Mededeling

Collapse
No announcement yet.

Windows has detected spyware infection

Collapse
X
  •  
  • Filter
  • Tijd
  • Show
Clear All
new posts

  • Windows has detected spyware infection

    Sinds een aantal dagen geeft mijn ouders pc de volgende melding: Windows has detected spyware infection! blabla... Daarbij een rood kruisje in de taakbalk.

    Ook komt er een popup tevoorschijn van Windows Security alert met de melding: Warning! Potential Spyware Operation! blabla...

    Dit probleem kwam ik ook tegen in deze thread http://www.nucia.eu/forum/showthread.php?t=13343 waarna ik de oplossing die aangegeven is in deze thread gevolgd heb.

    Hier het smitrem.exe log:

    smitRem © log file
    version 3.2

    by noahdfear


    Microsoft Windows XP [versie 5.1.2600]
    "IE"="6.0000"

    Running from
    C:\Documents and Settings\Adri\Bureaublad\smitRem

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Pre-run SharedTask Export

    (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
    Copyright(C) 2006 BleepingComputer.com

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Appinitdll check ........ Thank you Grinler!

    dumphive.exe (C)2000-2004 Markus Stephany
    REGEDIT4

    [Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    XP Firewall allowed access

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Standard Profile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\WINDOWS\\TEMP\\win84.exe"="C:\\WINDOWS\\TEMP\\win84.exe:*:Enabled:win84"
    "C:\\WINDOWS\\TEMP\\win29.exe"="C:\\WINDOWS\\TEMP\\win29.exe:*:Enabled:win29"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!


    checking for drsmartload2 key


    drsmartload2 key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    SpywareStrike uninstaller NOT present
    AlfaCleaner uninstaller NOT present
    SpyFalcon uninstaller NOT present
    SpywareQuake uninstaller NOT present
    SpywareSheriff uninstaller NOT present
    Trust Cleaner uninstaller NOT present
    SpyHeal uninstaller NOT present
    VirusBurst uninstaller NOT present
    BraveSentry uninstaller NOT present
    AntiVermins uninstaller NOT present
    VirusBursters uninstaller NOT present

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 940 'explorer.exe'

    Starting registry repairs

    Registry repairs complete

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SharedTask Export after registry fix

    (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
    Copyright(C) 2006 BleepingComputer.com

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Deleting files

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~



    ~~~ Wininet.dll ~~~

    CLEAN!

    En hier het AVG log:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 21:17:00 28-1-2008

    + Scan result:



    C:\Documents and Settings\Adri\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][1].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][2].txt -> TrackingCookie.Enhance : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][1].txt -> TrackingCookie.Msn : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][1].txt -> TrackingCookie.Msn : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][1].txt -> TrackingCookie.Netflame : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][2].txt -> TrackingCookie.Onestat : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][1].txt -> TrackingCookie.Weborama : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.
    C:\Documents and Settings\Adri\Cookies\[email protected][1].txt -> TrackingCookie.Yadro : Cleaned.


    ::Report end

    Hier het panda online log:

    Incident Status Location

    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Adri\Bureaublad\smitRem\Process.exe
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][1].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][1].txt
    Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][1].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][2].txt
    Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][1].txt
    Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][2].txt
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Adri\Cookies\[email protected][1].txt
    Virus:Trj/Banker.JER Not disinfected C:\Program Files\InstallShield Installation Information\{76542EE3-5849-11D2-9C18-00609707C0FF}\data1.cab[wget.exe]


    En hier het verse Hijack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:26:05, on 31-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Adri\Mijn documenten\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvjak.dll,startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5218/mcfscan.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: wingmo32 - C:\WINDOWS\SYSTEM32\wingmo32.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\rapapp.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    Ondertussen gaan de popups met spyware waarschuwingen gewoon door. Heeft iemand enig idee wat de oplossing hiervoor kan zijn? Alvast heel erg bedankt voor de moeite.

    Groeten, Sander

  • #2
    Doe dit Sander:

    Je gebruikt een oude versie van HijackThis. Best dat je deze versie gebruikt: http://www.trendsecure.com/portal/en...HJTInstall.exe


    Sluit alle open vensters.
    Start HijackThis nog een keer en plaats een vinkje bij de volgende items:

    O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvjak.dll,startup
    O20 - Winlogon Notify: wingmo32 - C:\WINDOWS\SYSTEM32\wingmo32.dll


    Klik daarna op "Fix checked" en sluit HijackThis af.

    Download combofix.exe van deze site: http://www.bleepingcomputer.com/comb...uikt-te-worden
    Volg de instructies die daar gegeven worden. Is er iets niet duidelijk, dan vraag je het.
    Als het tooltje klaar is, opent er een logfile (combofix.txt).
    Post de inhoud van dit bestandje samen met een nieuwe hijackthislog.

    Comment


    • #3
      Bedankt voor je snelle reactie.

      Hier het combofix log:

      ComboFix 08-02.01.1 - Adri 2008-01-31 20:55:31.1 - NTFSx86
      Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.74 [GMT 1:00]
      Gestart vanuit: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
      * Nieuw herstelpunt werd aangemaakt

      WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
      .

      (((((((((((((((((((( Bestanden Gemaakt van 2008-01-01 to 2008-02.01 ))))))))))))))))))))))))))))))
      .

      2008-01-30 19:04 . 2008-01-30 19:04 <DIR> d-------- C:\WINDOWS\McAfee.com
      2008-01-29 21:37 . 2008-01-29 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
      2008-01-28 22:01 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
      2008-01-28 21:59 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\xltvigfrxwbb.sys
      2008-01-28 21:34 . 2008-01-28 22:39 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
      2008-01-28 21:34 . 2008-01-28 21:55 30,590 --a------ C:\WINDOWS\system32\pavas.ico
      2008-01-28 21:34 . 2008-01-28 21:55 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
      2008-01-28 21:34 . 2008-01-28 21:55 1,406 --a------ C:\WINDOWS\system32\Help.ico
      2008-01-28 19:22 . 2008-01-28 19:22 <DIR> d-------- C:\Documents and Settings\Adri\Application Data\Grisoft
      2008-01-28 19:21 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
      2008-01-28 19:20 . 2008-01-28 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
      2008-01-28 19:13 . 2008-01-28 19:13 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten
      2008-01-27 15:17 . 2008-01-27 15:17 0 --a------ C:\WINDOWS\vpc32.INI
      2008-01-27 11:35 . 2008-01-27 11:35 15,872 --a------ C:\WINDOWS\system32\drvjak.dll
      2008-01-26 16:42 . 2008-01-26 16:42 23,552 --a------ C:\WINDOWS\system32\wingmo32.dll

      .
      ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-01-31 19:12 --------- d-----w C:\Program Files\Symantec AntiVirus
      2008-01-28 21:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
      2008-01-28 21:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
      2008-01-27 14:20 --------- d-----w C:\Program Files\Google
      2008-01-25 17:53 --------- d-----w C:\Program Files\nipo.n
      2007-11-20 16:09 47,670 ----a-w C:\Documents and Settings\Adri\Application Data\mdb.bin
      2007-09-22 20:06 17,528 ----a-w C:\Documents and Settings\Adri\Application Data\GDIPFONTCACHEV1.DAT
      .

      ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      REGEDIT4
      *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
      "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:15 1667584]
      "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 16:38 52840]
      "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 18:49 125632]
      "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
      "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
      "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

      C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
      BlackICE PC Protection.lnk - C:\Program Files\Network ICE\BlackICE\blackice.exe [2007-07-02 19:38:07 778240]
      hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 17:21:38 147456]
      hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 17:11:12 28672]
      Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

      R0 stwlfbus;stwlfbus;C:\WINDOWS\system32\DRIVERS\stwlfbus.sys [2003-04-27 11:39]
      R3 st3wolf;st3wolf;C:\WINDOWS\system32\DRIVERS\st3wolf.sys [2003-04-27 10:43]
      R4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys [2005-03-30 09:40]
      S3 MadgeTRN;NDIS5-stuurprogramma voor Madge Token-Ring Adapter;C:\WINDOWS\system32\DRIVERS\mdgndis5.sys [2001-09-06 19:48]
      S3 RapDrv;RapDrv;C:\WINDOWS\system32\drivers\RapDrv.sys [2003-10-24 15:57]
      S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 18:26]
      S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 18:26]

      .
      Inhoud van de 'Gedeelde Taken' map
      "2008-01-19 17:58:25 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1192812519.job"
      - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
      .
      **************************************************************************

      catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-02-01 21:02:16
      Windows 5.1.2600 Service Pack 2 NTFS

      scannen van verborgen processen ...

      scannen van verborgen autostart items ...

      scannen van verborgen bestanden ...

      Scan succesvol afgerond
      verborgen bestanden: 0

      **************************************************************************
      .
      --------------------- DLLs Geladen Onder Lopende Processen ---------------------

      PROCESS: C:\WINDOWS\system32\winlogon.exe
      -> C:\WINDOWS\system32\wingmo32.dll
      .
      Voltooingstijd: 2008-02-01 21:04:46

      En hier het nieuwe Hijack log:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 21:06:58, on 1-2-2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\Program Files\Network ICE\BlackICE\blackd.exe
      C:\Program Files\Symantec AntiVirus\DefWatch.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Symantec AntiVirus\Rtvscan.exe
      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      C:\PROGRA~1\SYMANT~1\VPTray.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Network ICE\BlackICE\blackice.exe
      C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
      C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
      C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
      C:\WINDOWS\system32\HPZipm12.exe
      C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\WINDOWS\explorer.exe
      C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      C:\Documents and Settings\Adri\Mijn documenten\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
      O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
      O4 - Global Startup: hp psc 1000 series.lnk = ?
      O4 - Global Startup: hpoddt01.exe.lnk = ?
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5218/mcfscan.cab
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
      O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
      O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\rapapp.exe
      O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
      O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

      --
      End of file - 5812 bytes

      Comment


      • #4
        Ga naar deze website: http://www.virustotal.com/en/indexf.html
        Laat volgend bestandje scannen: C:\WINDOWS\system32\drivers\xltvigfrxwbb.sys
        Post het resultaat van de scan.

        Deze bestanden mag je verwijderen:
        C:\WINDOWS\system32\drvjak.dll
        C:\WINDOWS\vpc32.INI
        C:\WINDOWS\system32\wingmo32.dll

        Comment


        • #5
          wingmo32.dll krijg ik handmatig neit verwijderd. Hij geeft aan dat de toegang geweigerd is. Overige bestanden zijn wel verwijderd.

          Hier het resultaat van de scan:

          Bestand xltvigfrxwbb.sys ontvangen op 2008.01.31 21:36:25 (CET)
          Huidig status: Laden ... In wachtrij Wachtende Aan het scannen Einde NIET GEVONDEN GESTOPT

          Resultaat: 0/31 (0%)

          Antivirus Versie Laatst geüpdatet Resultaat
          AhnLab-V3 2008.2.1.10 2008.01.31 -
          AntiVir 7.6.0.59 2008.01.31 -
          Authentium 4.93.8 2008.01.31 -
          Avast 4.7.1098.0 2008.01.31 -
          AVG 7.5.0.516 2008.01.31 -
          BitDefender 7.2 2008.01.31 -
          CAT-QuickHeal 9.00 2008.01.30 -
          ClamAV 0.92 2008.01.31 -
          DrWeb 4.44.0.09170 2008.01.31 -
          eSafe 7.0.15.0 2008.01.28 -
          eTrust-Vet 31.3.5500 2008.01.31 -
          Ewido 4.0 2008.01.31 -
          FileAdvisor 1 2008.01.31 -
          Fortinet 3.14.0.0 2008.01.31 -
          F-Prot 4.4.2.54 2008.01.30 -
          F-Secure 6.70.13260.0 2008.01.31 -
          Ikarus T3.1.1.20 2008.01.31 -
          Kaspersky 7.0.0.125 2008.01.31 -
          McAfee 5220 2008.01.31 -
          Microsoft 1.3109 2008.01.31 -
          NOD32v2 2840 2008.01.31 -
          Norman 5.80.02 2008.01.31 -
          Panda 9.0.0.4 2008.01.30 -
          Prevx1 V2 2008.01.31 -
          Rising 20.29.22.00 2008.01.30 -
          Sophos 4.25.0 2008.01.31 -
          Sunbelt 2.2.907.0 2008.01.31 -
          TheHacker 6.2.9.203 2008.01.30 -
          VBA32 3.12.2.6 2008.01.31 -
          VirusBuster 4.3.26:9 2008.01.31 -
          Webwasher-Gateway 6.6.2 2008.01.31 -
          Extra informatie
          File size: 8576 bytes
          MD5: d7dbfbc453b645111e6d21142305e80b
          SHA1: e134b78030cfca8dbfd0af144193fc445db86572
          PEiD: -

          Comment


          • #6
            Zijn er nog problemen momenteel?

            Comment


            • #7
              De meldingen en popups over de spyware zijn verdwenen. Verder zie ik ook geen vreemde processen en alles draait weer zoals het was. Bedankt voor je hulp!

              Sander

              Comment


              • #8
                Doe dit nog even Sander:

                Voer een onlinescan uit met de ESET Online Scanner.
                Vink aan: YES, I accept the Terms Of Use.
                Klik op de knop Start.
                Klik daarna op de knop Install.
                Klik op Start.

                De scanner zal nu initialiseren en updaten.
                Vink Remove found threats NIET aan, tenzij dit gevraagd wordt.
                Klik op de knop Scan.

                Wacht geduldig af tot de scan voltooid is, dit kan een tijdje duren.
                Wanneer de scan klaar is, klik je op de tab Details.
                Kopiëer en plak de inhoud van dit venster in je volgende post.
                (Je vindt dit ook terug als C:\Program Files\EsetOnlineScanner\log.txt)

                Comment

                Sorry, you are not authorized to view this page
                Working...
                X