Hello
I'm dealing with the following two Trojans here:
trojan.goldun and trojan.proxy.ranky
Bartmen
So it's two little horses happily galloping around in my computer and trampling all kinds of things on their way!
This is my log:
Logfile of HijackThis v1.99.1
Scan saved at 14:29:51, on 27.12.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Wanadoo\taskbaricon.exe
C:\Program Files\Packard Bell EverSafe\TrayControl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\VDG\Mijn documenten\Elke\hijack logs\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bi...e=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getjealous.com/getjealous...d&go=blondello
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\benl.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo België
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [userinit.exe] C:\WINDOWS\userinit.exe
O4 - HKCU\..\Run: [ÑÒFMÎN.EXE] C:\WINDOWS\ÑÒFMÎN.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1043\phdintl.dll/phdContext.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\benl.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106w.bay106.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mijnalbum.nl/skin/v2/syst...eUploader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rege2usb - rege2usb.dll (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
The problems I'm experiencing:
- error messages
- can't get on Messenger
- can't get on Hotmail
Last edited by miss elfjen; 28 December 2006 at 11:14 Reason: removed computer owner's name
I tried what was in another topic, namely a reply to someone who also had an MSN virus.
This is my log after that whole rigmarole of downloading, scanning and so on:
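The O4 (Run key) and O20 (Winlogon Notify) lines of a HijackThis log like the one above can be triaged automatically. This is an added example, not code from the thread, from HijackThis or from HaxFix: it parses a handful of lines copied from the log above and flags three indicators that the rest of this thread bears out, a Run entry whose name is made of non-ASCII characters, userinit.exe started from a Run key outside system32, and a Winlogon Notify key whose DLL is missing from disk. The three heuristics and the Finding type are my own.

```python
import re
from dataclasses import dataclass

# HijackThis lines copied from the log posted above (a small subset of it).
SAMPLE_LOG_LINES = [
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [userinit.exe] C:\WINDOWS\userinit.exe",
    # the entry whose name is made of non-ASCII characters (written as escapes)
    "O4 - HKCU\\..\\Run: [\u00d1\u00d2FM\u00ceN.EXE] C:\\WINDOWS\\\u00d1\u00d2FM\u00ceN.EXE",
    r"O20 - Winlogon Notify: rege2usb - rege2usb.dll (file missing)",
    r"O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)


@dataclass
class Finding:
    line: str    # the HijackThis line that triggered the rule
    reason: str  # why it deserves a second look


# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O20 - Winlogon Notify: key - file.dll (file missing)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")


def has_non_ascii(text: str) -> bool:
    return any(ord(ch) > 127 for ch in text)


def image_path(cmd: str) -> str:
    """Return the executable part of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # unquoted: arguments in these logs start with " /" or " -"
    return re.split(r" [/-]", cmd, maxsplit=1)[0]


def review_hijackthis(text: str) -> list:
    """Apply the three heuristics to every line and return the findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if has_non_ascii(name) or has_non_ascii(cmd):
                findings.append(Finding(line, "Run entry whose name or path contains non-ASCII characters"))
            image = image_path(cmd)
            if image.lower().rsplit("\\", 1)[-1] == "userinit.exe":
                # the genuine userinit.exe lives in %SystemRoot%\system32 and is
                # started by Winlogon itself, so a Run value for it is abnormal
                reason = "userinit.exe is launched by Winlogon, not from a Run key"
                if "\\system32\\" not in image.lower():
                    reason += f"; {image} is outside %SystemRoot%\\system32"
                findings.append(Finding(line, reason))
            continue
        m = O20_RE.match(line)
        if m and m.group("missing"):
            findings.append(Finding(line, f"Winlogon Notify key '{m.group('key')}' loads a DLL that is not on disk"))
    return findings


if __name__ == "__main__":
    for f in review_hijackthis(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Entries that trip a rule are candidates for a closer look, not verdicts; the HaxFix output at the end of this thread shows the same rege2usb notify key being reported under its Goldun checks.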
VDG - 06-12-27 17:08:29,06 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\VDG\Bureaublad"
((((((((((((((((((((((((((((((( Files Created from 2006-11-27 to 2006-12-27 ))))))))))))))))))))))))))))))))))
2006-12-27 15:26 <DIR> d-------- C:\Documents and Settings\VDG\Application Data\Lavasoft
2006-12-27 15:25 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-27 15:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-27 15:11 26,157 --a------ C:\WINDOWS\serv.exe
2006-12-27 15:05 <DIR> d--hs---- C:\Config.Msi
2006-12-27 11:25 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-12-27 10:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2006-12-27 10:12 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-12-27 10:12 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-12-27 10:10 <DIR> d-------- C:\Program Files\Spyware Doctor
2006-12-27 10:10 <DIR> d-------- C:\Documents and Settings\VDG\Application Data\PC Tools
2006-12-27 09:59 <DIR> dr-h----- C:\$VAULT$.AVG
2006-12-26 23:40 <DIR> d-------- C:\Documents and Settings\VDG\Application Data\AVG7
2006-12-26 23:39 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-26 23:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-12-26 23:39 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-26 23:39 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-26 23:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-12-26 23:39 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-26 23:39 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-26 23:39 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-26 23:38 <DIR> d-------- C:\Program Files\Grisoft
2006-12-26 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-26 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-26 23:21 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2006-12-26 23:20 <DIR> d-------- C:\Program Files\Hitman Pro
2006-12-18 22:10 52,493 --a------ C:\WINDOWS\system32\ysijtp.exe
2006-12-18 22:10 5,892 C:\WINDOWS\¥OFMIN.EXE
2006-12-18 22:10 30,791 --a------ C:\WINDOWS\userinit.exe
2006-12-18 21:23 <DIR> d-------- C:\Program Files\Soulseek
2006-12-14 22:23 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2006-12-14 22:23 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2006-12-14 22:23 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2006-12-14 22:23 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2006-12-14 22:23 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2006-12-14 22:23 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2006-12-14 22:23 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2006-12-14 22:23 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2006-12-08 18:29 <DIR> d---s---- C:\Documents and Settings\VDG\UserData
2006-12-08 18:25 <DIR> d-------- C:\Documents and Settings\VDG\Contacts
2006-12-08 18:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-27 17:01 -------- d-------- C:\Program Files\Packard Bell EverSafe
2006-12-27 17:01 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-27 17:01 -------- d-------- C:\Program Files\Common Files
2006-12-27 15:04 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-26 23:38 -------- d---s---- C:\Documents and Settings\VDG\Application Data\Microsoft
2006-12-26 19:43 -------- d-------- C:\Program Files\Norton Internet Security
2006-12-26 19:08 -------- d-------- C:\Program Files\Norton AntiVirus
2006-12-26 18:26 -------- d-------- C:\Program Files\Wanadoo
2006-12-18 22:10 5892 --a------ C:\WINDOWS\¥OFMIN.EXE
2006-12-17 20:06 -------- d-------- C:\Documents and Settings\VDG\Application Data\Skype
2006-12-09 07:47 -------- d-------- C:\Program Files\Symantec
2006-11-26 17:11 -------- d--h----- C:\Program Files\WindowsUpdate
2006-11-20 07:42 -------- d-------- C:\Program Files\SymNetDrv
2006-11-09 19:27 -------- d-------- C:\Program Files\Skype
2006-11-09 18:36 -------- d-------- C:\Documents and Settings\VDG\Application Data\MSN6
2006-10-30 18:58 -------- d-------- C:\Documents and Settings\VDG\Application Data\VanDale
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"userinit.exe"="C:\\WINDOWS\\userinit.exe"
"ÑÒFMÎN.EXE"="C:\\WINDOWS\\ÑÒFMÎN.EXE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SiS Tray"="C:\\WINDOWS\\System32\\sistray.EXE"
"SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"WOOWATCH"="C:\\PROGRA~1\\Wanadoo\\watch.exe"
"WOOTASKBARICON"="C:\\PROGRA~1\\Wanadoo\\taskbaricon.exe"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"NovaNet-WEB Tray Control"="C:\\Program Files\\Packard Bell EverSafe\\TrayControl.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"EPSON Stylus C44 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C44 Series\" /O6 \"USB001\" /M \"Stylus C44\""
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="Mijn huidige introductiepagina"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rege2usb
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HDReg.job
C:\WINDOWS\tasks\Herinnering voor registratie 1.job
C:\WINDOWS\tasks\Herinnering voor registratie 2.job
C:\WINDOWS\tasks\Herinnering voor registratie 3.job
C:\WINDOWS\tasks\Norton AntiVirus - Mijn computer scannen.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 06-12-27 17:10:58.52
C:\ComboFix.txt ... 06-12-27 17:10
and here is my HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 17:16:04, on 27.12.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Wanadoo\taskbaricon.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Packard Bell EverSafe\TrayControl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\VDG\Mijn documenten\Elke\hijack logs\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bi...e=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getjealous.com/getjealous...d&go=blondello
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\benl.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo België
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [userinit.exe] C:\WINDOWS\userinit.exe
O4 - HKCU\..\Run: [ÑÒFMÎN.EXE] C:\WINDOWS\ÑÒFMÎN.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1043\phdintl.dll/phdContext.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\benl.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106w.bay106.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mijnalbum.nl/skin/v2/syst...eUploader4.cab
O20 - Winlogon Notify: rege2usb - rege2usb.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Please, can someone help me.... I so badly want to get back on Hotmail and MSN...
Last edited by miss elfjen; 28 December 2006 at 11:17 Reason: removed PC owner's name
* Download and install AVG Anti-Spyware.
- After installation, open AVG Anti-Spyware:
* under "Status", click Change state next to "Resident shield". (change from active to inactive!)
* under "Update", click the Start update button.
* under "Scanner", tab "Settings":
- - under "How to act?", click "Recommended actions" and select Quarantine. (VERY IMPORTANT!)
* under "Reports", select Automatically generate report after every scan and remove the checkmark at Only if threats were found
Close AVG Anti-Spyware. Don't let it scan yet.
* If you haven't installed Ad-Aware SE yet, download, install and update it following the guidelines
that you can find at: http://users.pandora.be/marcvn/spyware/1414188.htm
Ad-Aware download link: http://www.lavasoftusa.com/products/...e_personal.php
* Boot your computer into SAFE MODE
* Run a full scan with Ad-Aware and remove everything that is found.
* Start AVG Anti-Spyware.
- * Click Scan and choose Complete System Scan.
After the scan, follow the instructions below:
IMPORTANT: Do not click the "Save Scan Report" button before you have clicked the "Apply all Actions" button!
* Make sure that Set all elements to: is set to Quarantine (1),
if not, click the link and choose Quarantine in the popup menu. (2)
(This does not apply to cookies; those are always deleted!)
* At the bottom of the window, click the Apply all Actions button. (3)
* When you get the message 'All actions have been applied', click the Save Report button at the bottom.
* Restart your computer in normal mode.
* Download ATF Cleaner (by Atribune)
Double-click ATF Cleaner to start the program.
On the "Main" tab, put a checkmark at Select All.
Click the Empty Selected button.
If you also use Firefox as a browser:
Click the "Firefox" tab, put a checkmark at Select All.
If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
(this removes the checkmark at "Firefox saved passwords")
Click the Empty Selected button.
If you also use Opera as a browser:
Click the "Opera" tab, put a checkmark at Select All.
If you want to keep the passwords saved by Opera, click "No" in the window that appears.
Click the Empty Selected button.
Go to the "Main" tab and click the Exit button to close the program.
* Then post a new HijackThis log here along with the AVG Anti-Spyware report.
Member of ASAP
Yes, but I just did all of that!
I had seen that you recommended this to someone who had an MSN virus, so I carried out the whole procedure.
The log is already there (see my last post)
Uninstalled MSN? I also don't see a log from AVG Anti-Spyware.
Member of ASAP
I uninstalled MSN (Control Panel, Add/Remove Programs),
this is the AVG log:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 16:59:07 27/12/2006
+ Scan result:
C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
::Report end
It's rather short, but I made a mistake in safe mode: instead of scanning and so on with AVG, I did it with Ad-Aware. That put 33 files in quarantine, which were then removed (done manually).
Then I also scanned once more with AVG; you can see its report above.
These are the logs from Spyware, one from this morning (before I did everything listed above) and one from just now (after the whole business in safe mode and so on)
Scanresultaten:
start scan:27.12.2006 12:21:20
einde scan:27.12.2006 12:39:03
gescande items:16312
gevonden items:2
gevonden en genegeerd:0
gebruikte programma's:General Scanner, Process Scanner, Startup Scanner, Disk Scanner, ActiveX Scanner
Infectienaam:
Trojan.Proxy.Ranky C:\DIVTOOLS\UNZIP\UNZIPSFX.EXE
Trojan.Goldun C:\WINDOWS\SYSTEM32\regepsrvc.sys
Scanresultaten:
start scan:27.12.2006 17:37:04
einde scan:27.12.2006 17:56:39
gescande items:72257
gevonden items:2
gevonden en genegeerd:0
gebruikte programma's:General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner
Infectienaam:
Tracking Cookie(s) C:\Documents and Settings\VDG\Cookies\vdg@metriweb[1].txt
Trojan.Goldun C:\WINDOWS\serv.exe
Last edited by miss elfjen; 28 December 2006 at 11:17
I have one more question: when I try to start the update in AVG Anti-Spyware, I get the message that it can't connect to the internet.
I have a LAN connection; how do I set this up so that it can connect anyway...?
Download haxfix.exe.
Place it on your desktop.
Close all other programs and close all open windows.
Double-click haxfix.exe to start the installation.
Put a checkmark at "Create a desktop icon".
Click "Next" and follow the on-screen instructions.
When the installation is finished, make sure there is a checkmark at "Launch HaxFix".
Click "Finish".
A red DOS window opens.
Choose Option 1: Make logfile by pressing 1.
This may take a while. When HaxFix is done, a Notepad file opens (haxlog.txt)
Post the contents of that file.
Member of ASAP
miss elfjen (29 December 2006)
HAXFIX logfile - by Marckie
version 4.32
28.12.2006 14:47:19,17
--- Checking for Haxdoor ---
checking for a3d files
a3d files not found
checking for matching notify keys
no matching notify keys found
checking for matching services
matching services found
CmBatt
checking for matching safeboot services
no matching safeboot services found
checking for other Haxdoor-files
no other Haxdoor-files found
--- Checking for Goldun ---
checking for SSODL keys
no ssodl keys found
checking for notify keys
rege2usb
checking for services
no services found
checking for other Goldun-files
no other Goldun-files found
Finished!