Cpu 100% Csrss.exe?

  • Cpu 100% Csrss.exe?

    Hello,

    I have a problem with a PC: it stays at 100% CPU usage continuously.
    The program CSRSS.EXE is always at the top of the list of running programs that use the most (~45-70%).
    I had already searched the internet for solutions to this but still can't get rid of it.
    I searched the PC for the file, and it is in the right place, C:\Windows\System32, with the right file size, 6 KB.

    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:53:59, on 22-2-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\SYSTEM32\TASKMON.EXE
    C:\WINDOWS\SYSTEM32\cmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\tlntsvr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\SYSTEM32\TASKMON.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159103009224
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://fotoservice.dixons.nl/Dixons/UserControls/Part/Upload/ImageUploader4.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    --
    End of file - 4501 bytes

    Thanks in advance for the replies

  • #2
    Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\SYSTEM32\TASKMON.EXE

    Close all windows except HijackThis
    Click 'Fix checked' to remove the items.

    Download ComboFix to your Desktop.
    If you have used ComboFix before, please delete that version and download ComboFix again via the link above, because ComboFix is updated daily.

    NOTE: if, during or after downloading ComboFix or while running ComboFix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download ComboFix again. Some scanners see certain components ComboFix uses as suspicious and will block or delete them!
    • Double-click Combofix.exe
      Follow the instructions, accept the disclaimer by clicking Yes.
      While the fix is running, do NOT click in the window, as this will make your PC hang.

    When the fix is complete and after the restart, the log combofix.txt will open.
    Post this log in your next reply together with a new HijackThis log.



    • #3
      I have now done that; the problem still exists, CPU still at 100% with CSRSS.exe as the biggest "ab"user.
      I forgot to mention this in my opening post: while the PC starts up, an Explorer window always opens at this location: C:\Documents and Settings\Admin << Admin being the current user.

      By the way, here is the ComboFix log, and a new HijackThis log

      Combofix:
      ComboFix 08-02-25.2 - Admin 2008-02-25 13:59:06.1 - NTFSx86
      Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.461 [GMT 1:00]
      Gestart vanuit: C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\ODIFCXQV\ComboFix[1].exe
      * Nieuw herstelpunt werd aangemaakt

      WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
      .

      (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      F:\Autorun.inf

      .
      (((((((((((((((((((( Bestanden Gemaakt van 2008-01-25 to 2008-02-25 ))))))))))))))))))))))))))))))
      .

      2008-02-22 13:53 . 2008-02-22 13:53 <DIR> d-------- C:\Program Files\Trend Micro
      2008-02-21 15:06 . 2008-02-21 15:06 <DIR> d-------- C:\Documents and Settings\Groep A\Application Data\Uniblue
      2008-02-21 14:15 . 2006-09-23 22:54 <DIR> d--h----- C:\Documents and Settings\Admin\Sjablonen
      2008-02-21 14:15 . 2008-02-21 14:15 <DIR> dr-h----- C:\Documents and Settings\Admin\Onlangs geopend
      2008-02-21 14:15 . 2006-09-24 00:41 <DIR> d--h----- C:\Documents and Settings\Admin\Netwerkprinteromgeving
      2008-02-21 14:15 . 2008-02-22 13:58 <DIR> dr------- C:\Documents and Settings\Admin\Mijn documenten
      2008-02-21 14:15 . 2006-09-24 00:41 <DIR> dr------- C:\Documents and Settings\Admin\Menu Start
      2008-02-21 14:15 . 2008-02-25 13:56 <DIR> dr------- C:\Documents and Settings\Admin\Favorieten
      2008-02-21 14:15 . 2008-02-22 13:53 <DIR> d-------- C:\Documents and Settings\Admin\Bureaublad
      2008-02-15 10:01 . 2008-02-15 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Awem
      2008-02-15 10:00 . 2008-02-15 10:00 <DIR> d-------- C:\Program Files\ReflexiveArcade
      2008-02-01 19:20 . 2008-02-01 19:20 131,726 -rahs---- C:\WINDOWS\system32\TASKMON.EXE
      2008-02-01 08:01 . 2008-02-01 08:01 <DIR> d-------- C:\Program Files\Windows Media Connect 2
      2008-02-01 07:59 . 2008-02-01 07:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
      2008-02-01 07:59 . 2008-02-01 08:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

      .
      ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-02-07 12:18 --------- d-----w C:\Program Files\Common Files\Adobe
      2008-01-19 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\TERMINAL Studio
      2008-01-10 20:30 --------- d-----w C:\Documents and Settings\Marcel\Application Data\dvdcss
      2008-01-10 20:18 --------- d-----w C:\Documents and Settings\Marcel\Application Data\vlc
      2008-01-10 19:43 --------- d-----w C:\Documents and Settings\Groep A\Application Data\dvdcss
      2008-01-10 19:42 --------- d-----w C:\Documents and Settings\Groep A\Application Data\vlc
      2008-01-10 19:41 --------- d-----w C:\Program Files\VideoLAN
      2008-01-10 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
      2008-01-10 18:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
      2007-12-07 01:08 662,528 ----a-w C:\WINDOWS\system32\wininet.dll
      2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
      .

      ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      REGEDIT4
      *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03 15360]
      "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
      "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 07:59 126976]
      "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 06:00 90182]
      "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 11:00 139347]
      "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
      "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
      "taskmon"="C:\WINDOWS\SYSTEM32\TASKMON.EXE" [2008-02-01 19:20 131726]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03 15360]

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "C:\\Program Files\\Messenger\\msmsgs.exe"=
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
      "C:\\Program Files\\MSN Messenger\\livecall.exe"=
      "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=


      .
      **************************************************************************

      catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-02-25 14:01:12
      Windows 5.1.2600 Service Pack 2 NTFS

      scannen van verborgen processen ...

      scannen van verborgen autostart items ...

      scannen van verborgen bestanden ...

      Scan succesvol afgerond
      verborgen bestanden: 0

      **************************************************************************
      .
      Voltooingstijd: 2008-02-25 14:02:12
      ComboFix-quarantined-files.txt 2008-02-25 13:01:55
      .
      2008-02-13 12:00:46 --- E O F ---


      Hijackthis:
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 14:06:54, on 25-2-2008
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Sygate\SPF\smc.exe
      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\igfxtray.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
      C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
      C:\WINDOWS\SYSTEM32\TASKMON.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\MSN Messenger\msnmsgr.exe
      C:\WINDOWS\SYSTEM32\cmd.exe
      C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
      C:\Program Files\Network Associates\VirusScan\Mcshield.exe
      C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\WINDOWS\system32\tlntsvr.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\WINDOWS\system32\find.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
      O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
      O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
      O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
      O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\SYSTEM32\TASKMON.EXE
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
      O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159103009224
      O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://fotoservice.dixons.nl/Dixons/UserControls/Part/Upload/ImageUploader4.cab
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
      O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
      O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
      O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

      --
      End of file - 4571 bytes



      • #4
        Did you select the O4 taskmon line in HijackThis, as asked in post #2?



        • #5
          I did; good that you mention it, I hadn't noticed that, but I selected both lines and had them fixed.



          • #6
            Install ComboFix on your desktop, as described in post #2.

            Open Notepad, copy and paste the following (bold, blue text) into an empty window:

            • File::
              C:\WINDOWS\SYSTEM32\TASKMON.EXE"

              Registry::
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              taskmon"=-


            Save this on your Desktop as CFScript.txt.

            Drag CFScript.txt onto ComboFix.exe as shown in the example below:



            This will make ComboFix restart.

            After your computer restarts (if it asks to restart), copy and paste the contents of Combofix.txt in your next reply together with a new HijackThis log.



            • #7
              Done. Here are both new logs.
              The high CPU load problem is now gone, and the problem of the Explorer window that appears at startup is gone as well.
              Thanks for the help.


              Combofix:
              ComboFix 08-02-25.3 - Admin 2008-02-25 17:17:01.2 - NTFSx86
              Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.474 [GMT 1:00]
              Gestart vanuit: C:\Documents and Settings\Admin\Bureaublad\ComboFix.exe
              Command switches used :: C:\Documents and Settings\Admin\Bureaublad\CFScript.txt
              * Nieuw herstelpunt werd aangemaakt

              WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

              FILE ::
              C:\WINDOWS\SYSTEM32\TASKMON.EXE"
              .

              (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              C:\WINDOWS\SYSTEM32\TASKMON.EXE
              F:\Autorun.inf

              .
              (((((((((((((((((((( Bestanden Gemaakt van 2008-01-25 to 2008-02-25 ))))))))))))))))))))))))))))))
              .

              2008-02-22 13:53 . 2008-02-22 13:53 <DIR> d-------- C:\Program Files\Trend Micro
              2008-02-21 15:06 . 2008-02-21 15:06 <DIR> d-------- C:\Documents and Settings\Groep A\Application Data\Uniblue
              2008-02-21 14:15 . 2006-09-23 22:54 <DIR> d--h----- C:\Documents and Settings\Admin\Sjablonen
              2008-02-21 14:15 . 2008-02-25 17:15 <DIR> dr-h----- C:\Documents and Settings\Admin\Onlangs geopend
              2008-02-21 14:15 . 2006-09-24 00:41 <DIR> d--h----- C:\Documents and Settings\Admin\Netwerkprinteromgeving
              2008-02-21 14:15 . 2008-02-22 13:58 <DIR> dr------- C:\Documents and Settings\Admin\Mijn documenten
              2008-02-21 14:15 . 2006-09-24 00:41 <DIR> dr------- C:\Documents and Settings\Admin\Menu Start
              2008-02-21 14:15 . 2008-02-25 13:56 <DIR> dr------- C:\Documents and Settings\Admin\Favorieten
              2008-02-21 14:15 . 2008-02-25 17:16 <DIR> d-------- C:\Documents and Settings\Admin\Bureaublad
              2008-02-15 10:01 . 2008-02-15 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Awem
              2008-02-15 10:00 . 2008-02-15 10:00 <DIR> d-------- C:\Program Files\ReflexiveArcade
              2008-02-01 08:01 . 2008-02-01 08:01 <DIR> d-------- C:\Program Files\Windows Media Connect 2
              2008-02-01 07:59 . 2008-02-01 07:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
              2008-02-01 07:59 . 2008-02-01 08:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

              .
              ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2008-02-07 12:18 --------- d-----w C:\Program Files\Common Files\Adobe
              2008-01-19 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\TERMINAL Studio
              2008-01-10 20:30 --------- d-----w C:\Documents and Settings\Marcel\Application Data\dvdcss
              2008-01-10 20:18 --------- d-----w C:\Documents and Settings\Marcel\Application Data\vlc
              2008-01-10 19:43 --------- d-----w C:\Documents and Settings\Groep A\Application Data\dvdcss
              2008-01-10 19:42 --------- d-----w C:\Documents and Settings\Groep A\Application Data\vlc
              2008-01-10 19:41 --------- d-----w C:\Program Files\VideoLAN
              2008-01-10 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
              2008-01-10 18:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
              2007-12-07 01:08 662,528 ----a-w C:\WINDOWS\system32\wininet.dll
              2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
              .

              ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              REGEDIT4
              *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03 15360]
              "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
              "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 07:59 126976]
              "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-03-06 06:00 90182]
              "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-02-25 11:00 139347]
              "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 18:40 2577632]
              "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
              "taskmon"="C:\WINDOWS\SYSTEM32\TASKMON.EXE" [ ]

              [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
              "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03 15360]

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "C:\\Program Files\\Messenger\\msmsgs.exe"=
              "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
              "C:\\Program Files\\MSN Messenger\\livecall.exe"=
              "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=


              .
              **************************************************************************

              catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2008-02-25 17:19:01
              Windows 5.1.2600 Service Pack 2 NTFS

              scannen van verborgen processen ...

              scannen van verborgen autostart items ...

              scannen van verborgen bestanden ...

              Scan succesvol afgerond
              verborgen bestanden: 0

              **************************************************************************
              .
              Voltooingstijd: 2008-02-25 17:20:08
              ComboFix-quarantined-files.txt 2008-02-25 16:19:42
              ComboFix2.txt 2008-02-25 13:02:13
              .
              2008-02-13 12:00:46 --- E O F ---

              Hijackthis:
              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 17:20:31, on 25-2-2008
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Sygate\SPF\smc.exe
              C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
              C:\Program Files\Network Associates\VirusScan\Mcshield.exe
              C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\wscntfy.exe
              C:\WINDOWS\system32\igfxtray.exe
              C:\WINDOWS\system32\hkcmd.exe
              C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
              C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\MSN Messenger\msnmsgr.exe
              C:\WINDOWS\system32\tlntsvr.exe
              C:\WINDOWS\system32\notepad.exe
              C:\WINDOWS\explorer.exe
              C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
              O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
              O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
              O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
              O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
              O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
              O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
              O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
              O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
              O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\SYSTEM32\TASKMON.EXE
              O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
              O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
              O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
              O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
              O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
              O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159103009224
              O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://fotoservice.dixons.nl/Dixons/UserControls/Part/Upload/ImageUploader4.cab
              O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
              O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
              O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
              O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

              --
              End of file - 4479 bytes

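Added example (not from this thread and not code from HijackThis or ComboFix): a small Python triage script run over constructed lines copied in shape from the logs in posts #3 and #7. It flags the Run entry that points at a freshly created hidden+system file in system32 (TASKMON.EXE in post #3) and the Run value that ComboFix prints with an empty "[ ]" descriptor once the file is gone (post #7, the leftover that post #8 then has fixed); the regexes and sample lines are assumptions about the two log formats.

```python
"""Triage of HijackThis O4 entries against ComboFix sections (added example).

Log formats, regexes and sample lines are assumptions modelled on the logs
posted in this thread, not code from HijackThis or ComboFix.
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample lines, copied in shape from the thread's logs.
COMBOFIX_CREATED = r"""
2008-02-22 13:53 . 2008-02-22 13:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 14:15 . 2006-09-23 22:54 <DIR> d--h----- C:\Documents and Settings\Admin\Sjablonen
2008-02-01 19:20 . 2008-02-01 19:20 131,726 -rahs---- C:\WINDOWS\system32\TASKMON.EXE
"""

COMBOFIX_REG = r"""
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
"taskmon"="C:\WINDOWS\SYSTEM32\TASKMON.EXE" [ ]
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\SYSTEM32\TASKMON.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
HJT_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# ComboFix "files created" line: <created> . <modified> <size or <DIR>> <attrs> <path>
CF_CREATED = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# ComboFix registry dump line: "name"="path" [timestamp size], or [ ] when the file is missing
CF_REG = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<meta>[^\]]*)\]$')
# Executable at the start of a command line, quoted or not, before any arguments
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|bat|cmd))"?', re.IGNORECASE)


def exe_from_command(cmd: str) -> Optional[str]:
    """Lower-cased executable path from an autorun command line, dropping quotes,
    arguments and HijackThis' trailing "(User '...')" note."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path").lower() if m else None


def hidden_system_files(created_section: str) -> Dict[str, str]:
    """Map lower-cased path -> attribute string for non-directory entries that carry
    both the hidden (h) and system (s) attributes. Ordinary programs almost never
    mark their own executable in %SystemRoot% that way; TASKMON.EXE here does."""
    found: Dict[str, str] = {}
    for line in created_section.splitlines():
        m = CF_CREATED.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        attrs = m.group("attrs")
        if "h" in attrs and "s" in attrs:
            found[m.group("path").lower()] = attrs
    return found


def autorun_entries(hjt_log: str) -> Iterator[Tuple[str, str, Optional[str]]]:
    """Yield (hive, value name, executable path) for every HijackThis O4 Run entry."""
    for line in hjt_log.splitlines():
        m = HJT_O4.match(line.strip())
        if m:
            yield m.group("hive"), m.group("name"), exe_from_command(m.group("cmd"))


def orphaned_run_values(reg_section: str) -> List[Tuple[str, str]]:
    """Run values ComboFix printed with an empty '[ ]' descriptor: the value still
    exists but its target file does not (post #7, after the file was deleted but
    the mis-quoted Registry:: line left the value behind)."""
    orphans = []
    for line in reg_section.splitlines():
        m = CF_REG.match(line.strip())
        if m and not m.group("meta").strip():
            orphans.append((m.group("name"), m.group("path").lower()))
    return orphans


def triage(hjt_log: str, created_section: str, reg_section: str) -> List[Tuple[str, str]]:
    """Return (value name, reason) findings. Note that csrss.exe topping Task Manager
    is a symptom, not the culprit: on XP csrss.exe services console windows, so a
    busy console process (cmd.exe appears in the thread's process list) is billed
    to it, while the persistence lives in an autorun entry like the one flagged here."""
    flagged = hidden_system_files(created_section)
    findings = []
    for hive, name, exe in autorun_entries(hjt_log):
        if exe in flagged:
            findings.append((name, f"{hive} Run entry points at new file with attributes "
                                   f"{flagged[exe]}: {exe}"))
    for name, path in orphaned_run_values(reg_section):
        findings.append((name, f"Run value remains but its target file is gone: {path}"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(HJT_LOG, COMBOFIX_CREATED, COMBOFIX_REG):
        print(f"[{name}] {reason}")
```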


              • #8
                Good that your CPU is quiet again. It must have been a backdoor virus after all.

                Would you scan the following file (which is now in quarantine) at Jotti
                C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\TASKMON.EXE
                Post the result.

                I forgot a double quote to also remove taskmon from the registry.

                Start HijackThis and choose 'Do a system scan only'
                Select only the items listed below:

                O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\SYSTEM32\TASKMON.EXE

                Click 'Fix checked' to remove the items.

                Post another HijackThis log as a check.



                • #9
                  It took a while before I could get to work on this PC again, but it is done now.

                  Jotti:
                  Scan taken on 01 Mar 2008 13:56:56 (GMT)
                  A-Squared Found Trojan-Dropper.Win32.QuickBatch.l
                  AntiVir Found TR/Dldr.131838
                  ArcaVir Found nothing
                  Avast Found nothing
                  AVG Antivirus Found nothing
                  BitDefender Found nothing
                  ClamAV Found Trojan.Downloader-20128
                  CPsecure Found Troj.Downloader.W32.Dadobra.wx
                  Dr.Web Found nothing
                  F-Prot Antivirus Found nothing
                  F-Secure Anti-Virus Found nothing
                  Fortinet Found nothing
                  Ikarus Found nothing
                  Kaspersky Anti-Virus Found nothing
                  NOD32 Found nothing
                  Norman Virus Control Found nothing
                  Panda Antivirus Found nothing
                  Rising Antivirus Found nothing
                  Sophos Antivirus Found nothing
                  VirusBuster Found nothing
                  VBA32 Found Trojan-Downloader.Win32.Dadobra.sd

                  Hijackthis:
                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 15:08:40, on 1-3-2008
                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v7.00 (7.00.6000.16608)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Sygate\SPF\smc.exe
                  C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
                  C:\Program Files\Network Associates\VirusScan\Mcshield.exe
                  C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\system32\igfxtray.exe
                  C:\WINDOWS\system32\hkcmd.exe
                  C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
                  C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
                  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\WINDOWS\system32\wuauclt.exe
                  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yugop.com/ver3/stuff/29/bclock.html
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                  O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                  O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
                  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
                  O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
                  O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
                  O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
                  O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
                  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                  O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                  O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
                  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
                  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
                  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
                  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
                  O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                  O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159103009224
                  O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://fotoservice.dixons.nl/Dixons/UserControls/Part/Upload/ImageUploader4.cab
                  O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                  O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
                  O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
                  O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
                  O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

                  --
                  End of file - 5516 bytes

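Added example (not part of this thread, and not code from HijackThis, Jotti or ComboFix): a small Python script that turns the two artefacts posted above into something you can check mechanically. It tallies the per-engine Jotti verdicts and diffs the O4 autorun entries between a log taken before and after the fix, so the "post another log for verification" step in #8 becomes a comparison rather than a read-through. The sample lines are trimmed from the logs in this thread; the regular expressions and function names are my own.

```python
import re

# Constructed sample input: an excerpt of the Jotti result block posted in this
# thread (a header line, then one "<engine> Found <verdict>" line per scanner).
JOTTI_RESULT = """
Scan taken on 01 Mar 2008 13:56:56 (GMT)
A-Squared Found Trojan-Dropper.Win32.QuickBatch.l
AntiVir Found TR/Dldr.131838
ArcaVir Found nothing
Avast Found nothing
ClamAV Found Trojan.Downloader-20128
CPsecure Found Troj.Downloader.W32.Dadobra.wx
Kaspersky Anti-Virus Found nothing
VBA32 Found Trojan-Downloader.Win32.Dadobra.sd
"""

# Constructed sample input: O4 (autorun) lines trimmed from the thread's logs,
# "before" with the taskmon entry still present, "after" from the clean log.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\SYSTEM32\TASKMON.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
HJT_AFTER = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# "<engine> Found <verdict>"; the engine name itself may contain spaces.
JOTTI_RE = re.compile(r"^(?P<engine>.+?) Found (?P<verdict>.+)$")
# "O4 - <hive>\..\Run: [<name>] <command>"; hive may be HKLM, HKCU or HKUS\<SID>.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_jotti(text):
    """Return {engine: verdict or None} from a Jotti result block."""
    verdicts = {}
    for line in text.strip().splitlines():
        m = JOTTI_RE.match(line.strip())
        if not m:
            continue  # header/footer lines such as "Scan taken on ..." carry no verdict
        verdict = m["verdict"].strip()
        verdicts[m["engine"]] = None if verdict.lower() == "nothing" else verdict
    return verdicts


def jotti_summary(text):
    """Count how many engines flagged the file and collect the labels they gave."""
    verdicts = parse_jotti(text)
    labels = sorted(v for v in verdicts.values() if v)
    return {"engines": len(verdicts), "detections": len(labels), "labels": labels}


def parse_o4(log_text):
    """Map (hive, autorun name in lower case) -> command for every O4 line."""
    entries = {}
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["name"].lower())] = m["cmd"]
    return entries


def diff_o4(before, after):
    """Return (removed, added) sets of (hive, name) keys between two logs."""
    b, a = parse_o4(before), parse_o4(after)
    return set(b) - set(a), set(a) - set(b)


if __name__ == "__main__":
    s = jotti_summary(JOTTI_RESULT)
    print(f"{s['detections']} of {s['engines']} engines flagged the file:")
    for label in s["labels"]:
        print("  ", label)
    removed, added = diff_o4(HJT_BEFORE, HJT_AFTER)
    print("autoruns removed:", sorted(removed))
    print("autoruns added:  ", sorted(added))
```

Mixed verdicts like the ones in #9 (5 of 21 engines) are normal for a fresh downloader, so the count matters less than the context: an executable with a system-sounding name sat in System32 and was started from HKLM\Run, and the O4 diff is what confirms that entry is gone after the fix. Keys are compared case-insensitively because HijackThis prints the name as it appears in the registry.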


                  • #10
                    It is indeed a Trojan. The new HijackThis log is clean.

                    Remove ComboFix via Start > Run, copy and paste Combofix /U, then click OK or press Enter.
                    This removes both ComboFix and your old system restore points (together with any remnants of malware), and creates a new system restore point.

                    Read here how to prevent new infections!

                    I will mark this topic as solved.
