
Trojan.vundo


anonymous

Question

Yesterday, while scanning my PC, I found a trojan.vundo in my system32 folder. I had the virus put in quarantine and searched for more today. I also cannot start my Task Manager. At the time of writing I am scanning with SUPERAntiSpyware and I have made a HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:53:56, on 1-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Documents and Settings\Admin\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\FILMS\FRAPS\FRAPS.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\tcntrkdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\@Home veiligheid\AntiVirus\pavexsc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\limewire\limewire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Diversen\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\@Home veiligheid\AntiVirus\AVRealTime.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Admin\svchost.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntrkdm.exe DWram
O4 - HKLM\..\Run: [BM538ace70] Rundll32.exe "C:\WINDOWS\system32\pwfnpetw.dll",s
O4 - HKLM\..\RunServices: [WatchDog] C:\Program Files\WatchDog\watchdog.exe /.
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Fraps] C:\FILMS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntrkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: Xfire.lnk = C:\Spellen\Xfire\Xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C97E62-F9EC-4C2D-A05B-CE1040177F03}: NameServer = 213.51.144.37,213.51.129.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.128.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
O17 - HKLM\System\CS4\Services\Tcpip\..\{5C64622A-E521-4E3C-BB5A-A704DC61E04A}: NameServer = 213.51.144.37,213.51.129.37
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Are there errors in my HijackThis log, and do I need to scan with another program besides SUPERAntiSpyware to get rid of this virus? Thanks in advance.
Link to comment
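An added example, not from this thread and not HijackThis code: a small Python triage of the O4 autostart lines in the log above, encoding the checks a removal helper applies by eye (a core Windows binary name launched from a user profile, the Windows 9x RunServices key, Startup shortcuts into System32, random-looking eight-character names). The sample lines are copied from the posted log; the rules and thresholds are assumptions of mine, not HijackThis's.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example, not part of this thread and not HijackThis code: it encodes
a few of the rules a malware-removal helper applies by eye to O4 lines.
The sample lines are copied from the posted log; the rules and thresholds
are my own heuristics.
"""
import re

# Constructed sample: O4 lines from the log above, plus benign entries so
# the rules have negative cases.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Admin\svchost.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntrkdm.exe DWram
O4 - HKLM\..\Run: [BM538ace70] Rundll32.exe "C:\WINDOWS\system32\pwfnpetw.dll",s
O4 - HKLM\..\RunServices: [WatchDog] C:\Program Files\WatchDog\watchdog.exe /.
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntrkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: Xfire.lnk = C:\Spellen\Xfire\Xfire.exe
"""

# Core Windows process names that only belong in %SystemRoot%\system32;
# a copy elsewhere (here: a user profile) is a classic impostor.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe",
                   "services.exe", "smss.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# First quoted path, else the first drive-letter path up to a known extension
# (handles unquoted "C:\Documents and Settings\..." paths with spaces).
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|sys|cpl|scr))\b', re.I)


def first_path(cmd):
    """Return the executable/DLL path in an O4 command line, or None."""
    m = PATH_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def looks_random(stem):
    """Crude stand-in for an entropy check: eight letters/digits with at most
    one vowel, the shape of the generated names in this log (pwfnpetw,
    tcntrkdm, rwwnw64d).  Real tooling pairs this with a vendor allowlist."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z0-9]{8}", s):
        return False
    return sum(c in "aeiou" for c in s) <= 1


def triage(log_text):
    """Return [(o4_line, reason)] for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if not m:
            continue
        key = m.group("key")
        path = first_path(m.group("cmd"))
        if path is None:      # bare names like RTHDCPL.EXE resolve via PATH; skipped here
            continue
        folder, _, fname = path.lower().rpartition("\\")
        stem = fname.rsplit(".", 1)[0]
        if fname in SYSTEM_BINARIES and folder != SYSTEM32:
            findings.append((line, f"{fname} launched from outside System32 ({folder})"))
        elif "RunServices" in key:
            findings.append((line, "RunServices is a Windows 9x-era key that XP itself does not process; ask what wrote it"))
        elif key == "Startup" and folder == SYSTEM32:
            findings.append((line, f"Startup shortcut points at {fname} in System32"))
        elif looks_random(stem):
            findings.append((line, f"random-looking name {fname} in {folder}"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```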
Replies: 72

Recommended posts

Before I used ComboFix I scanned my PC with SUPERAntiSpyware. I will post the log of that scan session below so that any mistakes in it can be spotted, since I saw that a few Windows files were treated as viruses.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/01/2008 at 02:20 PM

Application Version : 3.9.1008

Core Rules Database Version : 3451
Trace Rules Database Version: 1443

Scan type : Complete Scan
Total Scan Time : 02:48:08

Memory items scanned : 583
Memory threats detected : 4
Registry items scanned : 5595
Registry threats detected : 26
File items scanned : 56932
File threats detected : 84

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\VTUKHIXX.DLL
C:\WINDOWS\SYSTEM32\VTUKHIXX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}
HKCR\CLSID\{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}
HKCR\CLSID\{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}\InprocServer32
HKCR\CLSID\{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BC7D8DE8-EF3D-4F44-8B54-03759FAC1367}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\vtUkhIxx
C:\WINDOWS\SYSTEM32\ICWNFKVC.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\QOMCDCTN.DLL
C:\WINDOWS\SYSTEM32\QOMCDCTN.DLL

Trojan.Unclassified/SVCHost-Fake
C:\DOCUMENTS AND SETTINGS\ADMIN\SVCHOST.EXE
C:\DOCUMENTS AND SETTINGS\ADMIN\SVCHOST.EXE
[Host Process] C:\DOCUMENTS AND SETTINGS\ADMIN\SVCHOST.EXE
C:\WINDOWS\Prefetch\SVCHOST.EXE-214034E9.pf

Adware.DeeWoo/ThinkAdz
C:\WINDOWS\SYSTEM32\TCNTRKDM.EXE
C:\WINDOWS\SYSTEM32\TCNTRKDM.EXE
[ExploreUpdSched] C:\WINDOWS\SYSTEM32\TCNTRKDM.EXE
C:\DOCUMENTS AND SETTINGS\ADMIN\MENU START\PROGRAMMA'S\OPSTARTEN\DEEWOO.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{78662271-AE52-4BDA-AE35-D10CE5C867E0}\RP9\A0004219.LNK
C:\WINDOWS\Prefetch\TCNTRKDM.EXE-2832694E.pf

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54FFD686-C0E1-4C0D-B3DE-52A53563576B}
HKCR\CLSID\{54FFD686-C0E1-4C0D-B3DE-52A53563576B}
HKCR\CLSID\{54FFD686-C0E1-4C0D-B3DE-52A53563576B}\InprocServer32
HKCR\CLSID\{54FFD686-C0E1-4C0D-B3DE-52A53563576B}\InprocServer32#ThreadingModel

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}\InprocServer32
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}\InprocServer32#ThreadingModel
HKCR\CLSID\{6156A32A-C512-4E23-AA9A-2315F4265681}\Programmable
C:\WINDOWS\SYSTEM32\MYSS_SB.DLL
HKU\S-1-5-21-3863442237-3903237769-1811846796-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{3D87B50D-542A-45b6-96E9-F03CFAA8C962}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\Implemented Categories
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\InprocServer32
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\InprocServer32#ThreadingModel
HKCR\CLSID\{3D87B50D-542A-45B6-96E9-F03CFAA8C962}\Programmable

Adware.Tracking Cookie
Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

Trojan.Unclassified/BrowserDriver
C:\WINDOWS\SYSTEM32\RWWNW64D.EXE
C:\DOCUMENTS AND SETTINGS\ADMIN\MENU START\PROGRAMMA'S\OPSTARTEN\DW_START.LNK
C:\WINDOWS\SYSTEM32\JP7\HBNX12.EXE
C:\WINDOWS\Prefetch\HBNX12.EXE-09613765.pf
C:\WINDOWS\Prefetch\RWWNW64D.EXE-37497E97.pf

Trojan.Downloader-Gen/MROFIN
C:\WINDOWS\MROFINU1000106.EXE
C:\WINDOWS\MROFINU1188.EXE

Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\ZXDNT3D.CFG
Link to comment
Right-click "My Computer". Choose Properties. Go to the Advanced tab. Under Startup and Recovery click "Settings". Untick "Automatically restart". Tick "Write an event to the system log". Under "Write debugging information" select "(none)". Click "OK" and click "OK" once more. Restart the computer. Post the contents of the blue screen you get.
Link to comment
Already before that. Last night I got a message that a virus had been found. So this morning I decided to scan my PC. By then Task Manager already wasn't working, and during the scan my taskbar (explorer.exe) and my whole desktop disappeared. After the scan finished the PC had to be restarted, and since then I can no longer boot normally; I ran ComboFix from Safe Mode. I posted the scan log of that scanner a few posts earlier in the thread.
Link to comment
explorer.exe and your desktop disappearing is normal with this infection. Try this.

Download The Avenger and put it on your desktop: http://swandog46.geekstogo.com/avenger2/download.php
Unzip it. Start the program by clicking avenger.exe.
In the "Input Script here" window, paste the following:

Files to delete:
C:\WINDOWS\system32\ahmmqqae.dll
C:\WINDOWS\system32\pwfnpetw.dll
C:\WINDOWS\system32\qoMcdCTn.dll
C:\WINDOWS\system32\nTCdcMoq.ini2
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\gside.exe
C:\Temp\oRUsa080.exe
Folders to delete:
C:\VundoFix Backups
C:\Temp\zvebs14
C:\Temp\1cb
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{759C858E-85A7-416A-B9F1-68A6F750DF4E}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2 Up File Flag
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Build cdrom
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9F-FD-D4-43-DW}
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 50b9fdec

Then click the "Execute" button. Avenger will say that the computer is going to restart; allow this. After the reboot a logfile (avenger.txt) opens. Post the contents of the logfile.
Link to comment
I get an error message:
Error: Invalid script. A valid script must begin with a command directive. Aborting execution.

This is the script:

Files to delete:
C:\WINDOWS\system32\ahmmqqae.dll
C:\WINDOWS\system32\pwfnpetw.dll
C:\WINDOWS\system32\qoMcdCTn.dll
C:\WINDOWS\system32\nTCdcMoq.ini2
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\gside.exe
C:\Temp\oRUsa080.exe
Folders to delete:
C:\VundoFix Backups
C:\Temp\zvebs14
C:\Temp\1cb
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{759C858E-85A7-416A-B9F1-68A6F750DF4E}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2 Up File Flag
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Build cdrom
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9F-FD-D4-43-DW}
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Here is the log of the failed attempt:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 20:00:36 2008

20:00:36: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////
Link to comment
> Niek van gastel wrote:
> Registry values to delete:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Note: it must be:

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 50b9fdec
Link to comment
Thanks, I hadn't copied everything. Even with the whole line I get the same error message. This is the script I am trying to run:

Files to delete:
C:\WINDOWS\system32\ahmmqqae.dll
C:\WINDOWS\system32\pwfnpetw.dll
C:\WINDOWS\system32\qoMcdCTn.dll
C:\WINDOWS\system32\nTCdcMoq.ini2
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\gside.exe
C:\Temp\oRUsa080.exe
Folders to delete:
C:\VundoFix Backups
C:\Temp\zvebs14
C:\Temp\1cb
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3930ccb2-59db-44cb-ae85-6eb5f3b3bd52}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{759C858E-85A7-416A-B9F1-68A6F750DF4E}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2 Up File Flag
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Build cdrom
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{9F-FD-D4-43-DW}
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 50b9fdec

Here is the log of the failed attempt:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 20:00:36 2008

20:00:36: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////
Link to comment
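An added example, not part of this thread and not The Avenger's own parser: a pre-flight checker for the script format used in the posts above, modelled only on the four directives and the "key | value" line form seen here. It reports the two mistakes that occurred in this thread, a script whose first non-blank line is not a directive and a registry-value line without its "| value" part, before anything is deleted; the sample scripts are constructed from the one posted above.

```python
"""Pre-flight check for an Avenger-style removal script.

Added example, not part of this thread and not The Avenger's own parser:
it models only the four directives and the "key | value" line form used
in the script above, so the two mistakes seen in this thread (a script
that does not open with a directive, and a registry-value line missing
its "| value" part) are caught before anything is executed.
"""

DIRECTIVES = (
    "Files to delete:",
    "Folders to delete:",
    "Registry keys to delete:",
    "Registry values to delete:",
)


def clean_lines(text):
    """Drop a UTF-8 BOM, surrounding whitespace and blank lines.  Editors and
    forum copy/paste add exactly the invisible junk that makes a script 'not
    begin with a command directive'."""
    return [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]


def check_script(text):
    """Return (ok, message, sections); sections maps directive -> items."""
    lines = clean_lines(text)
    if not lines:
        return False, "empty script", {}
    if lines[0] not in DIRECTIVES:
        # Same condition The Avenger reported in this thread.
        return False, f"line 1 is not a command directive: {lines[0]!r}", {}
    sections, current = {}, None
    for n, ln in enumerate(lines, 1):
        if ln in DIRECTIVES:
            current = ln
            sections.setdefault(current, [])
            continue
        if current == "Registry values to delete:":
            # Needs "key | valuename"; the first failed attempt above had
            # only the key.
            parts = [p.strip() for p in ln.split("|", 1)]
            if len(parts) != 2 or not all(parts):
                return False, f"line {n}: registry value needs 'key | name': {ln!r}", sections
        elif current == "Registry keys to delete:":
            if not ln.upper().startswith("HKEY_"):
                return False, f"line {n}: expected an HKEY_ path: {ln!r}", sections
        elif not (len(ln) > 3 and ln[1:3] == ":\\"):
            return False, f"line {n}: expected an absolute path: {ln!r}", sections
        sections[current].append(ln)
    return True, "ok", sections


# Constructed samples, trimmed from the script posted above.
GOOD = r"""Files to delete:
C:\WINDOWS\system32\pwfnpetw.dll
C:\Temp\oRUsa080.exe
Folders to delete:
C:\VundoFix Backups
Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 50b9fdec
"""
# Forum markup left in front of the first directive (constructed case).
BAD_START = "[b]\n" + GOOD
# The "| 50b9fdec" part dropped, as in the first failed attempt above.
MISSING_VALUE = GOOD.rsplit(" |", 1)[0] + "\n"

if __name__ == "__main__":
    for label, script in (("good", GOOD), ("bad start", BAD_START),
                          ("missing value", MISSING_VALUE)):
        ok, msg, _ = check_script(script)
        print(f"{label:14} {'PASS' if ok else 'FAIL'}: {msg}")
```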
Restarted the PC and tried again, this time successfully. Here is the log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\ahmmqqae.dll" deleted successfully.
File "C:\WINDOWS\system32\pwfnpetw.dll" deleted successfully.
File "C:\WINDOWS\system32\qoMcdCTn.dll" deleted successfully.
File "C:\WINDOWS\system32\nTCdcMoq.ini2" deleted successfully.
File "C:\WINDOWS\system32\winpfz33.sys" deleted successfully.
File "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" deleted successfully.
File "C:\WINDOWS\system32\gside.exe" deleted successfully.
File "C:\Temp\oRUsa080.exe" deleted successfully.
Folder "C:\VundoFix Backups" deleted successfully.
Folder "C:\Temp\zvebs14" deleted successfully.
Folder "C:\Temp\1cb" deleted successfully.
Link to comment
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:45:13 2008

19:45:13: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:46:49 2008

19:46:49: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:47:33 2008

19:47:33: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:48:19 2008

19:48:19: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:48:30 2008

19:48:30: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:49:18 2008

19:49:18: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:49:26 2008

19:49:26: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:53:15 2008

19:53:15: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:54:31 2008

19:54:31: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 19:56:09 2008

19:56:09: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 20:00:36 2008

20:00:36: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu May 01 20:06:18 2008

20:06:18: Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\ahmmqqae.dll" deleted successfully.
File "C:\WINDOWS\system32\pwfnpetw.dll" deleted successfully.
File "C:\WINDOWS\system32\qoMcdCTn.dll" deleted successfully.
File "C:\WINDOWS\system32\nTCdcMoq.ini2" deleted successfully.
File "C:\WINDOWS\system32\winpfz33.sys" deleted successfully.
File "C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe" deleted successfully.
File "C:\WINDOWS\system32\gside.exe" deleted successfully.
File "C:\Temp\oRUsa080.exe" deleted successfully.
Folder "C:\VundoFix Backups" deleted successfully.
Folder "C:\Temp\zvebs14" deleted successfully.
Folder "C:\Temp\1cb" deleted successfully.

This is the whole logfile as I see it.
Link to comment
