
[SOLVED] taskbar closes + very slow


Recommended posts

Posted:

Oof … it has been a long time since I've seen a PC with such a pile of junk on it. That ComboFix has done a thorough job and already cleaned up quite a bit. But there is still some work to do. Please first run everything listed below and produce a few new logs along the way.

Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\system32\bpkwb.dll (file missing)

O2 - BHO: (no name) - {7ACED46D-F203-443D-BD06-1622E7FCF7D5} - C:\WINDOWS\system32\ctl3dv.dll

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe

Click 'Fix checked' to remove the items.

That keylogger is, after all, one of the causes of part of your problems, so you will have to clean it up anyway. If you can remove it via Add or Remove Programs, that's perfect. If not, delete the file below via Explorer:

C:\WINDOWS\system32\bpk.exe

Also remove Messenger Plus from this PC via Control Panel > Add or Remove Programs. It was installed with junk bundled in. Wait to reinstall it (without the spyware) until this PC is back in order; then you can download Messenger (without the extra advertising) again.

Download SmitfraudFix.zip. Extract it to your desktop.

Boot your PC into Safe Mode, open the SmitfraudFix folder and double-click Smitfraudfix.cmd.

Choose option 2 (Clean) to have all infected files removed. If you are asked to clean the registry, allow it.

It also checks whether the file wininet.dll is infected. If so, you will be asked to replace it. Type Y at the prompt and press Enter. Your PC may be rebooted into normal mode; if that does not happen, do it manually so that the tool can complete its task.

A text file with the results of the fix will open (c:\rapport.txt). Save it to your desktop.

Restart the computer in normal mode.

Run ComboFix on your PC again.

Now please post the following reports and logs in your next message:

- the SmitfraudFix report

- a new HijackThis log

- the new ComboFix log
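The helper above picks four lines out of a HijackThis log by eye: a BHO whose DLL is missing, a BHO without a name, a Run entry for a bundled installer and the keylogger's own Run entry. The following is an added example, not code from the thread or from HijackThis itself, of parsing the O2 (BHO), O4 (Run key) and O23 (service) line shapes seen in the logs posted here and flagging the entries that deserve a closer look. The line formats are assumed from the v2.0.2 logs quoted in the thread, and the sample log is constructed from lines that appear in it; the block list is simply the CLSIDs and paths the helper told the poster to fix.

```python
"""Parse HijackThis O2/O4/O23 lines and flag entries worth a closer look.

Added example for the thread: not HijackThis code and not the forum's own.
Line shapes are assumed from the v2.0.2 logs quoted in the thread.
"""
import re

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<service>[^()]+)\) - "
    r"(?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# First token ending in a program extension, so an unquoted path with spaces
# ("c:\Program Files\...\x.exe") survives and trailing arguments are dropped.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|dll|bat|cmd|com|scr))(?:[\s,]|$)", re.I)

# Constructed sample: lines taken from the logs posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\system32\bpkwb.dll (file missing)
O2 - BHO: (no name) - {7ACED46D-F203-443D-BD06-1622E7FCF7D5} - C:\WINDOWS\system32\ctl3dv.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\system32\bpk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
"""

# Block list: the items the helper in the thread told the poster to fix.
THREAD_CLSIDS = ("1E1B2879-88FF-11D3-8D96-D7ACAC95951A",
                 "7ACED46D-F203-443D-BD06-1622E7FCF7D5")
THREAD_PATHS = (r"C:\WINDOWS\system32\bpk.exe",
                r"C:\Program Files\MessengerPlus! 3\MsgPlus.exe")


def executable_of(command):
    """Program path of an O4 command: honour quotes, otherwise drop arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = EXE_RE.match(command)
    return m.group("exe") if m else command


def parse_line(line):
    """Dict for an O2/O4/O23 line; None for any other line type."""
    line = line.strip()
    for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O23", O23_RE)):
        m = rx.match(line)
        if not m:
            continue
        entry = {"type": kind, **m.groupdict()}
        if kind == "O4":
            entry["path"] = executable_of(entry["command"])
        else:
            entry["missing"] = entry["missing"] is not None
        return entry
    return None


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def flag_entries(entries, blocked_clsids=(), blocked_paths=()):
    """Return (entry, reasons) pairs for entries an analyst should examine."""
    clsids = {c.upper() for c in blocked_clsids}
    paths = {p.lower() for p in blocked_paths}
    flagged = []
    for e in entries:
        reasons = []
        if e.get("missing"):
            reasons.append("file missing: orphaned registration")
        if e["type"] == "O2" and e["name"] == "(no name)":
            reasons.append("BHO without a name: look it up")
        if e.get("clsid", "").upper() in clsids:
            reasons.append("CLSID on block list")
        if e["path"].lower() in paths:
            reasons.append("path on block list")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def triage_sample():
    """Run the constructed sample through the parser with the thread's block list."""
    return flag_entries(parse_log(SAMPLE_LOG), THREAD_CLSIDS, THREAD_PATHS)


if __name__ == "__main__":
    for entry, reasons in triage_sample():
        print(entry["type"], entry["path"], "->", "; ".join(reasons))
```

A nameless BHO is only a prompt to look the CLSID up, not a verdict: Spybot's SDHelper.dll is flagged by that rule too, and the helper in the thread correctly leaves it alone. The "file missing" rule is what catches the orphaned bpkwb.dll registration and the leftover Spyware Doctor services.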

Best replies in this topic

Posted:

O2 - BHO: (no name) - {7ACED46D-F203-443D-BD06-1622E7FCF7D5} - C:\WINDOWS\system32\ctl3dv.dll

I can't get this one removed, because every time I press FIX CHECKED I get this error: Hijack is about to remove a BHO and the corresponding file from your system. Close all Internet Explorer windows AND all windows explorer windows before........

Posted:

Just carry on with all the rest and then we'll see what (if anything) still doesn't work. Mention that in your next message along with the logs.

Posted:

Hijack

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:05:29, on 25-1-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Norton Internet Security\ISSVC.exe

c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVPersonal\AVWUPSRV.EXE

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ps2.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\ALCWZRD.EXE

C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O2 - BHO: (no name) - {7ACED46D-F203-443D-BD06-1622E7FCF7D5} - C:\WINDOWS\system32\ctl3dv.dll

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [urlLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [RAMDrive] "C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)

O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--

End of file - 5130 bytes

Combofix

ComboFix 08-01-23.1B - Compaq_Eigenaar 2008-01-25 12:27:38.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.710 [GMT 1:00]

Gestart vanuit: C:\Documents and Settings\Compaq_Eigenaar\Mijn documenten\PC leeg maken\ComboFix.exe

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\ctl3dv.dll . . . . konden niet verwijderd worden

.

(((((((((((((((((((( Bestanden Gemaakt van 2007-12-25 to 2008-01-25 ))))))))))))))))))))))))))))))

.

2008-01-25 12:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-01-25 12:06 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-01-25 12:06 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-01-25 12:06 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-01-25 12:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-01-25 12:06 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-01-25 12:06 . 2008-01-25 12:06 2,300 --a------ C:\WINDOWS\system32\tmp.reg

2008-01-24 23:40 . 2008-01-24 23:40 <DIR> d-------- C:\Program Files\CodeStuff

2008-01-24 23:18 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe

2008-01-24 21:05 . 2008-01-24 21:06 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2008-01-24 21:05 . 2008-01-24 21:05 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2008-01-24 19:35 . 2008-01-24 19:35 103,936 --a------ C:\WINDOWS\system32\drvnep.dll

2008-01-24 19:35 . 2008-01-24 19:35 3,584 --a------ C:\asswegsh.exe

2008-01-24 19:13 . 2008-01-24 19:36 <DIR> d-------- C:\RVAXO

2008-01-24 19:07 . 2008-01-24 19:12 626,383 --a------ C:\WINDOWS\system32\RVAXO.bat

2008-01-24 19:07 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe

2008-01-24 14:56 . 2008-01-24 14:56 <DIR> d-------- C:\Program Files\iPod

2008-01-24 14:46 . 2008-01-24 20:09 <DIR> d-------- C:\Program Files\Wyzo

2008-01-21 17:00 . 2008-01-24 23:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-01-21 17:00 . 2008-01-24 14:57 1,409 --a------ C:\WINDOWS\QTFont.for

2008-01-21 16:56 . 2008-01-21 16:56 <DIR> d-------- C:\Program Files\DAEMON Tools

2008-01-21 16:54 . 2008-01-21 16:54 <DIR> d-------- C:\Program Files\SymNetDrv

2008-01-21 16:49 . 2008-01-21 16:49 <DIR> d-------- C:\Compaq_Eigenaar

2008-01-18 13:37 . 2008-01-21 16:49 <DIR> d-------- C:\Program Files\Activision(3)

2008-01-16 23:37 . 2008-01-16 23:37 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll

2008-01-15 18:48 . 2008-01-16 18:03 <DIR> d-------- C:\WINDOWS\system32\nl-nl

2008-01-13 18:34 . 2008-01-13 18:34 <DIR> d-------- C:\Program Files\Trend Micro

2008-01-10 20:11 . 2008-01-21 16:53 <DIR> d-------- C:\Program Files\Activision

2008-01-10 14:27 . 2008-01-21 21:27 <DIR> d-------- C:\Program Files\Xfire

2007-12-27 22:46 . 2008-01-18 13:37 <DIR> d-------- C:\Program Files\ES - Eather Server Vista Client V2.0

2007-12-27 19:52 . 2001-09-06 19:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

2007-12-27 19:52 . 2001-09-06 19:04 12,288 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys

2007-12-27 19:51 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2007-12-27 19:51 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-24 21:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-01-24 20:06 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-01-24 17:59 --------- d-----w C:\Program Files\AVPersonal

2008-01-24 13:34 --------- d-----w C:\Program Files\Java

2008-01-23 15:49 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-01-23 15:49 --------- d-----w C:\Program Files\Full Tilt Poker

2008-01-21 15:54 --------- d-----w C:\Program Files\Symantec

2008-01-21 15:53 --------- d-----w C:\Program Files\Hitman Pro

2008-01-21 15:48 --------- d-----w C:\Program Files\KalOnlineEng

2008-01-10 18:42 74,240 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys

2008-01-10 18:42 56,832 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys

2007-12-28 09:49 --------- d-----w C:\Program Files\Guild Wars

2007-12-22 11:01 --------- d-----w C:\Program Files\iTunes

2007-12-22 10:59 --------- d-----w C:\Program Files\QuickTime

2007-12-22 10:57 --------- d-----w C:\Program Files\Apple Software Update

2007-12-06 19:06 19,456 ----a-w C:\WINDOWS\system32\drivers\kpihvhgk.dat

2007-11-28 16:26 --------- d-----w C:\Program Files\e-texaspoker client

2005-07-29 14:24 472 -csha-r C:\WINDOWS\TWFyayBOb3JicnVpcw\nqIVuV1ivaL2wBpDwT.vbs

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ACED46D-F203-443D-BD06-1622E7FCF7D5}]

2004-08-04 13:00 103680 --a------ C:\WINDOWS\system32\ctl3dv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 20:13 98304]

"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 01:29 33936]

"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-02-21 17:22 58984]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-13 12:51 100056]

"RAMDrive"="C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe" [ ]

"AlcWzrd"="ALCWZRD.EXE" [2005-02-18 21:32 2754560 C:\WINDOWS\ALCWZRD.EXE]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 22:54 253952]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-05-12 00:34 6729728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"= 0 (0x0)

"NoMovingBands"= 0 (0x0)

"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="LogonUI.EXE"

R0 xsqynnyk;xsqynnyk;C:\WINDOWS\system32\drivers\kpihvhgk.dat []

R2 AVWUpSrv;AntiVir Update;"C:\Program Files\AVPersonal\AVWUPSRV.EXE" [2005-10-13 16:32]

S3 hitmanpro2;Hitman Pro 2 Driver;C:\Program Files\Hitman Pro\hitmanpro2.sys [2006-11-03 12:02]

S3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 19:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71bc2f1c-8726-11dc-ade9-0013d42048e4}]

\Shell\AutoRun\command - O:\LaunchU3.exe -a

.

Inhoud van de 'Gedeelde Taken' map

"2007-12-22 10:57:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-01-18 14:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"

- C:\Program Files\Norton Security Scan\Nss.exe

"2005-01-02 00:12:46 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-25 12:35:04

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

Voltooingstijd: 2008-01-25 12:38:37 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-25 11:38:34

ComboFix2.txt 2008-01-24 22:39:21

.

2008-01-22 02:29:34 --- E O F ---

SmitFraud Fix

SmitFraudFix v2.274

Scan done at 12:06:37,92, vr 25-01-2008

Run from C:\Documents and Settings\Compaq_Eigenaar\Bureaublad\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4A38127F-D3C2-4DC9-8FCC-B645E11067CA}: DhcpNameServer=195.121.1.34 195.121.1.66

HKLM\SYSTEM\CS1\Services\Tcpip\..\{4A38127F-D3C2-4DC9-8FCC-B645E11067CA}: DhcpNameServer=195.121.1.34 195.121.1.66

HKLM\SYSTEM\CS3\Services\Tcpip\..\{4A38127F-D3C2-4DC9-8FCC-B645E11067CA}: DhcpNameServer=195.121.1.34 195.121.1.66

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=195.121.1.34 195.121.1.66

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=195.121.1.34 195.121.1.66

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=195.121.1.34 195.121.1.66

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Posted:

We're almost there (I hope).

Open Notepad, and copy and paste the following text into an empty window:

File::

C:\WINDOWS\system32\ctl3dv.dll

C:\WINDOWS\system32\RVAXO.bat

C:\WINDOWS\system32\drvnep.dll

C:\asswegsh.exe

C:\WINDOWS\system32\drivers\kpihvhgk.dat

Folder::

C:\RVAXO

Registry::

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ACED46D-F203-443D-BD06-1622E7FCF7D5}]

Save this to your desktop as CFScript.txt

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix restart.

Reboot if you are asked to.

There are still traces of two other poker programs in the logs:

C:\Program Files\Full Tilt Poker

C:\Program Files\e-texaspoker client

If you don't use these two, you may copy both folders and paste them into the Notepad file as well, under the “Folder::” section.

Download CCleaner.

Install it and start it. In the left column click “Options”. Select the ‘Advanced’ tab, untick “Only delete files in Windows Temp folders older than 48 hours” and then close the program.

Start CCleaner and click “Cleaner” in the left column. Click ‘Analyze’ and then ‘Run Cleaner’. Next click “Problems” in the left column and click ‘Scan for errors’. If errors are found, click ”Fix all errors” and ”OK”. Then close CCleaner.

Post the contents of ComboFix.txt in your next reply together with a new HijackThis log, and let me know how everything is working now.
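After a CFScript run the helper compares the script's File:: and Folder:: entries with the "Andere Verwijderingen" (Other Deletions) section of the new ComboFix.txt, and also has to notice when ComboFix reports a path it could not delete, as it did for ctl3dv.dll in the first run above. The following is an added example, not ComboFix code and not the forum's own, that does that reconciliation automatically. It assumes the script sections are `File::`, `Folder::` and `Registry::` with one entry per line, that ComboFix lists every deleted path on its own line under the deletions header, and that a failed deletion is suffixed with ". . . . konden niet verwijderd worden" as in the Dutch build used here; the script and the two log excerpts are constructed from the thread.

```python
"""Reconcile a ComboFix CFScript against the deletions section of ComboFix.txt.

Added example for the thread; not ComboFix code and not the forum's own.
Assumed formats are described in the module constants below.
"""
import re

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
DELETIONS_HEADER = "Andere Verwijderingen"      # "Other Deletions" (Dutch build)
FAILED_SEP = " . . . . "
FAILED_MARKER = "konden niet verwijderd worden"  # "could not be deleted"

# Constructed from the CFScript the helper posted in the thread.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\ctl3dv.dll
C:\WINDOWS\system32\RVAXO.bat
C:\WINDOWS\system32\drvnep.dll
C:\asswegsh.exe
C:\WINDOWS\system32\drivers\kpihvhgk.dat

Folder::
C:\RVAXO

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ACED46D-F203-443D-BD06-1622E7FCF7D5}]
"""

# Excerpt of the first ComboFix run in the thread: the BHO DLL survived.
LOG_BEFORE = r"""
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ctl3dv.dll . . . . konden niet verwijderd worden
.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-25 to 2008-01-25 ))))))))))))))))))))))))))))))
.
2008-01-25 12:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
"""

# Excerpt of the run driven by the CFScript: every target (and folder contents) went.
LOG_AFTER = r"""
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\asswegsh.exe
C:\RVAXO
C:\RVAXO\qmgr0.dat
C:\RVAXO\results.log
C:\WINDOWS\system32\ctl3dv.dll
C:\WINDOWS\system32\drivers\kpihvhgk.dat
C:\WINDOWS\system32\drvnep.dll
C:\WINDOWS\system32\RVAXO.bat
.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-25 to 2008-01-25 ))))))))))))))))))))))))))))))
.
2008-01-25 12:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
"""


def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Registry': [...]}."""
    sections = {"File": [], "Folder": [], "Registry": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_deletions(log):
    """Sets of lower-cased paths ComboFix removed and failed to remove."""
    removed, failed = set(), set()
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("(((("):            # every section header looks like this
            inside = DELETIONS_HEADER in line
        elif inside and line not in ("", "."):
            if FAILED_MARKER in line:
                failed.add(line.split(FAILED_SEP, 1)[0].strip().lower())
            else:
                removed.add(line.lower())
    return removed, failed


def reconcile(cfscript_text, log):
    """Status per File:: and Folder:: target: 'removed', 'failed' or 'unreported'."""
    targets = parse_cfscript(cfscript_text)
    removed, failed = parse_deletions(log)
    status = {}
    for path in targets["File"] + targets["Folder"]:
        key = path.lower()
        status[path] = "failed" if key in failed else "removed" if key in removed else "unreported"
    return status


def outstanding(cfscript_text, log):
    """Targets that still need attention after this run."""
    return sorted(p for p, s in reconcile(cfscript_text, log).items() if s != "removed")


if __name__ == "__main__":
    print("first run     :", outstanding(CFSCRIPT, LOG_BEFORE))
    print("after CFScript:", outstanding(CFSCRIPT, LOG_AFTER))
```

Registry:: entries are parsed but not reconciled, because the deletions section only lists files and folders; confirming the BHO key is gone is what the follow-up HijackThis log is for, and in this thread the `{7ACED46D-...}` O2 line is indeed absent from the final log.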

Posted:

ComboFix 08-01-23.1C - Compaq_Eigenaar 2008-01-25 18:35:48.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.693 [GMT 1:00]

Gestart vanuit: C:\Documents and Settings\Compaq_Eigenaar\Bureaublad\ComboFix.exe

Command switches used :: C:\Documents and Settings\Compaq_Eigenaar\Bureaublad\CFScript.txt

* Nieuw herstelpunt werd aangemaakt

FILE

C:\asswegsh.exe

C:\WINDOWS\system32\ctl3dv.dll

C:\WINDOWS\system32\drivers\kpihvhgk.dat

C:\WINDOWS\system32\drvnep.dll

C:\WINDOWS\system32\RVAXO.bat

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\asswegsh.exe

C:\Program Files\e-texaspoker client

C:\Program Files\e-texaspoker client\key.txt

C:\Program Files\Full Tilt Poker

C:\Program Files\Full Tilt Poker\Cache\42D4EB830001.dc

C:\Program Files\Full Tilt Poker\Markioso.dat

C:\RVAXO

C:\RVAXO\qmgr0.dat

C:\RVAXO\results.log

C:\WINDOWS\system32\ctl3dv.dll

C:\WINDOWS\system32\drivers\kpihvhgk.dat

C:\WINDOWS\system32\drvnep.dll

C:\WINDOWS\system32\RVAXO.bat

.

(((((((((((((((((((( Bestanden Gemaakt van 2007-12-25 to 2008-01-25 ))))))))))))))))))))))))))))))

.

2008-01-25 12:06 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-01-25 12:06 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-01-25 12:06 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-01-25 12:06 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-01-25 12:06 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-01-25 12:06 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-01-25 12:06 . 2008-01-25 12:06 2,300 --a------ C:\WINDOWS\system32\tmp.reg

2008-01-24 23:40 . 2008-01-24 23:40 <DIR> d-------- C:\Program Files\CodeStuff

2008-01-24 23:18 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe

2008-01-24 21:05 . 2008-01-25 14:11 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2008-01-24 21:05 . 2008-01-24 21:05 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2008-01-24 19:07 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe

2008-01-24 14:56 . 2008-01-24 14:56 <DIR> d-------- C:\Program Files\iPod

2008-01-24 14:46 . 2008-01-24 20:09 <DIR> d-------- C:\Program Files\Wyzo

2008-01-21 17:00 . 2008-01-24 23:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-01-21 17:00 . 2008-01-24 14:57 1,409 --a------ C:\WINDOWS\QTFont.for

2008-01-21 16:56 . 2008-01-21 16:56 <DIR> d-------- C:\Program Files\DAEMON Tools

2008-01-21 16:54 . 2008-01-21 16:54 <DIR> d-------- C:\Program Files\SymNetDrv

2008-01-21 16:49 . 2008-01-21 16:49 <DIR> d-------- C:\Compaq_Eigenaar

2008-01-18 13:37 . 2008-01-21 16:49 <DIR> d-------- C:\Program Files\Activision(3)

2008-01-16 23:37 . 2008-01-16 23:37 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll

2008-01-15 18:48 . 2008-01-16 18:03 <DIR> d-------- C:\WINDOWS\system32\nl-nl

2008-01-13 18:34 . 2008-01-13 18:34 <DIR> d-------- C:\Program Files\Trend Micro

2008-01-10 20:11 . 2008-01-21 16:53 <DIR> d-------- C:\Program Files\Activision

2008-01-10 14:27 . 2008-01-25 15:01 <DIR> d-------- C:\Program Files\Xfire

2007-12-27 22:46 . 2008-01-18 13:37 <DIR> d-------- C:\Program Files\ES - Eather Server Vista Client V2.0

2007-12-27 19:52 . 2001-09-06 19:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

2007-12-27 19:52 . 2001-09-06 19:04 12,288 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys

2007-12-27 19:51 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2007-12-27 19:51 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-25 13:11 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-01-24 21:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-01-24 17:59 --------- d-----w C:\Program Files\AVPersonal

2008-01-24 13:34 --------- d-----w C:\Program Files\Java

2008-01-23 15:49 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-01-21 15:54 --------- d-----w C:\Program Files\Symantec

2008-01-21 15:53 --------- d-----w C:\Program Files\Hitman Pro

2008-01-21 15:48 --------- d-----w C:\Program Files\KalOnlineEng

2008-01-10 18:42 74,240 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys

2008-01-10 18:42 56,832 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys

2007-12-28 09:49 --------- d-----w C:\Program Files\Guild Wars

2007-12-22 11:01 --------- d-----w C:\Program Files\iTunes

2007-12-22 10:59 --------- d-----w C:\Program Files\QuickTime

2007-12-22 10:57 --------- d-----w C:\Program Files\Apple Software Update

2005-07-29 14:24 472 -csha-r C:\WINDOWS\TWFyayBOb3JicnVpcw\nqIVuV1ivaL2wBpDwT.vbs

.

((((((((((((((((((((((((((((( snapshot@2008-01-24_23.39.03.59 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-01-24 22:19:12 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-25 17:35:09 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

- 2008-01-24 22:19:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-25 17:35:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

- 2008-01-24 22:19:12 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-25 17:35:09 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

- 2008-01-24 22:19:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-25 17:35:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

- 2008-01-24 22:19:12 5,689,344 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat

+ 2008-01-25 17:35:09 5,689,344 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat

- 2008-01-24 22:19:12 192,512 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2008-01-25 17:35:09 188,416 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 20:13 98304]

"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 01:29 33936]

"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-02-21 17:22 58984]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-13 12:51 100056]

"RAMDrive"="C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe" [ ]

"AlcWzrd"="ALCWZRD.EXE" [2005-02-18 21:32 2754560 C:\WINDOWS\ALCWZRD.EXE]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 22:54 253952]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-05-12 00:34 6729728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"= 0 (0x0)

"NoMovingBands"= 0 (0x0)

"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="LogonUI.EXE"

R2 AVWUpSrv;AntiVir Update;"C:\Program Files\AVPersonal\AVWUPSRV.EXE" [2005-10-13 16:32]

S0 xsqynnyk;xsqynnyk;C:\WINDOWS\system32\drivers\kpihvhgk.dat []

S3 hitmanpro2;Hitman Pro 2 Driver;C:\Program Files\Hitman Pro\hitmanpro2.sys [2006-11-03 12:02]

S3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 19:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71bc2f1c-8726-11dc-ade9-0013d42048e4}]

\Shell\AutoRun\command - O:\LaunchU3.exe -a

.

Inhoud van de 'Gedeelde Taken' map

"2007-12-22 10:57:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-01-25 14:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"

- C:\Program Files\Norton Security Scan\Nss.exe

"2005-01-02 00:12:46 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-25 18:42:37

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

Voltooingstijd: 2008-01-25 18:45:57 - machine was rebooted [Compaq_Eigenaar]

ComboFix-quarantined-files.txt 2008-01-25 17:45:55

ComboFix2.txt 2008-01-25 11:38:37

ComboFix3.txt 2008-01-24 22:39:21

.

2008-01-22 02:29:34 --- E O F ---

My PC is getting faster and faster! Great job, man

Posted:
Next click “Problems” in the left column and click ‘Scan for errors’. If errors are found, click ”Fix all errors” and ”OK”. Then close CCleaner.

In the left column I only have: - Cleaner

- Registry

- Tools

- Options

so no 'programs'

?

Posted:

Hijack This

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:23:57, on 25-1-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Norton Internet Security\ISSVC.exe

c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVPersonal\AVWUPSRV.EXE

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\ps2.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Wyzo\wyzo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [urlLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [RAMDrive] "C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\RunOnce: [aero] RunDll32.exe shell32.dll,Control_RunDLL desk.cpl,,2

O4 - HKLM\..\RunOnce: [cleartmp] C:\WINDOWS\System32\cleartmp.bat

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)

O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--

End of file - 5203 bytes

Posted:

In CCleaner: replace the word "problems" with "registry": my mistake, sorry ;) and then just carry out what is described.

As far as I'm concerned we're done ... unless you still have a problem to report here or there. The unanswered question for me remains how you got so heavily infected while you have Norton Internet Security on your PC. But those must be the wonders of the computer world :)

This topic is now closed to new replies.
