VTtrayp.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    D:\Program Files\Macrium\Reflect\ReflectService.exe
    D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
    O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - D:\Program Files\Macrium\Reflect\ReflectService.exe


    End of file - 2899 bytes

    Hopefully all good now?
    Kind regards, perloc
  • Hello perloc, after analysing your latest log, it turns out there is still something active in your Windows that should not be there.
    But that is in line with my expectations!


    So I recommend that you let Combofix scan your Windows (CLICK).

    How to use Combofix properly (CLICK)
    Read that really carefully, because Combofix is a specialist tool!

    Addendum: to be able to use Combofix, the following applies:

    - no web browsers may be open
    - antivirus must be completely deactivated
    - active malware and spyware scanners must be deactivated.

    Do not click in the active Combofix window; this will make Combofix freeze!

    Combofix closes the internet connection; do not try to restore it in the meantime!


    Here you will find information on how to deactivate antivirus (CLICK)


    After the computer restarts, post the Combofix log.
  • I hope it went well. I could not find F-prot in the instructions on closing the virus scanner. So I did it myself: there is a tab that says the virus scanner is being closed. But it turned out to still be active when I had started Combofix. The program gave no option to fix that. While scanning, F-prot came up with a message about something it found suspicious and deleted it.
    Combofix completed the whole circuit. Here is the log:

    ComboFix 09-10-16.02 - Peter van Perlo 10/16/2009 22:09.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.680 [GMT 2:00]
    Running from: d:\documents and settings\Peter van Perlo\Desktop\ComboFix.exe
    AV: F-PROT Antivirus for Windows *On-access scanning enabled* (Updated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}
    FW: Sunbelt Kerio Personal Firewall *disabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Installer\260de.msi
    c:\windows\Installer\32659.msi
    c:\windows\Installer\41383.msi
    c:\windows\Installer\67aa5.msi
    c:\windows\Installer\a0411.msi
    d:\documents and settings\Minda\Application Data\bcrypt.html
    d:\program files\AskSearch\bin\DefaultSearch.dll
    d:\recycler\S-1-5-21-1078081533-776561741-839522115-1003
    d:\recycler\S-1-5-21-3784788137-5050912846-299633884-1208

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ——-\Legacy_MYWEBSEARCHSERVICE
    ——-\Service_MyWebSearchService


    ((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
    .

    2009-10-16 20:04 . 2009-10-16 20:04 ——– d—–w- d:\windows\system32\LogFiles
    2009-10-16 16:28 . 2009-10-16 16:28 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\Malwarebytes
    2009-10-16 16:28 . 2009-09-10 12:54 38224 —-a-w- d:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-16 16:28 . 2009-10-16 16:28 ——– d—–w- d:\program files\Malwarebytes' Anti-Malware
    2009-10-16 16:28 . 2009-10-16 16:28 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2009-10-16 16:28 . 2009-09-10 12:53 19160 —-a-w- d:\windows\system32\drivers\mbam.sys
    2009-10-16 12:15 . 2009-10-16 12:15 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\BigFishGamesCache
    2009-10-16 12:14 . 2009-10-16 12:14 ——– d–h–w- d:\program files\Zero G Registry
    2009-10-16 12:14 . 2009-10-16 12:14 ——– d–h–w- d:\documents and settings\Peter van Perlo\InstallAnywhere
    2009-10-16 12:08 . 2009-10-16 12:08 ——– d—–w- d:\program files\Microsoft Games
    2009-10-12 16:44 . 2009-10-12 16:47 ——– d—–w- d:\program files\MediaMonkey
    2009-10-12 16:25 . 2009-10-12 16:25 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2009-10-12 04:43 . 2009-10-12 04:43 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\FRISK Software
    2009-10-11 15:48 . 2009-08-27 14:25 682840 —-a-w- d:\windows\system32\drivers\FStopW.sys
    2009-10-11 15:48 . 2009-10-11 15:48 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\FRISK Software
    2009-10-11 15:48 . 2009-10-11 15:48 ——– d—–w- d:\program files\FRISK Software
    2009-10-10 17:55 . 2009-10-10 17:55 17536 —-a-w- d:\documents and settings\Peter van Perlo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-10 05:50 . 2009-10-10 05:50 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\Sonic
    2009-10-10 05:50 . 2009-10-10 05:50 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\Leadertech
    2009-10-10 05:48 . 2009-10-10 05:48 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\InstallShield
    2009-10-10 04:35 . 2004-10-27 06:49 73728 —-a-w- d:\windows\SOUNDMAN.EXE
    2009-10-10 04:35 . 2004-02-25 10:00 40448 ——w- d:\windows\system32\ChCfg.exe
    2009-10-10 04:35 . 2004-10-27 05:17 9179648 —-a-w- d:\windows\system32\RTLCPL.EXE
    2009-10-10 04:35 . 2004-09-10 02:12 208896 ——w- d:\windows\alcupd.exe
    2009-10-10 04:35 . 2004-09-01 12:04 139264 ——w- d:\windows\alcrmv.exe
    2009-10-10 04:28 . 2003-07-01 20:42 27904 —-a-r- d:\windows\system32\drivers\VIAAGP1.SYS
    2009-10-10 04:12 . 2009-10-10 04:13 ——– d—–w- d:\program files\Woody Woodpecker
    2009-10-10 04:09 . 2004-06-14 14:52 306688 —-a-w- d:\windows\IsUninst.exe
    2009-10-10 03:42 . 2009-10-10 03:42 ——– d—–w- d:\program files\Ubisoft
    2009-10-09 16:51 . 2009-10-09 16:51 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\AVG8
    2009-10-09 16:36 . 2009-10-09 16:36 ——– d—–w- d:\program files\Clam
    2009-10-09 12:21 . 2009-10-09 12:21 ——– d–h–w- d:\windows\PIF
    2009-10-09 05:39 . 2009-10-09 05:39 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\Macrium
    2009-10-09 05:37 . 2004-08-03 21:08 26496 -c–a-w- d:\windows\system32\dllcache\usbstor.sys
    2009-10-06 14:29 . 2009-10-06 14:29 ——– d-s—w- d:\documents and settings\Peter van Perlo\UserData
    2009-10-06 14:15 . 2001-08-17 10:50 320384 -c–a-w- d:\windows\system32\dllcache\mgaum.sys
    2009-10-06 14:15 . 2001-08-17 10:50 320384 —-a-w- d:\windows\system32\drivers\mgaum.sys
    2009-10-06 14:15 . 2001-08-17 12:56 235648 -c–a-w- d:\windows\system32\dllcache\mgaud.dll
    2009-10-06 14:15 . 2001-08-17 12:56 235648 —-a-w- d:\windows\system32\mgaud.dll
    2009-10-06 11:21 . 2005-05-26 13:34 2297552 —-a-w- d:\windows\system32\d3dx9_26.dll
    2009-10-06 11:21 . 2009-10-06 11:21 ——– d—–w- d:\windows\Logs
    2009-10-06 10:57 . 2009-10-06 10:57 ——– d-sh–w- d:\documents and settings\LocalService.NT AUTHORITY
    2009-10-06 10:57 . 2009-10-06 10:57 ——– d—–w- d:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft
    2009-10-06 10:20 . 2009-10-06 10:20 ——– d—–w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft
    2009-10-06 10:20 . 2009-10-06 10:20 ——– d-sh–w- d:\documents and settings\NetworkService.NT AUTHORITY
    2009-10-06 10:17 . 2004-08-04 12:00 221696 -c–a-w- d:\windows\system32\dllcache\seo.dll
    2009-10-06 10:16 . 2004-08-04 12:00 10129408 -c–a-w- d:\windows\system32\dllcache\hwxkor.dll
    2009-10-06 10:15 . 2004-08-04 12:00 68608 -c–a-w- d:\windows\system32\dllcache\isatq.dll
    2009-10-06 10:13 . 2009-10-06 10:15 ——– d-sh–w- d:\documents and settings\All Users.WINDOWS\DRM
    2009-10-06 10:11 . 2009-10-06 10:11 21640 —-a-w- d:\windows\system32\emptyregdb.dat
    2009-10-06 10:09 . 2004-08-03 23:01 40840 —-a-w- d:\windows\system32\drivers\termdd.sys
    2009-10-06 10:09 . 2004-08-03 21:01 196864 —-a-w- d:\windows\system32\drivers\rdpdr.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-12 09:16 . 2009-10-12 09:16 2449 —-a-w- d:\program files\wap
    2009-10-10 05:47 . 2009-07-08 05:43 ——– d—–w- d:\program files\Common Files\SureThing Shared
    2009-10-10 04:36 . 2009-07-07 09:51 ——– d—–w- d:\program files\AvRack
    2009-10-10 03:56 . 2009-10-06 11:22 1324 —-a-w- d:\windows\system32\d3d9caps.dat
    2009-10-10 03:42 . 2009-07-07 09:51 ——– d–h–w- d:\program files\InstallShield Installation Information
    2009-09-02 08:03 . 2009-09-02 08:03 ——– d—–w- d:\program files\Trend Micro
    2009-08-27 04:14 . 2009-07-20 12:17 ——– d—–w- d:\program files\Google
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="d:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "F-PROT Antivirus Tray application"="d:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2008-04-21 1597832]
    "Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "VTTimer"="VTTimer.exe" - d:\windows\system32\VTTimer.exe [2004-05-27 49152]
    "VTTrayp"="VTtrayp.exe" - d:\windows\system32\VTTrayp.exe [2004-06-07 143360]
    "SoundMan"="SOUNDMAN.EXE" - d:\windows\SOUNDMAN.EXE [2004-10-27 73728]

    d:\documents and settings\Minda\Start Menu\Programs\Startup\
    Shortcut to TCLOCKEX.EXE.lnk - e:\utilities\TCLOCK\TCLOCKEX.EXE [2009-8-10 89088]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\Ubisoft\\Prince of Persia\\Prince of Persia.exe"=
    "d:\\Program Files\\Ubisoft\\Prince of Persia\\PrinceOfPersia_Launcher.exe"=

    R0 FPAV_RTP;FPAV_RTP;d:\windows\system32\drivers\FStopW.sys [10/11/2009 5:48 PM 682840]
    R0 pssnap;Paramount Software Snapshot Filter;d:\windows\system32\drivers\pssnap.sys [5/20/2008 8:32 AM 15328]
    R1 fwdrv;Firewall Driver;d:\windows\system32\drivers\fwdrv.sys [7/18/2006 12:02 PM 284184]
    R1 khips;Kerio HIPS Driver;d:\windows\system32\drivers\khips.sys [7/18/2006 12:02 PM 91672]
    R2 FPAVServer;F-PROT Antivirus for Windows system;d:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [8/27/2009 4:26 PM 75424]
    R2 ReflectService;Macrium Reflect Image Mounting Service;d:\program files\Macrium\Reflect\ReflectService.exe [8/6/2008 11:34 AM 216032]
    S3 mgau;mgau;d:\windows\system32\drivers\mgaum.sys [10/6/2009 4:15 PM 320384]
    .
    .
    ——- Supplementary Scan ——-
    .
    IE: &Search
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-16 22:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ——————— LOCKED REGISTRY KEYS ———————

    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="04F0D21-79D8-7A25-D702-433F"
    .
    ———————— Other Running Processes ————————
    .
    d:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    d:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    d:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    .
    **************************************************************************
    .
    Completion time: 2009-10-16 22:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-10-16 20:26

    Pre-Run: 2,355,400,704 bytes free
    Post-Run: 3,120,136,192 bytes free

    151



    That was it. I'm going to bed now. We can continue tomorrow as far as I'm concerned.
    Kind regards, perloc
  • Hello perloc, because you were not able to deactivate the antivirus, that same antivirus damaged Combofix during the scan!
    As a result, the log is now basically worthless!

    It is extremely important that your antivirus is deactivated.

    What options do you get if you right-click the F-Prot icon in the system tray?

    If you do find the option to deactivate F-Prot there, throw Combofix in the recycle bin, download Combofix again and run the scan once more!
  • To make sure F-prot was not in the way, I deleted it.
    After Combofix finished, I reinstalled F-prot. It is now set to automatically update the DEF files.
    The first time, Combofix deleted 7 files and 2 registry entries.
    This time it did not delete anything more.
    You will come across quite a few games: this computer belongs to my son, aged 10.

    Here is the Combofix log file:

    ComboFix 09-10-16.02 - Peter van Perlo 10/17/2009 5:44.2.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.991.785 [GMT 2:00]
    Running from: d:\documents and settings\Peter van Perlo\Desktop\ComboFix.exe
    FW: Sunbelt Kerio Personal Firewall *disabled* {E659E0EE-10E6-49B7-8696-60F38D0EB174}
    .

    ((((((((((((((((((((((((( Files Created from 2009-09-17 to 2009-10-17 )))))))))))))))))))))))))))))))
    .

    2009-10-16 20:04 . 2009-10-16 20:04 ——– d—–w- d:\windows\system32\LogFiles
    2009-10-16 16:28 . 2009-10-16 16:28 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\Malwarebytes
    2009-10-16 16:28 . 2009-09-10 12:54 38224 —-a-w- d:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-16 16:28 . 2009-10-16 16:28 ——– d—–w- d:\program files\Malwarebytes' Anti-Malware
    2009-10-16 16:28 . 2009-10-16 16:28 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2009-10-16 16:28 . 2009-09-10 12:53 19160 —-a-w- d:\windows\system32\drivers\mbam.sys
    2009-10-16 12:15 . 2009-10-16 12:15 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\BigFishGamesCache
    2009-10-16 12:14 . 2009-10-16 12:14 ——– d–h–w- d:\program files\Zero G Registry
    2009-10-16 12:14 . 2009-10-16 12:14 ——– d–h–w- d:\documents and settings\Peter van Perlo\InstallAnywhere
    2009-10-16 12:08 . 2009-10-16 12:08 ——– d—–w- d:\program files\Microsoft Games
    2009-10-12 16:44 . 2009-10-12 16:47 ——– d—–w- d:\program files\MediaMonkey
    2009-10-12 16:25 . 2009-10-12 16:25 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2009-10-12 04:43 . 2009-10-12 04:43 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\FRISK Software
    2009-10-11 15:48 . 2009-10-11 15:48 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\FRISK Software
    2009-10-10 17:55 . 2009-10-10 17:55 17536 —-a-w- d:\documents and settings\Peter van Perlo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-10 05:50 . 2009-10-10 05:50 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\Sonic
    2009-10-10 05:50 . 2009-10-10 05:50 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\Leadertech
    2009-10-10 05:48 . 2009-10-10 05:48 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\InstallShield
    2009-10-10 04:35 . 2004-10-27 06:49 73728 —-a-w- d:\windows\SOUNDMAN.EXE
    2009-10-10 04:35 . 2004-02-25 10:00 40448 ——w- d:\windows\system32\ChCfg.exe
    2009-10-10 04:35 . 2004-10-27 05:17 9179648 —-a-w- d:\windows\system32\RTLCPL.EXE
    2009-10-10 04:35 . 2004-09-10 02:12 208896 ——w- d:\windows\alcupd.exe
    2009-10-10 04:35 . 2004-09-01 12:04 139264 ——w- d:\windows\alcrmv.exe
    2009-10-10 04:28 . 2003-07-01 20:42 27904 —-a-r- d:\windows\system32\drivers\VIAAGP1.SYS
    2009-10-10 04:12 . 2009-10-10 04:13 ——– d—–w- d:\program files\Woody Woodpecker
    2009-10-10 04:09 . 2004-06-14 14:52 306688 —-a-w- d:\windows\IsUninst.exe
    2009-10-10 03:42 . 2009-10-10 03:42 ——– d—–w- d:\program files\Ubisoft
    2009-10-09 16:51 . 2009-10-09 16:51 ——– d—–w- d:\documents and settings\Peter van Perlo\Application Data\AVG8
    2009-10-09 16:36 . 2009-10-09 16:36 ——– d—–w- d:\program files\Clam
    2009-10-09 12:21 . 2009-10-09 12:21 ——– d–h–w- d:\windows\PIF
    2009-10-09 05:39 . 2009-10-09 05:39 ——– d—–w- d:\documents and settings\All Users.WINDOWS\Application Data\Macrium
    2009-10-09 05:37 . 2004-08-03 21:08 26496 -c–a-w- d:\windows\system32\dllcache\usbstor.sys
    2009-10-06 14:29 . 2009-10-06 14:29 ——– d-s—w- d:\documents and settings\Peter van Perlo\UserData
    2009-10-06 14:15 . 2001-08-17 10:50 320384 -c–a-w- d:\windows\system32\dllcache\mgaum.sys
    2009-10-06 14:15 . 2001-08-17 10:50 320384 —-a-w- d:\windows\system32\drivers\mgaum.sys
    2009-10-06 14:15 . 2001-08-17 12:56 235648 -c–a-w- d:\windows\system32\dllcache\mgaud.dll
    2009-10-06 14:15 . 2001-08-17 12:56 235648 —-a-w- d:\windows\system32\mgaud.dll
    2009-10-06 11:21 . 2005-05-26 13:34 2297552 —-a-w- d:\windows\system32\d3dx9_26.dll
    2009-10-06 11:21 . 2009-10-06 11:21 ——– d—–w- d:\windows\Logs
    2009-10-06 10:57 . 2009-10-06 10:57 ——– d-sh–w- d:\documents and settings\LocalService.NT AUTHORITY
    2009-10-06 10:57 . 2009-10-06 10:57 ——– d—–w- d:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft
    2009-10-06 10:20 . 2009-10-06 10:20 ——– d—–w- d:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft
    2009-10-06 10:20 . 2009-10-06 10:20 ——– d-sh–w- d:\documents and settings\NetworkService.NT AUTHORITY
    2009-10-06 10:17 . 2004-08-04 12:00 221696 -c–a-w- d:\windows\system32\dllcache\seo.dll
    2009-10-06 10:16 . 2004-08-04 12:00 10129408 -c–a-w- d:\windows\system32\dllcache\hwxkor.dll
    2009-10-06 10:15 . 2004-08-04 12:00 68608 -c–a-w- d:\windows\system32\dllcache\isatq.dll
    2009-10-06 10:13 . 2009-10-06 10:15 ——– d-sh–w- d:\documents and settings\All Users.WINDOWS\DRM
    2009-10-06 10:11 . 2009-10-06 10:11 21640 —-a-w- d:\windows\system32\emptyregdb.dat
    2009-10-06 10:09 . 2004-08-03 23:01 40840 —-a-w- d:\windows\system32\drivers\termdd.sys
    2009-10-06 10:09 . 2004-08-03 21:01 196864 —-a-w- d:\windows\system32\drivers\rdpdr.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-12 09:16 . 2009-10-12 09:16 2449 —-a-w- d:\program files\wap
    2009-10-10 05:47 . 2009-07-08 05:43 ——– d—–w- d:\program files\Common Files\SureThing Shared
    2009-10-10 04:36 . 2009-07-07 09:51 ——– d—–w- d:\program files\AvRack
    2009-10-10 03:56 . 2009-10-06 11:22 1324 —-a-w- d:\windows\system32\d3d9caps.dat
    2009-10-10 03:42 . 2009-07-07 09:51 ——– d–h–w- d:\program files\InstallShield Installation Information
    2009-09-02 08:03 . 2009-09-02 08:03 ——– d—–w- d:\program files\Trend Micro
    2009-08-27 04:14 . 2009-07-20 12:17 ——– d—–w- d:\program files\Google
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="d:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "VTTimer"="VTTimer.exe" - d:\windows\system32\VTTimer.exe [2004-05-27 49152]
    "VTTrayp"="VTtrayp.exe" - d:\windows\system32\VTTrayp.exe [2004-06-07 143360]
    "SoundMan"="SOUNDMAN.EXE" - d:\windows\SOUNDMAN.EXE [2004-10-27 73728]

    d:\documents and settings\Minda\Start Menu\Programs\Startup\
    Shortcut to TCLOCKEX.EXE.lnk - e:\utilities\TCLOCK\TCLOCKEX.EXE [2009-8-10 89088]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\Ubisoft\\Prince of Persia\\Prince of Persia.exe"=
    "d:\\Program Files\\Ubisoft\\Prince of Persia\\PrinceOfPersia_Launcher.exe"=

    R0 pssnap;Paramount Software Snapshot Filter;d:\windows\system32\drivers\pssnap.sys [5/20/2008 8:32 AM 15328]
    R1 fwdrv;Firewall Driver;d:\windows\system32\drivers\fwdrv.sys [7/18/2006 12:02 PM 284184]
    R1 khips;Kerio HIPS Driver;d:\windows\system32\drivers\khips.sys [7/18/2006 12:02 PM 91672]
    R2 ReflectService;Macrium Reflect Image Mounting Service;d:\program files\Macrium\Reflect\ReflectService.exe [8/6/2008 11:34 AM 216032]
    R4 FPAV_RTP;FPAV_RTP;d:\windows\system32\DRIVERS\FStopW.sys –> d:\windows\system32\DRIVERS\FStopW.sys [?]
    S3 mgau;mgau;d:\windows\system32\drivers\mgaum.sys [10/6/2009 4:15 PM 320384]
    .
    .
    ——- Supplementary Scan ——-
    .
    IE: &Search
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-17 05:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ——————— LOCKED REGISTRY KEYS ———————

    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="04F0D21-79D8-7A25-D702-433F"
    .
    Completion time: 2009-10-17 5:53
    ComboFix-quarantined-files.txt 2009-10-17 03:53
    ComboFix2.txt 2009-10-16 20:27

    Pre-Run: 3,185,623,040 bytes free
    Post-Run: 3,160,526,848 bytes free

    120

    I'll wait and see....
    Kind regards, perloc
  • Hello perloc, you write "This time it did not delete anything more."

    You're wrong there; it has now also completely removed the malware drivers
    ——-\Legacy_MYWEBSEARCHSERVICE and
    ——-\Service_MyWebSearchService

    and that is very good news!

    The last log also shows no further anomalies.
    And that is absolutely a very good sign.

    Start MBAM again, update it first and then run a quick scan again.


    After that, create a new HijackThis log and post its result together with the MBAM scan result;
    also a
  • I don't know what MS charges for shipping SP3 on CD, but it can also be downloaded (306 Mb) and burned to a CD.
    Then it can be sent to you.....
  • Peter Vooges: thanks for the offer, but I have already accepted an offer from someone else.
    Kind regards, perloc
  • Abraham54: here come the 3 logs.
    I'll separate them with a ************* for convenience.

    Malwarebytes' Anti-Malware 1.41
    Database version: 2975
    Windows 5.1.2600 Service Pack 2

    10/17/2009 5:14:23 PM
    mbam-log-2009-10-17 (17-14-23).txt

    Scan type: Quick Scan
    Objects scanned: 125431
    Time elapsed: 3 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    *********************************
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:59:40 PM, on 10/17/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\VTTimer.exe
    D:\WINDOWS\system32\VTtrayp.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    D:\Program Files\Macrium\Reflect\ReflectService.exe
    D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - D:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - D:\Program Files\Macrium\Reflect\ReflectService.exe


    End of file - 2952 bytes
    ******************************
    Adobe Flash Player 10 ActiveX
    F-PROT Antivirus for Windows
    HijackThis 2.0.2
    Macrium Reflect - Free Edition
    Malwarebytes' Anti-Malware
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Need For Speed poursuite infernale 2
    Prince of Persia
    Realtek AC'97 Audio
    S3 S3Chromo
    S3 S3Config3D
    S3 S3Display
    S3 S3Gamma2
    S3 S3Info2
    S3 S3Overlay
    S3 S3RefreshLock
    S3 S3TrayPlus
    Sonic RecordNow! Deluxe
    Sonic Update Manager
    Sunbelt Kerio Personal Firewall
    UniChrome Pro IGP Display Driver and Utilities
    Woody Woodpecker
    ***********************

    Those are them.
    What's the status?
    Sorry for causing you so much work.
    Kind regards, perloc
  • Hello perloc, I can only say that the log now looks fine.
    By the look of it the trouble is completely over, and so it was not Virut, which I first suspected!

    Keep using MBAM - once a week, and always check for updates first!
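The comparison Abraham54 makes by eye in the two replies above (checking that the Legacy_/Service_ entries are gone and that the new HijackThis log shows nothing unusual) can be scripted. The Python below is an added example, not code from this thread or from HijackThis, ComboFix or MBAM: it parses HijackThis-style entry lines, diffs a "before" and an "after" log, and flags R0/R1 browser settings that point at hosts outside a small allowlist as well as O23 services that report no publisher. The two sample logs, the hostname search.hijacker.invalid, the path ConstructedToolbar\toolbarsvc.exe and the EXPECTED_HOSTS allowlist are all constructed for this example.

```python
"""Triage helper for HijackThis-style logs: parse entries, diff two logs, list items to review."""
import re
from urllib.parse import urlparse

# Matches an entry line such as "R0 - HKCU\...,Start Page = http://..." or
# "O23 - Service: Name (ShortName) - Owner - D:\path\file.exe".
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")

# Assumption for this example: hosts that a stock Internet Explorer points at.
# Any other host in an R0/R1 entry is worth a look (it is not automatically malicious).
EXPECTED_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}


def parse_hjt(text: str) -> dict:
    """Split a log into the running-process list and the numbered (kind, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group("kind"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def diff_logs(before: str, after: str) -> dict:
    """Entries and processes present in one log but not in the other."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "removed_entries": [e for e in b["entries"] if e not in a["entries"]],
        "added_entries": [e for e in a["entries"] if e not in b["entries"]],
        "removed_processes": sorted(set(b["processes"]) - set(a["processes"])),
        "added_processes": sorted(set(a["processes"]) - set(b["processes"])),
    }


def flag_entries(entries) -> list:
    """Return (kind, body, reason) for entries a reviewer should look at first."""
    flagged = []
    for kind, body in entries:
        if kind in ("R0", "R1") and "=" in body:
            # The first "=" separates the setting name from its value (the URL itself may contain more).
            url = body.split("=", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host and host not in EXPECTED_HOSTS:
                flagged.append((kind, body, f"IE setting points at unexpected host {host}"))
        elif kind == "O23" and "Unknown owner" in body:
            flagged.append((kind, body, "service binary carries no publisher information"))
    return flagged


def triage(before: str, after: str) -> dict:
    """Diff the two logs and report what is still flagged in the 'after' log."""
    report = diff_logs(before, after)
    report["still_flagged"] = flag_entries(parse_hjt(after)["entries"])
    return report


# Constructed sample logs (not the thread's real logs): a "before" with a hijacked start page
# and a rogue service, and an "after" in which a cleanup tool removed both.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ConstructedToolbar\toolbarsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.hijacker.invalid/default.jhtml?ptnr=CONSTRUCTED
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - D:\Program Files\ConstructedToolbar\toolbarsvc.exe
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\Explorer.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

if __name__ == "__main__":
    result = triage(BEFORE_LOG, AFTER_LOG)
    for kind, body in result["removed_entries"]:
        print(f"removed {kind}: {body}")
    for proc in result["removed_processes"]:
        print(f"process gone: {proc}")
    for kind, body, reason in result["still_flagged"]:
        print(f"still review {kind}: {reason}")
    print("clean" if not result["still_flagged"] else "entries remain to review")
```

What the script flags is a review list, not a verdict: the Macrium service in perloc's real log also reports "Unknown owner" and is legitimate, which is why each finding carries a reason and nothing is deleted.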
  • perloc wrote: "Peter Vooges: thanks for the offer, but I've already accepted an offer from someone else.
    Kind regards, perloc"

    Completely fine.
  • Abraham54: you say it wasn't a virus, but you don't say what it was then. Would you mind explaining that briefly?
    Kind regards, perloc
  • Abraham54 wrote: "By the look of it the trouble is completely over, and so it was not Virut, which I first suspected!" Just out of curiosity: where did you see an indication of that Virut infection?
