Virus ?

  • Virus ?

    Hi all,

    A friend of mine called me with a problem: his screen is showing all kinds of strange stripes and blocks. This has been going on for a day. AVG Anti-Malware has put a number of things in quarantine. Apart from that, the PC will only boot in safe mode; in normal mode the screen goes black.
    The Avast cleaner I ran found nothing.

    Via http://hijackthis.de/index.php?langselect=english#anl I had already checked the log, and they find nothing strange in it.
    The attachment (xls) lists the virus names and locations of what AVG detected; searching the internet has not made me any wiser.
    Thanks in advance for the help.

    Logfile:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:56:08, on 11-4-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\CrossLoop\CrossLoopConnect.exe
    C:\Program Files\CrossLoop\winvnc.exe
    C:\Documents and Settings\xx\Bureaublad\aswclnr.exe
    C:\Documents and Settings\xx\Bureaublad\aswclnr.tmp
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINDOWS\system32\fccyywxY.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: (no name) - {B8078F11-B7D3-4033-90B3-6A59309AEA91} - C:\WINDOWS\system32\hgGxUMcY.dll (file missing)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.nl/s/v/29.55/uploader2.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203773670656
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203773731578
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
    O20 - Winlogon Notify: fccyywxY - fccyywxY.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 6345 bytes
    Attached files

  • #2
    Download this file: zoek.exe
    Double-click it; after a while a small log opens.
    Post the contents of this log in your next message.



    • #3
      ======C:\WINDOWS====
      ----a-w 0 2008-04-12 16:06:31 C:\WINDOWS\0.log
      ----a-w 1,157 2008-04-10 13:32:43 C:\WINDOWS\BM4f5f1685.txt
      ----a-w 99,986 2008-04-10 12:54:30 C:\WINDOWS\BM4f5f1685.xml
      --s-a-w 2,048 2008-04-12 16:05:48 C:\WINDOWS\bootstat.dat
      ----a-w 244,810 2008-04-10 13:10:47 C:\WINDOWS\comsetup.log
      ----a-w 27,553 2008-03-25 16:11:19 C:\WINDOWS\DirectX.log
      ----a-w 594 2008-03-27 18:36:18 C:\WINDOWS\EventSystem.log
      ----a-w 712,064 2008-04-10 13:10:47 C:\WINDOWS\FaxSetup.log
      ----a-w 111,443 2008-04-10 13:10:47 C:\WINDOWS\iis6.log
      ----a-w 1,374 2008-04-10 13:07:09 C:\WINDOWS\imsins.BAK
      ----a-w 1,374 2008-04-10 13:10:47 C:\WINDOWS\imsins.log
      ----a-w 21,098 2008-04-10 13:07:09 C:\WINDOWS\KB941693.log
      ----a-w 11,917 2008-04-10 13:04:42 C:\WINDOWS\KB945553.log
      ----a-w 22,637 2008-04-10 13:07:01 C:\WINDOWS\KB947864-IE7.log
      ----a-w 11,856 2008-04-10 13:04:59 C:\WINDOWS\KB948590.log
      ----a-w 16,736 2008-04-10 13:10:47 C:\WINDOWS\KB948881.log
      ----a-w 36,047 2008-04-10 13:10:47 C:\WINDOWS\msgsocm.log
      ----a-w 69 2008-04-09 21:54:06 C:\WINDOWS\NeroDigital.ini
      ----a-w 665,996 2008-04-12 16:07:18 C:\WINDOWS\ntbtlog.txt
      ----a-w 147,918 2008-04-10 13:10:47 C:\WINDOWS\ntdtcsetup.log
      ----a-w 352,890 2008-04-10 13:10:47 C:\WINDOWS\ocgen.log
      ----a-w 44,616 2008-04-10 13:10:47 C:\WINDOWS\ocmsn.log
      ----a-w 72 2008-04-07 14:34:25 C:\WINDOWS\OH4WIN.REG
      ----a-w 22 2008-04-10 13:32:14 C:\WINDOWS\pskt.ini
      ----a-w 32,570 2008-04-10 15:14:05 C:\WINDOWS\SchedLgU.Txt
      ----a-w 8,563 2008-04-10 21:02:51 C:\WINDOWS\setupapi.log
      ----a-w 1,587,830 2008-03-20 18:20:49 C:\WINDOWS\setupapi.log.0.old
      ----a-w 276,489 2008-04-10 13:10:47 C:\WINDOWS\tsoc.log
      ----a-w 85,559 2008-04-10 13:05:54 C:\WINDOWS\updspapi.log
      ----a-w 63 2008-04-10 13:10:25 C:\WINDOWS\vbaddin.ini
      ----a-w 159 2008-04-10 22:10:07 C:\WINDOWS\wiadebug.log
      ----a-w 49 2008-04-10 22:10:07 C:\WINDOWS\wiaservc.log
      ----a-w 1,074,946 2008-04-11 19:21:34 C:\WINDOWS\WindowsUpdate.log
      ----a-w 38,158 2008-04-09 22:16:43 C:\WINDOWS\wmsetup.log
      ----a-w 2,688 2008-04-09 22:11:29 C:\WINDOWS\wmsetup10.log

      Entries: 35 (34)
      Directories: 0 Files: 35
      Bytes: 5,641,351 Blocks: 11,039
      ======C:\WINDOWS\system32=====
      ----a-w 13 2008-04-10 14:29:11 C:\WINDOWS\System32\clkcnt.txt
      ----a-w 284,520 2008-04-10 13:24:11 C:\WINDOWS\System32\FNTCACHE.DAT
      ----a-w 19,836,024 2008-04-05 20:56:22 C:\WINDOWS\System32\MRT.exe
      ----a-w 285 2008-04-10 14:33:40 C:\WINDOWS\System32\MRT.INI
      ----a-w 3,648 2008-04-10 12:40:58 C:\WINDOWS\System32\oofsiqer.dll
      ----a-w 63,528 2008-03-30 09:25:07 C:\WINDOWS\System32\perfc009.dat
      ----a-w 83,226 2008-03-30 09:25:07 C:\WINDOWS\System32\perfc013.dat
      ----a-w 406,328 2008-03-30 09:25:07 C:\WINDOWS\System32\perfh009.dat
      ----a-w 471,832 2008-03-30 09:25:07 C:\WINDOWS\System32\perfh013.dat
      ----a-w 1,037,314 2008-03-30 09:25:07 C:\WINDOWS\System32\PerfStringBackup.INI
      ----a-w 1,845,376 2008-03-20 08:10:47 C:\WINDOWS\System32\win32k.sys
      ----a-w 13,646 2008-04-08 21:26:59 C:\WINDOWS\System32\wpa.dbl
      --sha-w 191,788 2008-04-10 15:01:01 C:\WINDOWS\System32\YcMUxGgh.ini
      --sha-w 191,788 2008-04-10 14:58:12 C:\WINDOWS\System32\YcMUxGgh.ini2

      Entries: 14 (12)
      Directories: 0 Files: 14
      Bytes: 24,429,316 Blocks: 47,722
      ======C:\WINDOWS\system32\drivers=====
      Entries: 0 (0)
      Directories: 0 Files: 0
      Bytes: 0 Blocks: 0
      =======C:\Program Files=====
      Entries: 0 (0)
      Directories: 0 Files: 0
      Bytes: 0 Blocks: 0
      =======C:=====
      ----a-w 488 2008-04-10 20:17:18 C:\hpfr5550.xml
      --sha-w 1,610,612,736 2008-04-12 16:05:39 C:\pagefile.sys
      ----a-w 571,648 2008-04-09 21:48:41 C:\winlogon.exe

      Entries: 3 (2)
      Directories: 0 Files: 3
      Bytes: 1,611,184,872 Blocks: 3,146,846
      ======C:\Documents and Settings\xx\Application Data======
      Entries: 0 (0)
      Directories: 0 Files: 0
      Bytes: 0 Blocks: 0
      ======C:\Temp======
      Entries: 0 (0)
      Directories: 0 Files: 0
      Bytes: 0 Blocks: 0
      ======C:\Documents and Settings\xx======
      ----a-w 166 2008-04-09 21:54:10 C:\Documents and Settings\xx\default.pls
      ---ha-w 5,242,880 2008-04-11 19:21:34 C:\Documents and Settings\xx\NTUSER.DAT
      ---ha-w 323,584 2008-04-12 16:08:50 C:\Documents and Settings\xx\ntuser.dat.LOG
      --sh--w 188 2008-04-11 19:21:34 C:\Documents and Settings\xx\ntuser.ini

      Entries: 4 (1)
      Directories: 0 Files: 4
      Bytes: 5,566,818 Blocks: 10,874
      ======C:\WINDOWS\Downloaded Program Files====
      Entries: 0 (0)
      Directories: 0 Files: 0
      Bytes: 0 Blocks: 0
      =============



      • #4
        Open a Notepad file.
        Copy the text below (everything in bold) into this Notepad file.

        @ECHO OFF
        REM Start a fresh log, then try to remove each file named in the list below.
        IF EXIST log.txt DEL log.txt
        ECHO Deleting files>>log.txt
        FOR %%g in (
        C:\WINDOWS\BM4f5f1685.txt
        C:\WINDOWS\BM4f5f1685.xml
        C:\WINDOWS\pskt.ini
        C:\WINDOWS\System32\clkcnt.txt
        C:\WINDOWS\System32\oofsiqer.dll
        C:\WINDOWS\System32\YcMUxGgh.ini
        C:\WINDOWS\System32\YcMUxGgh.ini2
        C:\hpfr5550.xml
        C:\winlogon.exe) DO (
        REM Remove a renamed copy left over from an earlier run, if any.
        DEL /Q %%gNUCIA
        IF EXIST %%g (
        REM Strip the read-only, system and hidden attributes so DEL can remove the file.
        ATTRIB -r -s -h %%g
        DEL %%g
        REM If the file survived the delete, rename it so it can no longer be loaded.
        REN %%g *NUCIA
        IF EXIST %%gNUCIA (
        ECHO renamed to %%gNUCIA>>log.txt)
        IF EXIST %%g (
        ECHO %%g not deleted>>log.txt
        ) ELSE (
        ECHO %%g deleted>>log.txt)
        ) ELSE (
        ECHO %%g not found>>log.txt))
        REM Show the result so it can be posted in the thread.
        START NOTEPAD.EXE log.txt

        Go to File - Save As.
        Under "Save in" choose: Desktop
        Under "File name" enter: del.bat
        Under "Save as type" select: All Files (*.*).
        Click the Save button.

        Double-click del.bat and post the contents of the log file that opens.



        • #5
          OK, the log:

          Deleting files
          C:\WINDOWS\BM4f5f1685.txt deleted
          C:\WINDOWS\BM4f5f1685.xml deleted
          C:\WINDOWS\pskt.ini deleted
          C:\WINDOWS\System32\clkcnt.txt deleted
          C:\WINDOWS\System32\oofsiqer.dll deleted
          C:\WINDOWS\System32\YcMUxGgh.ini deleted
          C:\WINDOWS\System32\YcMUxGgh.ini2 deleted
          C:\hpfr5550.xml deleted
          C:\winlogon.exe deleted



          • #6
            Now post a new HijackThis log and tell us whether there are still any problems.



            • #7
              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 17:16:45, on 14-4-2008
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v7.00 (7.00.6000.16640)
              Boot mode: Safe mode with network support

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
              C:\WINDOWS\Explorer.EXE
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\Program Files\CrossLoop\CrossLoopConnect.exe
              C:\Program Files\CrossLoop\winvnc.exe
              C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
              O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
              O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
              O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINDOWS\system32\fccyywxY.dll (file missing)
              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
              O2 - BHO: (no name) - {B8078F11-B7D3-4033-90B3-6A59309AEA91} - C:\WINDOWS\system32\hgGxUMcY.dll (file missing)
              O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
              O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
              O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
              O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
              O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
              O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
              O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
              O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
              O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
              O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
              O4 - Global Startup: hpoddt01.exe.lnk = ?
              O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
              O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
              O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
              O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.nl/s/v/29.55/uploader2.cab
              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203773670656
              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203773731578
              O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
              O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
              O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
              O20 - Winlogon Notify: fccyywxY - fccyywxY.dll (file missing)
              O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
              O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
              O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
              O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
              O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
              O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
              O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
              O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
              O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

              --
              End of file - 6215 bytes



              • #8
                Start HijackThis and tick only the following lines:
                O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINDOWS\system32\fccyywxY.dll (file missing)
                O2 - BHO: (no name) - {B8078F11-B7D3-4033-90B3-6A59309AEA91} - C:\WINDOWS\system32\hgGxUMcY.dll (file missing)
                O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
                O20 - Winlogon Notify: fccyywxY - fccyywxY.dll (file missing)

                Close all open windows (except HijackThis) and click "Fix checked".

                Download ATF Cleaner (mirror) (made by Atribune)

                Important: close all your browser windows (IE and/or Firefox and/or Opera) so the tool can do its work properly.

                Double-click ATF Cleaner to start the program.
                On the "Main" tab, put a tick next to Select All.
                Click the Empty Selected button.

                Do the following if you also have Firefox as a browser:
                Click the "Firefox" tab and put a tick next to Select All.
                If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
                (this removes the tick next to "Firefox saved passwords" again)
                Click the Empty Selected button.

                Do the following if you also have Opera as a browser:
                Click the "Opera" tab and put a tick next to Select All.
                If you want to keep the passwords saved by Opera, click "No" in the window that appears.
                Click the Empty Selected button.
                Go to the "Main" tab and click the Exit button to close the program.

                Turn off System Restore. Restart the computer. Turn System Restore back on.
                See here for how to turn off System Restore.
                This removes any remnants of the infections from your System Restore.

                Post a new HijackThis log for checking and tell us whether there are still any problems.



                • #9
                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 21:36:55, on 14-4-2008
                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v7.00 (7.00.6000.16640)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                  C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                  C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
                  C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                  C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
                  C:\WINDOWS\system32\pctspk.exe
                  C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\SOUNDMAN.EXE
                  C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
                  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\Windows Sidebar\sidebar.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
                  C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
                  C:\Program Files\Windows Sidebar\sidebar.exe
                  C:\WINDOWS\system32\HPZipm12.exe
                  C:\WINDOWS\system32\wuauclt.exe
                  C:\Program Files\CrossLoop\CrossLoopConnect.exe
                  C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
                  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
                  O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
                  O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
                  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
                  O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
                  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                  O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
                  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
                  O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
                  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
                  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
                  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
                  O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
                  O4 - Global Startup: hpoddt01.exe.lnk = ?
                  O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
                  O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
                  O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
                  O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
                  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
                  O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.nl/s/v/29.55/uploader2.cab
                  O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203773670656
                  O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203773731578
                  O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
                  O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                  O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
                  O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                  O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
                  O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
                  O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
                  O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
                  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
                  O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

                  --
                  End of file - 6689 bytes

                  The display is fine again at the moment, thanks for the help.
                  But were the trojans really the cause of the strange display?



                  • #10
                    Originally posted by maniac2003
                    The display is fine again at the moment, thanks for the help.
                    But were the trojans really the cause of the strange display?
                    Apparently so; the system was completely disrupted by the infection. I assume the infection caused software conflicts.

                    The log looks good again now, by the way.

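The check the helper makes by eye in the two posts above, that the lines ticked in #8 are gone from the log in #9 and that nothing else stands out, can be done mechanically. The script below is an added example, not part of the thread, of HijackThis, or of any tool used here; the sample lines are copied from the O2, O20 and O23 sections of the logs in #7 and #9, and the eight-letter mixed-case name test is my own heuristic, not a HijackThis rule. It flags the three missing-file entries; the AVG Winlogon hook (avgwlntf.dll), which was also ticked, is present on disk and named, so it is not flagged.

```python
"""Flag HijackThis entries that merit a closer look and diff two logs.

Added example for this thread; it is not part of the thread, of HijackThis
or of any tool the helpers used. The sample lines are copied from the O2,
O20 and O23 sections of the logs posted in #7 (before the fix) and #9 (after).
"""
import re
from dataclasses import dataclass

# HijackThis prints one entry per line, "<section> - <kind>: <fields> - <path>",
# and appends "(file missing)" when the referenced file is not on disk.
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
MISSING = "(file missing)"
# Eight-letter mixed-case names such as fccyywxY.dll or hgGxUMcY.dll: the
# naming pattern of the leftovers in this thread. A weak signal on its own,
# hence only one of three reasons below (assumption, not a HijackThis rule).
EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}\.(?:dll|ini)$")


@dataclass(frozen=True)
class Entry:
    section: str        # "O2", "O20", "O23", ...
    kind: str           # "BHO", "Winlogon Notify", "Service", ...
    name: str           # first field: display name, or "(no name)"
    path: str           # last field: the file the entry points at
    file_missing: bool


def parse_line(line: str):
    """Return an Entry for an O-line; None for headers, R-lines and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    fields = [f.strip() for f in rest.split(" - ")]
    return Entry(m.group("section"), m.group("kind"), fields[0], fields[-1], missing)


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def looks_random(path: str) -> bool:
    stem = path.rsplit("\\", 1)[-1]
    if not EIGHT_LETTERS.match(stem):
        return False
    letters = stem[:8]
    return not (letters.islower() or letters.isupper())


def reasons(e: Entry):
    """Why a helper would tick this line; an empty list means nothing stands out."""
    out = []
    if e.file_missing:
        out.append("registered file is missing from disk")
    if e.section == "O2" and e.name == "(no name)":
        out.append("BHO without a display name")
    if looks_random(e.path):
        out.append("eight-letter mixed-case file name")
    return out


def flagged(text: str):
    return [(e, reasons(e)) for e in parse_log(text) if reasons(e)]


def removed_entries(before: str, after: str):
    """Entries present in the first log and absent from the second."""
    after_set = set(parse_log(after))
    return [e for e in parse_log(before) if e not in after_set]


# Copied from the thread's logs (#7 and #9); only the sections that changed.
BEFORE = r"""
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINDOWS\system32\fccyywxY.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {B8078F11-B7D3-4033-90B3-6A59309AEA91} - C:\WINDOWS\system32\hgGxUMcY.dll (file missing)
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: fccyywxY - fccyywxY.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""
AFTER = r"""
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

if __name__ == "__main__":
    for e, why in flagged(BEFORE):
        print(f"{e.section} {e.kind}: {e.path}  <- {'; '.join(why)}")
    print("gone after the fix:", [e.path for e in removed_entries(BEFORE, AFTER)])
```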


                    • #11
                      Thanks a lot, otherwise he would have been facing yet another reinstall.



                      • #12
                        You're welcome.



                        • #13
                          Just got an email: the problem has come back. Since the PC should now be rid of the active infections, I would think of a possible hardware problem. Nothing (new) has been downloaded that could contain infections.
                          Last edited by maniac2003; 15-04-08, 20:54.



                          • #14
                            Originally posted by maniac2003
                            Just got an email: the problem has come back. Since the PC should now be rid of the active infections, I would think of a possible hardware problem. Nothing (new) has been downloaded that could contain infections.
                            Seems the most logical explanation to me too.



                            • #15
                              We'll investigate and then we'll see what it is.
