Ga naar inhoud

[OPGELOST] TR/Vundo.GJ


Aanbevolen berichten

ik snap niet wat je bedoelt met "dit zal combofix doen herstarten", wat moet ik precies met dat kladblok bestand doen als ik het vetgedrukte daar in plak?
Sorry, foutje van mij :bawling:Heb een stukje tekst vergeten te plakken na die tekst : dit is de goede versie (en dan zal je wel duidelijk worden wat je moet doen) :

Sla dit bestand op je bureaublad op als CFScript.txt.

Sleep CFScript.txt in ComboFix.exe

Dit zal ComboFix doen herstarten. Start opnieuw op als dat gevraagd wordt.

Post na herstart de inhoud van de Combofix.txt in je volgende bericht samen met een nieuw logje van HijackThis.

Link naar reactie
Delen op andere sites

Yes, er komen geen virusmeldingen meer :) moet ik nu ATFcleaner downloaden?

dit zijn de logs:

ComboFix 08-05-15.3 - WART 2008-05-18 20:04:37.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.233 [GMT 2:00]

Gestart vanuit: C:\Documents and Settings\WART\Bureaublad\ComboFix.exe

Command switches used :: C:\Documents and Settings\WART\Bureaublad\CFScript.txt

* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::

C:\Temp\oRUsa080.exe

C:\WINDOWS\system32\hgGxYRlL.dll

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Temp\kvebs14

C:\Temp\kvebs14\zvKarru.log

C:\Temp\oRUsa080.exe

C:\Temp\zvebs14

C:\VundoFix Backups

C:\WINDOWS\system32\hgGxYRlL.dll

C:\WINDOWS\system32\mp

.

(((((((((((((((((((( Bestanden Gemaakt van 2008-04-18 to 2008-05-18 ))))))))))))))))))))))))))))))

.

2008-05-14 20:48 . 2008-05-14 20:48 <DIR> d-------- C:\Program Files\Trend Micro

2008-05-07 13:20 . 2008-05-07 13:20 <DIR> d-------- C:\Program Files\Sun

2008-04-23 15:58 . 2008-04-23 15:58 <DIR> d-------- C:\Documents and Settings\WART\Application Data\SPAMfighter

2008-04-23 15:57 . 2008-04-23 15:57 <DIR> d-------- C:\Program Files\Common Files\Ankiro

2008-04-23 15:56 . 2008-05-18 20:10 <DIR> d-------- C:\Program Files\SPAMfighter

2008-04-23 15:56 . 2008-04-23 15:56 <DIR> d-------- C:\Program Files\Common Files\Application

2008-04-23 14:34 . 2008-05-01 14:00 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-04-23 14:34 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-04-23 14:34 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-04-23 14:34 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-04-23 14:34 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-04-23 14:33 . 2008-04-30 19:59 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-04-23 14:33 . 2008-04-23 14:33 <DIR> d-------- C:\Documents and Settings\WART\Application Data\PC Tools

2008-04-23 14:15 . 2008-04-23 14:15 <DIR> d-------- C:\Documents and Settings\LocalService\Mijn documenten

2008-04-23 14:09 . 2008-04-23 14:09 <DIR> d-------- C:\WINDOWS\system32\Bn

2008-04-23 14:08 . 2008-04-23 14:08 <DIR> d-------- C:\WINDOWS\system32\pnVes05

2008-04-23 14:08 . 2008-05-18 20:05 <DIR> d-------- C:\Temp

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-18 18:10 --------- d-----w C:\Program Files\Steam

2008-05-16 17:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-05-07 11:20 --------- d-----w C:\Program Files\Java

2008-05-04 21:06 --------- d-----w C:\Program Files\Soulseek

2008-04-23 11:38 --------- d-----w C:\Documents and Settings\WART\Application Data\LimeWire

2008-04-07 15:23 --------- d-----w C:\Program Files\Azureus

2008-04-07 15:22 --------- d-----w C:\Documents and Settings\WART\Application Data\Azureus

2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-20 08:10 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2007-09-20 18:55 20,888 ----a-w C:\Documents and Settings\WART\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((( snapshot@2008-05-18_15.45.23,87 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-18 13:29:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-18 18:09:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:03 15360]

"Steam"="c:\program files\steam\steam.exe" [2008-03-28 20:06 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]

"nwiz"="nwiz.exe" [2006-03-09 15:29 1519616 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 15:29 86016]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57 282624]

"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 20:45 262401]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 10:53 188416]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [2008-02-26 11:10 317072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:03 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGxYRlL]

hgGxYRlL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.X264"= x264vfw.dll

"vidc.hfyu"= huffyuv.dll

"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]

--a------ 2006-04-30 20:35 516096 C:\Program Files\VIAudioi\SBADeck\ADeck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"C:\\Program Files\\Azureus\\Azureus.exe"=

"C:\\Program Files\\Soulseek\\slsk.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\Steam\\steamapps\\hasj_en_wietje@pandora.be\\counter-strike\\hl.exe"=

"C:\\Program Files\\Quake III Arena\\quake3.exe"=

"C:\\Program Files\\Steam\\steamapps\\den_emile@hotmail.com\\counter-strike\\hl.exe"=

"C:\\Program Files\\Steam\\steamapps\\boonenjeroen@hotmail.com\\counter-strike\\hl.exe"=

R2 SPAMfighter Update Service;SPAMfighter Update Service;"C:\Program Files\SPAMfighter\sfus.exe" [2008-02-26 11:10]

S3 Camdrv30;Philips ToUcam XS;C:\WINDOWS\system32\Drivers\camdrv30.sys [2001-08-17 23:04]

.

Inhoud van de 'Gedeelde Taken' map

"2008-03-25 12:54:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-18 20:10:10

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\msiexec.exe

.

**************************************************************************

.

Voltooingstijd: 2008-05-18 20:13:33 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-18 18:13:28

ComboFix2.txt 2008-05-18 13:46:29

Pre-Run: 10,846,302,208 bytes beschikbaar

Post-Run: 10,862,100,480 bytes beschikbaar

138 --- E O F --- 2008-05-16 19:38:14

hjt:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:20:12, on 18/05/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\SPAMfighter\sfus.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\SPAMfighter\SFAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146421881357

O20 - Winlogon Notify: hgGxYRlL - hgGxYRlL.dll (file missing)

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe

--

End of file - 5262 bytes

is het nu opgelost, of moet ik nog iets doen?

Link naar reactie
Delen op andere sites

Laat die ATF Cleaner nu maar, we gaan wat meer en steviger opruimen.

Start Hijackthis op en kies voor 'Do a system scan only'. Selecteer alleen de items hieronder genoemd:

O20 - Winlogon Notify: hgGxYRlL - hgGxYRlL.dll (file missing)

Klik op 'Fix checked' om de items te verwijderen.

Verwijder Combofix: Start -> Uitvoeren en typ: combofix /u

Combofix wordt verwijderd en een nieuw systeemherstelpunt wordt aangemaakt.

Download CCleaner.

Installeer het en start het op. Start CCleaner op en klik in de linkse kolom op “Cleaner”. Klik achtereenvolgens op ‘Analyseren’ en 'Opschonen'. Klik vervolgens in de linkse kolom op “Register” en klik op ‘Scannen voor fouten’. Als er fouten gevonden worden klik je op ”alle fouten herstellen” en ”OK”. Sluit hierna CCleaner terug af.

Het is aangewezen om de bestaande herstelpunten te verwijderen (daar zitten besmette herstelpunten tussen die je eventueel zou kunnen terugzetten) door systeemherstel tijdelijk uit te schakelen. Doe dit via Start -> Configuratiescherm -> Systeem -> Systeemherstel -> "Systeemherstel op alle stations uitschakelen" aanvinken. Toepassen en OK. PC herstarten en het vinkje terug weg halen.

That's it !

Link naar reactie
Delen op andere sites

Gast
Dit topic is nu gesloten voor nieuwe reacties.
×
×
  • Nieuwe aanmaken...

Belangrijke informatie

We hebben cookies geplaatst op je toestel om deze website voor jou beter te kunnen maken. Je kunt de cookie instellingen aanpassen, anders gaan we er van uit dat het goed is om verder te gaan.