Virus win32.HomeKeyLogger.170

[smallcat]

Ik heb sinds kort Kaspersky Anti-virus. Hij detecteert win32.HomeKeyLogger.170. Het lukte niet om dit te desinfecteren en ook niet om het te verwijderen. Hij blijft met deze melding komen.

Ik heb bij Virusalert gecheckt wat voor virus dit moet zijn, maar is daar niet bekend.

Tevens een online-scanning gedaan en dan wordt ie niet gedetecteerd.

Weet iemand hier wat van?

 

[tyron]

tyron

http://www.google.com/search?q=win32.HomeKeyLogger.170

meschien heb je hier wat aan.

groeten tyron

 

[Tanja1968]

Is volgens mij geen virus, maar een programma http://www.softpile.com/Utilities/Security/Review_13819_index.html

 

[Pieter Arntz]

Inderdaad, maar als je het niet zelf geinstalleerd hebt en het is wel jouw computer:
Download HijackThis. Uitleg en link vind je hier: http://www.tomcoyote.org/hjt/
Unzip en run het. Klik op Scan > Save log en sla het log op als een .txt bestand.
Kopieer en plak de inhoud in je volgende post.
Fix nog niets, het meeste heb je gewoon nodig.

Groetjes,

Pieter

 

[smallcat]

Hallo Pieter,

Ik weet niet van welke datum jouw bericht is, maar ik zag het pas vanavond.
Onderstaand mijn logfile. Een hele lijst.

Logfile of HijackThis v1.97.7
Scan saved at 22:45:28, on 10-12-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashserv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
D:\Program Files\NetPumper\NetPumperIEProxy.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Elaborate Bytes\CloneCD\CloneCDTray.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
E:\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
D:\WINDOWS\System32\ctfmon.exe
E:\INCRED~1\bin\IncMail.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
D:\Program Files\WinZip\WZQKPICK.EXE
E:\PVSW\Bin\W3DBSMGR.EXE
D:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Felix.exe
E:\Digital Image\Monitor.exe
E:\Psion\PsiWin\CLIPSYNC.EXE
E:\Webshots\WebshotsTray.exe
D:\Program Files\Jasc Software Inc\Paint Shop Photo Album\pspa.exe
D:\Program Files\Internet Explorer\iexplore.exe
E:\Psion\PsiWin\PSCONSV.EXE
D:\Program Files\VCOM\PowerDesk\pdexplo.exe
D:\DOCUME~1\JOS&IN~1\LOCALS~1\Temp\~~PDTEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/r/internal/start/client/RAND
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.webshots.com/r/internal/start/client/RAND
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Zero Popup - {2EF37A01-884F-11d5-AC99-B112050ECB4F} - D:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NetPumper] "D:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "E:\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "E:\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [ScreenPrint32] E:\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [avast!] D:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] D:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DXM6Patch_981116] D:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [IW ControlCenter] D:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [VOBID] D:\Program Files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [PinnacleDriverCheck] D:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] E:\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: Webshots.lnk = E:\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = E:\PVSW\Bin\W3DBSMGR.EXE
O4 - Global Startup: Felix.exe
O4 - Global Startup: Monitor.lnk = ?
O4 - Global Startup: PsiWin 2.2 Connection Server.lnk = E:\Psion\PsiWin\PSCONSV.EXE
O4 - Global Startup: CopyAnywhere.lnk = E:\Psion\PsiWin\CLIPSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Event Reminder.lnk = E:\Broderbund\PrintMaster\PMremind.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - E:\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://D:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Aanpassen &Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Backward &Links - res://D:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Download with NetPumper - D:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: InvulFormulieren &] - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Opslaan Formulieren &^ - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Si&milar Pages - res://D:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: InvulFormulieren (HKLM)
O9 - Extra 'Tools' menuitem: InvulFormulieren &] (HKLM)
O9 - Extra button: Opslaan (HKLM)
O9 - Extra 'Tools' menuitem: Opslaan Formulieren &^ (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm Werkbalk &2 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://virusscan.zdnet.nl/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37733.3432986111
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) -
http://a532.g.akamai.net/f/532/6712/1d/player.virtools.com/downloads/player/Install2.1/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.gofoto.nl/_activeX/XUpload.ocx
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5917B82-BE69-4630-BBE1-94C4EEA47215}: NameServer = 195.121.1.34 195.121.1.66

 

[Pieter Arntz]

Hoi smallcat,

Vink de onderstaande items aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com

O4 - HKLM\..\Run: [DXM6Patch_981116] D:\WINDOWS\p_981116.exe /Q:A

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - Global Startup: Felix.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab

O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binari...TML_pack_XP.cab

Start dan opnieuw op, liest in veilige modus en verwijder het bestand dat door KAV herkend werd.

Ik zie trouwens dat je ondertussen geswitched bent van KAV naar Avast.

Groetjes,

Pieter

 

[smallcat]

Hallo Pieter,

Precies gedaan wat je hebt gezegd. Helemaal gelukt!
Hardstikke bedankt!

Met groet,
Ineke

 

[Pieter Arntz]

Graag gedaan.

Pieter