Viruses

Status
Not open for further replies.

janto10

User
Joined
5 Dec 2001
Posts
782
Viruses were found; which ones are these exactly?

Results of Complete Test, date and time 23-7-2003 18:29:46 :

Testing C:\ volume WILL serial 043A-1AFA
C:\WINDOWS\GAME.EXE repaired
C:\WINDOWS\SYSTEM32\GAME.EXE repaired
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
C:\Program Files\Kazaa K++\DB\DATA256.DBB Cannot open; not checked!
C:\Program Files\Kazaa K++\DB\DATA1024.DBB Cannot open; not checked!
C:\Program Files\Spybot - Search & Destroy 1.1\RECOVERY\GoInDirect.zip:\goinunin.exe Trojan horse Dialer
C:\Mijn Gedeelde Map\Homeworld (full).zip.exe repaired
C:\Documents and Settings\WILL\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\WILL\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\WILL\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\WILL\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!

Test finished, duration 00:12:29.4 s
18476 objects tested, 4 found infected
 
Posted by janto10
Viruses were found; which ones are these exactly?


C:\WINDOWS\GAME.EXE repaired
C:\WINDOWS\SYSTEM32\GAME.EXE repaired
C:\Program Files\Spybot - Search & Destroy 1.1\RECOVERY\GoInDirect.zip:\goinunin.exe Trojan horse Dialer
C:\Mijn Gedeelde Map\Homeworld (full).zip.exe repaired
The type of virus isn't listed, only that it was repaired. On the third line it only says that it's a Trojan, not which one.
 
It says "not checked" after them.. Which antivirus program are you using?
 
Posted by janto10

C:\Program Files\Spybot - Search & Destroy 1.1\RECOVERY\GoInDirect.zip:\goinunin.exe Trojan horse Dialer

Has already been removed by Spybot S&D, since it's in its backups.

Regards,

Pieter
 
Posted by Pieter Arntz
Has already been removed by Spybot S&D, since it's in its backups.

Indeed, I hadn't noticed..

I don't know AVG, but I find the log very incomplete; you would almost expect the culprit to be named explicitly in the log.
 
log

ok, this is my log:

Logfile of HijackThis v1.95.1
Scan saved at 20:25:00, on 23-7-2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Kazaa K++\Kazaa.kpp
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\sol.exe
C:\Program Files\Kerio\Personal Firewall\PFWADMIN.EXE
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Janto\Mijn documenten\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://websate.tux.nu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kranten.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = msn
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = msn
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://websate.tux.nu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program Files/MS-Connect/Portal/portal.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Kangaroo (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {00000012-890E-4AAC-AFD9-000000000000} - http://66.28.75.65/spinoff/fl/de_rotation/TeenPorn.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://secure9.cfxhosting.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.humorcash.nl/plugins/black/bla1/nl/nl.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/nl/deleon/1.1.54-deleon/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003071801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/1/009/nl.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37664.2139583333
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} (Tintel Class) - http://exe.dialer.tintel.nl/tcw.cab
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonreality.com/eonx/4_0_0/eonx.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv2fd.pav2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

and this is my startup
StartupList report, 23-7-2003, 20:25:26
StartupList version: 1.52
Started from : C:\Documents and Settings\Janto\Mijn documenten\Downloads\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Kazaa K++\Kazaa.kpp
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\sol.exe
C:\Program Files\Kerio\Personal Firewall\PFWADMIN.EXE
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Janto\Mijn documenten\Downloads\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\will\Menu Start\Programma's\Opstarten]
SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
EM_EXEC = C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI file not found*
SCRNSAVE.EXE=*INI file not found*
drivers=*INI file not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe is MISSING!
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Register-editor'

Registry check failed!

--------------------------------------------------

Enumerating Browser Helper Objects:

Activater - (no file) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
(no name) - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Toepassing Optimalisatie Start.job
Symantec NetDetect.job
PCHealth-planner voor gegevensverzameling.job
Video Reminder.job

--------------------------------------------------

Enumerating Download Program Files:

[Win32 Classes]

[{00000012-890E-4AAC-AFD9-000000000000}]
CODEBASE = http://66.28.75.65/spinoff/fl/de_rotation/TeenPorn.exe

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[CFForm Runtime]
InProcServer32 = C:\WINDOWS\System32\MSJAVA.DLL
CODEBASE = https://secure9.cfxhosting.com/CFIDE/classes/CFJava.cab

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PCPITS~1.DLL
CODEBASE = http://pcpitstop.com/pcpitstop/PCPitStop.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\Shockwave 8\DOWNLOAD.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{4E15D681-1D20-11D4-8B72-000021DA1956}]
CODEBASE = http://www.humorcash.nl/plugins/black/bla1/nl/nl.exe

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[Google Activate]
InProcServer32 = c:\windows\downloaded program files\GoogleToolbar_nl_1.1.62-deleon.dll
CODEBASE = http://toolbar.google.com/data/nl/deleon/1.1.54-deleon/GoogleNav.cab

[HouseCall Besturing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003071801/housecall.antivirus.com/housecall/xscan53.cab

[DialXSCtl Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\dialxs.ocx
CODEBASE = http://dialxs.nl/install/dialxs.ocx

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

[{9B4AA442-9EBF-11D5-8C11-0050DA4957F5}]
CODEBASE = http://www.cavello.com/dialxs/plugins/d/1/009/nl.exe

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37664.2139583333

[Tintel Class]
CODEBASE = http://exe.dialer.tintel.nl/tcw.cab

[EonX 3.0.0]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\eonx2.dll
CODEBASE = http://download.eonreality.com/eonx/4_0_0/eonx.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMAtchmt.ocx
CODEBASE = http://pv2fd.pav2.hotmail.msn.com/activex/HMAtchmt.ocx

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Omgeving voor AFD-netwerkondersteuning: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
AVG6 Kernel: \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys (autostart)
AVG6 Rezident Driver: \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys (autostart)
AVG6 Service: C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (autostart)
Services voor cryptografie: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Fallback: System32\DRIVERS\HSF_FALL.sys (autostart)
Fsks: System32\DRIVERS\HSF_FSKS.sys (autostart)
Help en ondersteuning: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
K56: System32\DRIVERS\HSF_K56K.sys (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Net Logon: %SystemRoot%\System32\lsass.exe
Kerio Personal Firewall: "C:\Program Files\Kerio\Personal Firewall\persfw.exe" (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC-services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoftFax: System32\DRIVERS\HSF_FAXX.sys (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore-service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Thema's: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tones: System32\DRIVERS\HSF_TONE.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Uploadbeheer: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
V124: System32\DRIVERS\HSF_V124.sys (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Serienummer van draagbare media: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration-service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\will\LOCALS~1\Temp\_iu14D2N.tmp||C:\DOCUME~1\will\LOCALS~1\Temp\GLB1A2B.EXE||C:\Program Files\iolo\System Mechanic\UNWISE.EXE||C:\Program Files\iolo\System Mechanic\Sysmech.GID||C:\Program Files\iolo\System Mechanic\Sysmech.FTS|||e

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 13.217 bytes
Report generated in 0,681 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Tick the entries below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://websate.tux.nu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = msn
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = msn
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://websate.tux.nu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program Files/MS-Connect/Portal/portal.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O16 - DPF: {00000012-890E-4AAC-AFD9-000000000000} - http://66.28.75.65/spinoff/fl/de_rotation/TeenPorn.exe
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.humorcash.nl/plugins/black/bla1/nl/nl.exe
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/1/009/nl.exe
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} (Tintel Class) - http://exe.dialer.tintel.nl/tcw.cab

If you want to keep visiting the kind of sites that are crawling with dialers, I would honestly spend a few cents on an AntiVirus program and an AntiTrojan program.
AVG doesn't excel at detecting Trojans.
Kaspersky, for example, does.

Regards,

Pieter
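What a helper like Pieter does by eye in the list above can be written down as explicit triage rules. The Python script below is an added example, not part of this thread and not part of HijackThis: it runs a few defender-side checks over the R0/R1, O2 and O16 lines quoted from the log in this thread and reports why each flagged entry stands out (a SearchURL that a default IE install does not set, a value HijackThis marks as obfuscated, a blanked Local Page, a BHO whose DLL is gone, an ActiveX CODEBASE hosted on a bare IP address or delivering an .exe). The trusted-vendor allowlist, the "dial" keyword rule and the selection of sample lines are assumptions of the example, not HijackThis features.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: R0/R1, O2 and O16 lines copied from the HijackThis log
# posted in this thread (a subset, so the example stays short).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://websate.tux.nu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kranten.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = msn
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = msn
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://websate.tux.nu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program Files/MS-Connect/Portal/portal.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O16 - DPF: {00000012-890E-4AAC-AFD9-000000000000} - http://66.28.75.65/spinoff/fl/de_rotation/TeenPorn.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://secure9.cfxhosting.com/CFIDE/classes/CFJava.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.humorcash.nl/plugins/black/bla1/nl/nl.exe
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/1/009/nl.exe
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} (Tintel Class) - http://exe.dialer.tintel.nl/tcw.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv2fd.pav2.hotmail.msn.com/activex/HMAtchmt.ocx
"""

# Vendors whose download hosts this example chooses to trust for O16 entries.
# The allowlist is an assumption of the example, not something HijackThis ships.
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "msn.com", "apple.com", "macromedia.com", "google.com")

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<guid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def _is_trusted(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_r(body):
    """R0/R1 entries: Internet Explorer start page and search settings."""
    key, _, value = body.partition("=")
    name = key.strip().rsplit(",", 1)[-1].strip()
    value = value.strip()
    reasons = []
    if name == "SearchURL":
        reasons.append("SearchURL is not set on a default IE install")
    if "(obfuscated)" in value:
        reasons.append("HijackThis marks the value as obfuscated")
    if value == "":
        reasons.append(f"{name} has been blanked")
    if name in ("SearchAssistant", "CustomizeSearch") and not value.lower().startswith(("http://", "https://", "res://")):
        reasons.append(f"{name} does not point at a URL")
    return reasons


def check_o2(body):
    """O2 entries: Browser Helper Objects; a registered BHO with no file is an orphan."""
    return ["BHO is registered but its DLL is missing"] if body.endswith("(no file)") else []


def check_o16(body):
    """O16 entries: ActiveX controls in Downloaded Program Files with their CODEBASE URL."""
    m = DPF_RE.match(body)
    if not m:
        return []
    url = urlparse(m.group("url"))
    host = url.hostname or ""
    if _is_trusted(host):
        return []
    reasons = []
    if _is_ip_literal(host):
        reasons.append("CODEBASE host is a bare IP address")
    if url.path.lower().endswith(".exe"):
        reasons.append("CODEBASE delivers an .exe instead of a .cab/.ocx")
    if "dial" in host.lower():
        reasons.append("host name suggests a dialer (keyword rule, assumption)")
    if m.group("name") is None:
        reasons.append("control has no friendly name, only a CLSID")
    return reasons


def triage(log_text):
    """Return (line, reasons) for every R0/R1, O2 and O16 entry that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            reasons = check_r(body)
        elif kind == "O2":
            reasons = check_o2(body)
        elif kind == "O16":
            reasons = check_o16(body)
        else:
            reasons = []
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

On the sample it reports exactly the thirteen lines Pieter lists, each with the rule it tripped. An entry that passes is not proof of anything: the rules are heuristics, and the CFForm entry on cfxhosting.com passes only because it has a friendly name and delivers a .cab, not because it has been vetted.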
 
this is really weird!!!!!

now there are 2 trojans in the system restore dir
Results of Complete Test, date and time 23-7-2003 21:11:17 :

Testing C:\ volume WILL serial 043A-1AFA
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
C:\Program Files\Spybot - Search & Destroy 1.1\RECOVERY\GoInDirect.zip:\goinunin.exe Trojan horse Dialer
C:\Documents and Settings\WILL\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\WILL\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\WILL\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\WILL\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\System Volume Information\_restore{58CEFC01-F230-4E57-906E-4BF7B2E180E9}\RP25\A0002626.EXE repaired
C:\System Volume Information\_restore{58CEFC01-F230-4E57-906E-4BF7B2E180E9}\RP25\A0002627.EXE repaired

Test finished, duration 00:09:13.9 s
17397 objects tested, 3 found infected

really weird, why didn't it find them the first time then ????
 
:)

Everything is clean now. What about the log, what can go and what can't? By the way, I installed that little program SpywareBlaster.


Regards
 
What can go from your log I already posted, and you should update SpywareBlaster, or that stuff was already there before you installed it.

Regards,

Pieter
 
Re: this is really weird!!!!!

Posted by janto10
now there are 2 trojans in the system restore dir
Results of Complete Test..........

Test finished, duration 00:09:13.9 s
17397 objects tested, 3 found infected

really weird, why didn't it find them the first time then ????

janto10,


A virus in the restore files isn't a big deal.
Even if you do nothing, the virus will disappear from the restore folder by itself.

The reason your virus scanner doesn't scan the restore files is that a virus scanner can't change anything in the restore folders.
Only online scans scan the restore folders.
For more information on that, see:

http://service1.symantec.com/SUPPOR...365d4251002f832085256b4300675d39?OpenDocument

So the only way to remove the virus from the restore directory is to disable the restore function and then enable it again.

This is how you disable restore:

1. Right-click My Computer and click Properties.
2. Click the System Restore tab.
3. Tick "Turn off System Restore" or "Turn off System Restore on all drives".
4. Click Apply.
5. Click OK. Restart the computer.

Then turn restore back on.
 