Mededeling

Collapse
No announcement yet.

SHeur - verder opschonen computer

Collapse
X
  •  
  • Filter
  • Tijd
  • Show
Clear All
new posts

  • SHeur - verder opschonen computer

    Dag Marckie,

    Ik heb eerst je laatste opdracht in het vorige topic uitgevoerd:

    Ga naar Start - uitvoeren en tik in: sc delete uzlbymsa
    Druk op OK.
    Daarna heb ik ComboFix en HijackThis laten lopen. Hierbij de logjes:

    ----------------------------------------------------------------

    ComboFix 08-01-20.1 - HP_Eigenaar 2008-01-21 19:28:49.7 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.238 [GMT 1:00]
    Gestart vanuit: C:\Documents and Settings\HP_Eigenaar\Bureaublad\ComboFix.exe
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2007-12-21 to 2008-01-21 ))))))))))))))))))))))))))))))
    .

    2008-01-21 03:14 . 2008-01-21 18:12 <DIR> dr-h----- C:\Documents and Settings\HP_Eigenaar\Onlangs geopend
    2008-01-21 03:13 . 2008-01-21 03:13 <DIR> d-------- C:\Program Files\CCleaner
    2008-01-21 02:10 . 2008-01-21 02:10 <DIR> d-------- C:\Program Files\Lavasoft
    2008-01-21 02:10 . 2008-01-21 02:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-21 02:09 . 2008-01-21 02:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-21 00:33 . 2008-01-21 00:33 <DIR> d-------- C:\Documents and Settings\HP_Eigenaar\Application Data\Grisoft
    2008-01-21 00:33 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-01-20 22:31 . 2008-01-20 16:35 360,064 --a------ C:\WINDOWS\system32\tcpip.sys
    2008-01-15 00:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-13 17:37 . 2008-01-13 17:37 <DIR> d-------- C:\Program Files\Trend Micro

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-21 11:55 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
    2008-01-21 02:08 --------- d-----w C:\Program Files\Soulseek
    2008-01-21 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-20 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-20 15:35 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-01-14 17:38 --------- d-----w C:\Program Files\eMule
    2008-01-11 03:16 --------- d-----w C:\Program Files\Soulseek-Test
    2008-01-10 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-12-11 12:12 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\Winamp
    2007-12-11 12:11 --------- d-----w C:\Program Files\Winamp
    2007-11-07 09:30 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
    .

    ((((((((((((((((((((((((((((( [email protected]_13.56.58.07 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-16 12:46:30 1,224,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-21 18:22:04 1,224,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-16 12:46:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-21 18:22:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-16 12:46:30 1,224,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-21 18:22:04 1,224,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-16 12:46:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-21 18:22:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-16 12:46:30 10,027,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-21 18:22:05 10,047,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-16 12:46:30 155,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-21 18:22:05 155,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-21 01:10:30 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
    + 2008-01-21 01:10:30 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
    + 2008-01-21 01:10:30 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
    + 2008-01-21 01:10:30 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
    - 2008-01-13 04:08:51 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    + 2008-01-20 15:35:56 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    - 2007-10-26 11:39:18 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
    + 2008-01-20 22:49:34 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
    - 2007-12-06 00:16:41 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
    + 2008-01-20 23:39:20 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
    - 2007-08-26 09:39:07 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
    + 2008-01-20 22:49:39 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
    - 2007-12-21 08:07:51 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
    + 2008-01-20 23:39:22 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
    - 2007-12-21 08:07:38 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
    + 2008-01-20 23:39:21 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
    - 2007-12-06 00:16:43 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
    + 2008-01-20 23:39:21 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
    + 2007-07-11 12:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
    + 2007-08-07 11:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    + 2007-08-07 11:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-03 18:43 118784]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
    "VTTimer"="VTTimer.exe"
    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-21 00:39 579072]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 00:39 219136]


    .
    Inhoud van de 'Gedeelde Taken' map
    "2008-01-19 07:11:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-21 19:30:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-01-21 19:31:45
    ComboFix-quarantined-files.txt 2008-01-21 18:31:16
    ComboFix2.txt 2008-01-19 18:52:32
    ComboFix3.txt 2008-01-16 02:38:17
    .
    2008-01-13 05:13:28 --- E O F ---

    --------------------------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:32:52, on 21-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\HP_Eigenaar\Mijn documenten\PC technisch\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q404&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - https://secure.ingbank.nl/download/DigiSign.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 5991 bytes

  • #2
    Ziet er goed uit.

    Voer een onlinescan uit met de ESET Online Scanner.
    Vink aan: YES, I accept the Terms Of Use.
    Klik op de knop Start.
    Klik daarna op de knop Install.
    Klik op Start.

    De scanner zal nu initialiseren en updaten.
    Vink Remove found threats NIET aan, tenzij dit gevraagd wordt.
    Klik op de knop Scan.

    Wacht geduldig af tot de scan voltooid is, dit kan een tijdje duren.
    Wanneer de scan klaar is, klik je op de tab Details.
    Kopiëer en plak de inhoud van dit venster in je volgende post.
    (Je vindt dit ook terug als C:\Program Files\EsetOnlineScanner\log.txt)

    Comment


    • #3
      Hoi Marckie,

      Hierbij het ESET-log:
      -----------------------------------
      # version=4
      # OnlineScanner.ocx=1.0.0.56
      # OnlineScannerDLLA.dll=1, 0, 0, 51
      # OnlineScannerDLLW.dll=1, 0, 0, 51
      # OnlineScannerUninstaller.exe=1, 0, 0, 49
      # vers_standard_module=2811 (20080121)
      # vers_arch_module=1.063 (20080117)
      # vers_adv_heur_module=1.060 (20070601)
      # EOSSerial=d3f8bf1a6c99094dbea61c5248258515
      # end=finished
      # remove_checked=false
      # unwanted_checked=false
      # utc_time=2008-01-21 07:55:00
      # local_time=2008-01-21 08:55:00 (+0100, West-Europa (standaardtijd))
      # country="Netherlands"
      # osver=5.1.2600 NT Service Pack 2
      # scanned=346010
      # found=2
      # scan_time=2382
      C:\QooBox\Quarantine\catchme2008-01-16_150905.21.zip Win32/Agent.NOU trojan A1D15A20C45E3471AAFCA4839127E7FF
      C:\QooBox\Quarantine\catchme2008-01-16_150905.21.zip »ZIP »ktqxvwbc.dat Win32/Agent.NOU trojan 00000000000000000000000000000000

      Comment


      • #4
        Dag Xander,

        Er is niet veel meer gevonden tijdens de online-scan.

        Heb je nog problemen met de computer?

        Comment


        • #5
          Nou, voor zover ik het kan beoordelen niet... Zou dat betekenen dat alles weer in orde is..?

          Comment


          • #6
            Het lijkt er wel op Xander.

            Ga naar Start - Uitvoeren en tik in: ComboFix /u
            Druk op Enter.

            Meer info over hoe je een nieuwe infectie kan voorkomen vind je hier en hier.

            De status van deze thread zet ik op opgelost.
            Indien er niet meer gereageerd wordt, zal binnen een 3-tal dagen deze thread automatisch verplaatst worden naar de sectie Opgeloste hijackthislogs en is een reactie niet meer mogelijk. Dit om het forum netjes en overzichtelijk te houden.
            Blijkt dat er toch nog problemen zijn, en je wil weer reageren in dit topic, dan stuur je me een privé bericht met verzoek om heropening.

            Happy surfing again.

            Comment


            • #7
              Nou, geweldig! Nogmaals hartelijk bedankt voor alle hulp!!

              Groeten,
              Xander.

              Comment


              • #8
                Graag gedaan hoor.

                Comment

                Sorry, you are not authorized to view this page
                Working...
                X