another log


Wood

Hello Helpmij folks, I have big problems with my PC.
If someone has a moment,
thanks in advance.
Regards, Marcel

Logfile of HijackThis v1.98.2
Scan saved at 18:13:58, on 23-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe
C:\WINDOWS\System32\wuauclt32.exe
C:\WINDOWS\System32\qlgravo.exe
C:\WINDOWS\System32\btaxol.exe
C:\WINDOWS\System32\wupdt64.exe
C:\WINDOWS\System32\host32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\netclnc.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://breedband.wanadoo.nl/conditions.php?OFFER=57708825&budget=1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wanadoo.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows DLL host] "C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Windows Config] svchosts.exe
O4 - HKLM\..\Run: [Automatic Updates] wuauclt32.exe
O4 - HKLM\..\Run: [WindowsRegKey update] svchostc.exe
O4 - HKLM\..\Run: [nvviddrv32] qlgravo.exe
O4 - HKLM\..\Run: [BIOS XP Loader] btaxol.exe
O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe"
O4 - HKLM\..\RunServices: [Windows Config] svchosts.exe
O4 - HKLM\..\RunServices: [Automatic Updates] wuauclt32.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] svchostc.exe
O4 - HKLM\..\RunServices: [nvviddrv32] qlgravo.exe
O4 - HKLM\..\RunServices: [BIOS XP Loader] btaxol.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\RunServices: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\WIMENL~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [NVIDIA Video drivers] video_32sD.exe
O4 - HKCU\..\Run: [Windows DLL host] "C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe"
O4 - HKCU\..\Run: [Automatic Updates] wuauclt32.exe
O4 - HKCU\..\Run: [WindowsRegKey update] svchostc.exe
O4 - HKCU\..\Run: [BIOS XP Loader] btaxol.exe
O4 - HKCU\..\Run: [nvviddrv32] qlgravo.exe
O4 - HKCU\..\Run: [Win32 Sound Config] win32snd.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKCU\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
O4 - HKCU\..\RunServices: [Windows DLL host] "C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://breedband.wanadoo.nl/conditions.php?OFFER=57708825&budget=1
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7568bc31da07:20bd3955a42ba1a87a16f17897c4ded1
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095952223453
 
Posted by Wood

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O4 - HKLM\..\Run: [Windows DLL host] "C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe"
O4 - HKLM\..\Run: [Windows Config] svchosts.exe
O4 - HKLM\..\Run: [Automatic Updates] wuauclt32.exe
O4 - HKLM\..\Run: [WindowsRegKey update] svchostc.exe
O4 - HKLM\..\Run: [nvviddrv32] qlgravo.exe
O4 - HKLM\..\Run: [BIOS XP Loader] btaxol.exe
O4 - HKLM\..\Run: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [Windows DLL host] "C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe"
O4 - HKLM\..\RunServices: [Windows Config] svchosts.exe
O4 - HKLM\..\RunServices: [Automatic Updates] wuauclt32.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] svchostc.exe
O4 - HKLM\..\RunServices: [nvviddrv32] qlgravo.exe
O4 - HKLM\..\RunServices: [BIOS XP Loader] btaxol.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry32.exe
O4 - HKLM\..\RunServices: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\WIMENL~1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [NVIDIA Video drivers] video_32sD.exe
O4 - HKCU\..\Run: [Windows DLL host] "C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe"
O4 - HKCU\..\Run: [Automatic Updates] wuauclt32.exe
O4 - HKCU\..\Run: [WindowsRegKey update] svchostc.exe
O4 - HKCU\..\Run: [BIOS XP Loader] btaxol.exe
O4 - HKCU\..\Run: [nvviddrv32] qlgravo.exe
O4 - HKCU\..\Run: [Win32 Sound Config] win32snd.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKCU\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
O4 - HKCU\..\RunServices: [Windows DLL host] "C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe"

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7568bc31da07:20bd3955a42ba1a87a16f17897c4ded1


Hi Wood,

A virus party. :(

1. Scan with HijackThis, tick the items above (see quote), close all windows except HijackThis itself and click "Fix checked".

2. Restart the PC in safe mode.
If you don't know how to do that, have a look here: http://www.virushelp.nl/veilige_modus.htm

Make sure hidden files and folders are shown.
You can read how to do that here: http://users.telenet.be/marcvn/spyware/1117602.htm

Now, still in safe mode, delete the following files and folders:

Files:
C:\WINDOWS\System32\wuauclt32.exe
C:\WINDOWS\System32\qlgravo.exe
C:\WINDOWS\System32\btaxol.exe
C:\WINDOWS\System32\wupdt64.exe
C:\WINDOWS\System32\host32.exe
C:\WINDOWS\system32\netclnc.exe

Folders:
C:\Documents and Settings\Wim en Lisette\winupd
C:\Program Files\Windows SyncroAd
C:\Program Files\Web_Rebates

Empty the folder:

C:\Documents and Settings\Wim en Lisette\Local Settings\Temp <- delete everything in that folder

Still in safe mode, run Disk Cleanup: Start -> All Programs -> Accessories -> System Tools -> Disk Cleanup. The 'calculating' step can take a while. Tick all options.

3. Restart the PC in 'normal mode'.

4. Run the Housecall online virus scan: http://housecall.trendmicro.com/
Then restart the PC.

5. Run the Panda online virus scan: http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Then restart the PC.

6. Make a new HijackThis log and post it here.
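The triage done by eye on the O4 section above (which entries go into "Fix checked") can be written down as a small script. This is an added example, not code from the thread or from HijackThis: it parses O4 lines (the sample lines are copied from the first log above) and flags the three heuristics at work here, a bare filename with no path, a launch from the user profile, and a name imitating a Windows system binary. SYSTEM_STEMS and KNOWN_BARE are assumed, illustrative short lists.

```python
import re
# Sample input: O4 lines copied out of the first HijackThis log above (constructed subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows DLL host] "C:\Documents and Settings\Wim en Lisette\winupd\winupd32.exe"
O4 - HKLM\..\Run: [Windows Config] svchosts.exe
O4 - HKLM\..\Run: [Automatic Updates] wuauclt32.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [Windows Update] host32.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\WIMENL~1\LOCALS~1\Temp\djtopr1150.exe"
"""
# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# Stems of genuine Windows binaries that droppers like to imitate (assumed, illustrative list).
SYSTEM_STEMS = ("svchost", "wuauclt", "lsass", "smss", "winlogon", "csrss")
# Genuine loaders that legitimately appear without a path in Run keys (assumed list).
KNOWN_BARE = {"rundll32.exe"}

def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def suspicious_reasons(exe: str) -> list:
    """Heuristics a helper applies by eye when reading a HijackThis O4 section."""
    low = exe.lower()
    base = low.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    reasons = []
    if "\\" not in exe and base not in KNOWN_BARE:
        reasons.append("bare filename: found via PATH search, not a fixed location")
    if low.startswith(("c:\\documents and settings\\", "c:\\docume~1\\")):
        reasons.append("launched from a user profile directory")
    if any(stem != s and stem.startswith(s) for s in SYSTEM_STEMS):
        reasons.append("name imitates a Windows system binary")
    return reasons

def triage_o4(log: str) -> list:
    """Return (hive, key, name, exe, reasons) for every O4 entry that trips a heuristic."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe = executable_of(cmd)
            reasons = suspicious_reasons(exe)
            if reasons:
                findings.append((hive, key, name, exe, reasons))
    return findings
```

Run against the sample, the five flagged entries are exactly the ones the quote above marks for removal, while the NVIDIA and avast! entries pass.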
 
Hi Buffy,

I have done everything you said; see the new log.

Logfile of HijackThis v1.98.2
Scan saved at 16:40:41, on 24-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\xp_sp1_nl.exe
d:\3cfd0\update\update.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://breedband.wanadoo.nl/conditions.php?OFFER=57708825&budget=1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wanadoo.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://breedband.wanadoo.nl/conditions.php?OFFER=57708825&budget=1
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095952223453
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab



This is what the Panda online virus scan still found. Some of it was not disinfected; can I just delete those? (See the Panda antivirus logfile below.)

Incident Status Location

Virus:Trj/Multidropper.FE Disinfected C:\win2k3.exe
Virus:Trj/Small.AK Disinfected C:\WINDOWS\Config\mt.exe
Virus:Trj/Downloader.PF Disinfected C:\WINDOWS\Downloaded Program Files\v2.dll
Virus:Trj/Downloader.RY Disinfected C:\WINDOWS\gx9fzj83m9.exe
Virus:Trj/Small.AK Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2LAVCX8D\mt[1].exe
Virus:Trj/Small.AK Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8Z6ZS9SB\mt[1].exe
Virus:Trj/Small.AK Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8Z6ZS9SB\mt[2].exe
Virus:Trj/Multidropper.FE Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GPY3AXM7\pb25[1].exe
Virus:Trj/Multidropper.EG No disinfected C:\WINDOWS\system32\config\systemprofile\winupd\pb25.exe[pk2.exe]
Virus:Exploit/Lsass.A No disinfected C:\WINDOWS\system32\config\systemprofile\winupd\pb25.exe[pk2.exe][sasser.dll]
Virus:Trj/Exdrop.A No disinfected C:\WINDOWS\system32\config\systemprofile\winupd\pb25.exe[pk2.exe][sbaanetapi.dll]
Virus:W32/Psybot.B.worm No disinfected C:\WINDOWS\system32\config\systemprofile\winupd\pb25.exe[pk3.exe][svcinstall.exe]
Virus:Trj/Exdrop.A Disinfected C:\WINDOWS\system32\config\systemprofile\winupd\sbaanetapi.dll
Virus:W32/Psybot.B.worm Disinfected C:\WINDOWS\system32\config\systemprofile\winupd\svcinstall.exe
Virus:W32/Psybot.A.worm Disinfected C:\WINDOWS\system32\config\systemprofile\winupd\winupd32.exe
Virus:Trj/Downloader.NN Disinfected C:\WINDOWS\system32\dl.vbs
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Multidropper.EG No disinfected C:\WINDOWS\system32\drivers\etc\winupd\pb25.exe[pk2.exe]
Virus:Exploit/Lsass.A No disinfected C:\WINDOWS\system32\drivers\etc\winupd\pb25.exe[pk2.exe][sasser.dll]
Virus:Trj/Exdrop.A No disinfected C:\WINDOWS\system32\drivers\etc\winupd\pb25.exe[pk2.exe][sbaanetapi.dll]
Virus:W32/Psybot.B.worm No disinfected C:\WINDOWS\system32\drivers\etc\winupd\pb25.exe[pk3.exe][svcinstall.exe]
Virus:Trj/Exdrop.A Disinfected C:\WINDOWS\system32\drivers\etc\winupd\sbaanetapi.dll
Virus:Trj/Exdrop.A Disinfected C:\WINDOWS\system32\drivers\etc\winupd\svcinstall.exe
Virus:Worm Generic.SD Disinfected C:\WINDOWS\system32\TFTP2720
Thanks in advance and greetings from Marcel
 
Hi Wood,

That already looks a lot better.


1. Download and install PurgeIE: ftp://ftp.purgeie.com/purgp202.exe (direct download link)

- Close Internet Explorer and your mail program.

- Start PurgeIE.

(You can close the small "Quick Start Information" window.)

- Click the Set All Options 'On' button.

- Remove the tick in front of 'Run Plugins'.

- Click the Purge button.

(If a message about "Unprotected Cookies" appears, click "Continue".)

- When PurgeIE is done, click Exit.


2. Restart the PC in safe mode.

Make sure hidden files and folders are shown.

Check whether the following folders still exist and, if so, delete them:

C:\WINDOWS\system32\config\systemprofile\winupd <- that folder
C:\WINDOWS\system32\drivers\etc\winupd <- that folder

3. Restart the PC in normal mode.
 
Thanks

Thanks, Buffy, for taking the time to sort this out.

All the misery is now solved, I think.

Kind regards,

Marcel :D
 