Screwed too - W32\Dloader.FBEE

    Hello everyone,

    I'd like to call on your knowledge, because I can't figure this out.

    Since yesterday a Norman alert has been popping up roughly every minute:

    Norman Virus Control detected a trojan and moved it to the quarantine.

    Location: c:\proga~1\462093.exe
    Trojan: W32\Dloader.FBEE
    After each alert the number in the location changes.

    Yesterday I did a sweep with Norman and Spyware Terminator, and after a reboot a stubborn little file (winrkp.dll) could finally be removed.
    Ran the scans again and nothing more was found, but the trojan alert was still there.

    Today a new one has appeared:

    Norman Virus Control detected a trojan and moved it to the quarantine.

    Location: c:\doumen~1\....\8123s9in\spools~1.exe
    Trojan: W32\Dloader.FICL
    This one also keeps changing location, and after opening IE I got several pop-ups (888.com). They wouldn't stop, so I had to close all open windows at once via Task Manager.

    Then I ran a scan with Spyware Terminator, which turned up nothing; Spybot S&D won't run or download.

    HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:14:00, on 18-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Norman\Npm\bin\ELOGSVC.EXE
    C:\Norman\Npm\Bin\Zanda.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CPUCooL\CooLSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Norman\Npm\bin\NJEEVES.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Norman\Npm\bin\ZLH.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\TEMP\win6C.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Janco\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Documents and Settings\Janco\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\462093.exe
    C:\Norman\Nvc\BIN\NIP.EXE
    C:\Norman\Nvc\bin\nvcoas.exe
    C:\Norman\Nvc\BIN\NVCSCHED.EXE
    C:\Norman\Nvc\bin\cclaw.exe
    C:\Norman\NVC\Bin\Nvcut.exe
    C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Norman\Nvc\BIN\nvcod.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60308
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60308
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60308
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60308
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60308
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win6C.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Janco\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Janco\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mijnalbum.nl/skin/v2/system/upload/ImageUploader4.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mijnalbum.nl/skin/system/upload/ImageUploader3.cab
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 9250 bytes
    O20 - winrkp.dll is back again too, I noticed

    All these alerts are driving me a bit crazy, so I sincerely hope you can help me. Thanks in advance

  • #2
    Hello,


    Close all open windows.
    Start HijackThis again and put a check mark next to the following items:

    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win6C.exe
    O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)


    Then click "Fix checked" and close HijackThis.


    Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Save it to your desktop.
    Double-click it to start the program.
    In the window that appears, type 1 to run the cleaning and analysis process.
    Follow the on-screen instructions.
    When the tool is finished, a log file (combofix.txt) opens.
    Post the contents of this file together with a new HijackThis log.


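The two items Marckie tells the poster to fix are the odd ones out in the log: a Run value named [avp] that launches an .exe from C:\WINDOWS\TEMP, and a Winlogon Notify entry whose DLL is no longer on disk. The running-process list also shows C:\Program Files\462093.exe, a purely numeric name that matches the constantly changing filenames Norman keeps quarantining. The script below is an added example, not part of this thread and not HijackThis's own code; it applies those three rules (launch from a temp directory, purely numeric executable name, missing Winlogon Notify DLL) to a constructed sample made of lines copied from the log above. The directory list and rule names are the example's own assumptions; a hit is a reason to look closer, not proof of infection, and an O23 service whose file is missing (PnkBstrA here) is deliberately left alone as an orphaned leftover rather than flagged.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis log in this thread,
# kept only to exercise the triage rules below.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\win6C.exe
C:\Program Files\462093.exe
C:\Norman\Nvc\bin\nvcoas.exe

O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win6C.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
"""

# Directories a legitimate autostart should never launch from (assumed list).
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def exe_path(cmd):
    """Return the executable a Run value launches, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def classify_path(path):
    """Heuristic verdict for one executable path, or None if nothing stands out."""
    low = path.lower()
    if any(t in low for t in TEMP_DIRS):
        return "executable lives in a temp directory"
    if PureWindowsPath(path).stem.isdigit():
        return "executable name is purely numeric"
    return None


def triage(log_text):
    """Return (line, reason) pairs for the HijackThis lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            reason = classify_path(exe_path(m.group("cmd")))
            if reason:
                findings.append((line, "autostart: " + reason))
            continue
        m = O20_RE.match(line)
        if m:
            # A Winlogon Notify DLL that has vanished is usually residue of a
            # partial cleanup. A missing O23 service file (PnkBstrA here) is
            # just an orphaned service and is deliberately not flagged.
            if m.group("missing"):
                findings.append((line, "Winlogon Notify DLL is missing from disk"))
            continue
        if PROCESS_RE.match(line):
            reason = classify_path(line)
            if reason:
                findings.append((line, "running process: " + reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:<50} {line}")
```

Run against the sample it reports exactly the four lines a helper would act on: the win6C.exe process and its [avp] Run value, the numeric 462093.exe process, and the orphaned winrkp32 Winlogon Notify entry. Paste a full log into SAMPLE_LOG to triage a real one; the rules are a first pass, so anything flagged still needs a look at the file itself.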

    • #3
      Hi Marckie,

      Thanks for your help.
      After following your instructions and clicking away a few alerts, it has stayed quiet so far...

      ComboFix log:

      ComboFix 08-01-20.1 - Janco 2008-01-19 22:51:00.1 - NTFSx86
      Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.1348 [GMT 1:00]
      Started from: C:\Documents and Settings\Janco\Bureaublad\ComboFix.exe
      * New restore point was created

      WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS SYSTEM !!
      .

      (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\WINDOWS\system32\drivers\OLD9.tmp

      .
      (((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 ))))))))))))))))))))))))))))))
      .

      2008-01-19 22:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
      2008-01-17 22:37 . 2008-01-17 22:37 <DIR> d-------- C:\Program Files\Lavasoft
      2008-01-17 22:37 . 2008-01-17 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
      2008-01-17 22:36 . 2008-01-17 22:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
      2008-01-17 21:38 . 2008-01-17 21:38 <DIR> d-------- C:\Program Files\Trend Micro
      2008-01-17 19:57 . 2008-01-17 19:57 100 --a------ C:\WINDOWS\wininit.ini
      2007-12-23 19:25 . 2007-12-23 19:25 <DIR> d-------- C:\Documents and Settings\Janco\Application Data\Ahead
      2007-12-20 19:52 . 2007-12-20 19:52 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\PC Suite

      .
      ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-01-18 21:49 --------- d-----w C:\Program Files\Spyware Terminator
      2008-01-18 21:49 --------- d-----w C:\Documents and Settings\Janco\Application Data\Spyware Terminator
      2008-01-18 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
      2008-01-16 19:10 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
      2008-01-16 19:09 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
      2007-12-30 15:35 --------- d-----w C:\Program Files\Prime95
      2007-12-29 20:48 --------- d-----w C:\Program Files\SpeedFan
      2007-12-15 16:39 --------- d-----w C:\Program Files\SystemRequirementsLab
      2007-12-15 13:39 --------- d-----w C:\Program Files\Electronic Arts
      2007-12-14 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
      2007-12-14 19:00 --------- d-----w C:\Program Files\Common Files\Logitech
      2007-12-14 19:00 --------- d-----w C:\Program Files\Common Files\Logishrd
      2007-12-14 18:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
      2007-12-14 18:59 --------- d-----w C:\Documents and Settings\Janco\Application Data\InstallShield
      2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
      2007-12-04 20:08 --------- d-----w C:\Program Files\Windows Media Connect 2
      2007-11-28 17:38 --------- d-----w C:\Program Files\Activision
      2007-11-23 19:14 --------- d-----w C:\Program Files\Java
      2007-11-15 09:07 76,304 ----a-w C:\WINDOWS\system32\KemXML.dll
      2007-11-15 09:07 170,512 ----a-w C:\WINDOWS\system32\kemutb.dll
      2007-11-15 09:07 141,840 ----a-w C:\WINDOWS\system32\KemUtil.dll
      2007-11-15 09:07 117,264 ----a-w C:\WINDOWS\system32\KemWnd.dll
      2007-11-15 09:06 301,656 ----a-w C:\WINDOWS\system32\BtCoreIf.dll
      2007-11-07 09:30 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
      2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
      2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
      2007-10-01 18:28 22,328 ----a-w C:\Documents and Settings\Janco\Application Data\PnkBstrK.sys
      2007-03-27 17:57 21,488 ----a-w C:\Documents and Settings\Janco\Application Data\GDIPFONTCACHEV1.DAT
      2006-07-28 17:21 1 ----a-w C:\Documents and Settings\Janco\SI.bin
      2001-11-23 18:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
      .

      ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      REGEDIT4
      *Note* empty entries & legit default entries are not shown

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03 15360]
      "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
      "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32 81920]
      "Google Update"="C:\Documents and Settings\Janco\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe" [2008-01-13 13:31 21488]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:03 110592 C:\WINDOWS\system32\bthprops.cpl]
      "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2005-10-07 15:42 139264]
      "Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40 183352]
      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
      "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
      "Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2005-12-20 14:34 32768]
      "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
      "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
      "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-25 17:46 282624]
      "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
      "P17Helper"="P17.dll" [2005-05-03 12:38 64512 C:\WINDOWS\system32\P17.dll]
      "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-10-08 18:56 2778112]
      "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:03 15360]
      "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

      C:\Documents and Settings\Janco\Menu Start\Programma's\Opstarten\
      YouTube Uploader.lnk - C:\Documents and Settings\Janco\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 13:33:08 71152]

      C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
      Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
      Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-07-23 07:46:49 784912]
      Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
      c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
      @=""

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
      --a------ 2005-06-06 22:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
      --a------ 2006-03-20 20:43 331776 C:\Program Files\AGEIA Technologies\TrayIcon.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
      --a------ 2002-07-12 23:33 1581056 C:\WINDOWS\mixer.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
      --a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      --a------ 2006-07-25 17:46 282624 C:\Program Files\QuickTime\qttask.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "CPUCooLServer"=2 (0x2)

      R0 JAHCI;JAHCI;C:\WINDOWS\system32\DRIVERS\JAHCI.sys [2005-10-25 04:35]
      R1 ntiowp;ntiowp;C:\WINDOWS\system32\drivers\ntiowp.sys [2005-01-03 17:04]
      R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-10-08 19:01]
      R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-29 23:53]
      R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]
      R3 Alpham;Ideazon Merc Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys [2005-12-04 13:55]
      R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-09-06 09:45]
      R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 11:45]
      R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]
      R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 19:36]
      S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 14:25]
      S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 14:25]
      S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 14:25]
      S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 14:25]
      S3 RTCore32;RTCore32;C:\Program Files\RMClock\RTCore32.sys

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{526a3683-199e-11db-b30a-806d6172696f}]
      \Shell\AutoRun\command - D:\install.exe

      *Newly Created Service* - PROCEXP90
      .
      **************************************************************************

      catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-01-20 22:57:54
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      Completion time: 2008-01-20 22:59:00
      ComboFix-quarantined-files.txt 2008-01-20 21:58:25
      .
      2008-01-15 23:14:26 --- E O F ---
      HijackThis log:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 23:00:43, on 20-1-2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Norman\Npm\bin\ELOGSVC.EXE
      C:\Norman\Npm\Bin\Zanda.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\CPUCooL\CooLSrv.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\Program Files\Spyware Terminator\sp_rsser.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Canon\CAL\CALMAIN.exe
      C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      C:\Norman\Nvc\BIN\NVCSCHED.EXE
      C:\Norman\Npm\bin\NJEEVES.EXE
      C:\Norman\Nvc\bin\nvcoas.exe
      C:\WINDOWS\System32\alg.exe
      C:\Program Files\Multimedia Card Reader\shwicon2k.exe
      C:\Norman\Npm\bin\ZLH.EXE
      C:\Norman\Nvc\BIN\NIP.EXE
      C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
      C:\Norman\Nvc\bin\cclaw.exe
      C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
      C:\Program Files\Ideazon\ZEngine\Zboard.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Documents and Settings\Janco\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe
      C:\Program Files\Logitech\SetPoint\SetPoint.exe
      C:\Documents and Settings\Janco\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
      C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\WINDOWS\System32\wbem\wmiprvse.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60308
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60308
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
      R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
      O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
      O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
      O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
      O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
      O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
      O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
      O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Janco\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate.exe"
      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
      O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Janco\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O8 - Extra context menu item: Crawler Search - tbr:iemenu
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
      O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mijnalbum.nl/skin/v2/system/upload/ImageUploader4.cab
      O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mijnalbum.nl/skin/system/upload/ImageUploader3.cab
      O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
      O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
      O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
      O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
      O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
      O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
      O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
      O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
      O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

      --
      End of file - 8459 bytes
      What does this trojan actually do? I can't find much about it.
      Should I be worried about passwords etc.?



      • #4
        You can also delete this file:
        C:\WINDOWS\wininit.ini

        I don't know everything it does, but changing your passwords certainly seems like a good idea.

        Ga naar Start - Uitvoeren en tik in: ComboFix /u
        Druk op Enter.

        Voer een onlinescan uit met de ESET Online Scanner.
        Vink aan: YES, I accept the Terms Of Use.
        Klik op de knop Start.
        Klik daarna op de knop Install.
        Klik op Start.

        De scanner zal nu initialiseren en updaten.
        Vink Remove found threats NIET aan, tenzij dit gevraagd wordt.
        Klik op de knop Scan.

        Wacht geduldig af tot de scan voltooid is, dit kan een tijdje duren.
        Wanneer de scan klaar is, klik je op de tab Details.
        Kopiëer en plak de inhoud van dit venster in je volgende post.
        (Je vindt dit ook terug als C:\Program Files\EsetOnlineScanner\log.txt)

        • #5
          Hmm, that online scanner doesn't work (for me). It gives an error (Error: Update failed(108)). Is that something on my end, or does it really not work?

          • #6
            Do this:

            Close all open Internet Explorer windows.
            Go to the Control Panel and double-click Internet Options.
            The "Internet Properties" window will open.
            Go to the General tab.
            Click the Delete Cookies button, and click OK in the window that opens.
            Now click the Delete Files button.
            In the window that opens, also check "Delete all offline content".
            Click the OK button.

            Restart Internet Explorer and try again.

            • #7
              OK, that did the trick. Scan done:

              # version=4
              # OnlineScanner.ocx=1.0.0.56
              # OnlineScannerDLLA.dll=1, 0, 0, 51
              # OnlineScannerDLLW.dll=1, 0, 0, 51
              # OnlineScannerUninstaller.exe=1, 0, 0, 49
              # vers_standard_module=2811 (20080121)
              # vers_arch_module=1.063 (20080117)
              # vers_adv_heur_module=1.060 (20070601)
              # EOSSerial=6c8e9307cbc8cc498eafecda86ca954f
              # end=finished
              # remove_checked=false
              # unwanted_checked=false
              # utc_time=2008-01-22 10:24:23
              # local_time=2008-01-22 11:24:23 (+0100, West-Europa (standaardtijd))
              # country="Netherlands"
              # osver=5.1.2600 NT Service Pack 2
              # scanned=704509
              # found=0
              # scan_time=6474
              The result looks fine to me, right?

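              As an added example that is not part of the thread, here is a Python snippet that reads the "# key=value" summary the ESET Online Scanner prints (as in the post above) and decides whether it really says "clean": only a scan that reached end=finished with found=0 counts, and a non-zero count combined with remove_checked=false means the scanner reported something but did not remove it. The summary text is constructed for the example and modelled on the post above; reading remove_checked as the "Remove found threats" option mentioned earlier in the thread is an assumption of this example.

```python
from typing import Dict, List, Tuple

# Constructed summary header in the "# key=value" shape the ESET Online Scanner
# writes; modelled on the post above, not copied from a real scan.
SAMPLE_SUMMARY = """\
# version=4
# vers_standard_module=2811 (20080121)
# end=finished
# remove_checked=false
# unwanted_checked=false
# osver=5.1.2600 NT Service Pack 2
# scanned=704509
# found=0
# scan_time=6474
"""


def parse_summary(text: str) -> Dict[str, str]:
    """Turn the '# key=value' lines into a dict; other lines are ignored."""
    summary: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("#") or "=" not in line:
            continue
        key, _, value = line[1:].partition("=")
        summary[key.strip()] = value.strip()
    return summary


def assess(summary: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (clean, notes): clean is True only for a finished scan with
    found=0; notes list what a reader should still be aware of."""
    notes: List[str] = []
    finished = summary.get("end") == "finished"
    if not finished:
        notes.append("scan did not run to completion, so the result is not conclusive")
    try:
        found = int(summary.get("found", ""))
    except ValueError:
        found = -1
        notes.append("summary carries no usable 'found' count")
    if found > 0:
        notes.append(f"{found} detection(s) reported")
        # Assumption for this example: remove_checked mirrors the
        # "Remove found threats" option, which the helper asked to leave off.
        if summary.get("remove_checked") == "false":
            notes.append("'Remove found threats' was off, so nothing was cleaned")
    if summary.get("scanned", "0") == "0":
        notes.append("no objects scanned; check that the scanner updated and started")
    return finished and found == 0, notes


if __name__ == "__main__":
    clean, notes = assess(parse_summary(SAMPLE_SUMMARY))
    print("clean" if clean else "needs follow-up")
    for n in notes:
        print(" -", n)
```

              The point of checking end and scanned as well as found is that a scan which aborted after its update failed (the error reported in post #5) would also show found=0, and that zero means nothing.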
              • #8
                That one is fine.
                Are there still any problems at the moment?

                • #9
                  No, no more alerts.
                  This was actually the first time in 10 years that I've had a problem like this; until now I'd managed fine to keep that junk out of the door. It is, to put it mildly, very unpleasant when you can no longer trust your own PC.


                  Thank you very much for your advice

                  • #10
                    You're welcome.

                    Go to Start - Run and type: ComboFix /u
                    Press Enter.
                    More information on how to prevent a new infection can be found here and here.

                    I am setting the status of this thread to solved.
                    If there are no further replies, this thread will be moved automatically within about 3 days to the Solved hijackthislogs section, after which replying is no longer possible. This keeps the forum tidy and easy to navigate.
                    If it turns out there are still problems and you want to reply in this topic again, send me a private message asking for it to be reopened.

                    Happy surfing again.
