Trojan: Generic.TJN

• 

  Gerard

  06-11-2005 21:39

  Goeden avond loglezers,

  Tijdens de wekelijkse scan (na updaten) ontdenkte AVG een trojan horse Generic.TJN. Na een nieuwe scan is er niets meer gevonden. Vraag, is mijn log schoon?

  Logfile of HijackThis v1.99.1

  Scan saved at 21:34:29, on 6-11-2005

  Platform: Windows XP SP2 (WinNT 5.01.2600)

  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

  Running processes:

  C:\WINDOWS\System32\smss.exe

  C:\WINDOWS\system32\winlogon.exe

  C:\WINDOWS\system32\services.exe

  C:\WINDOWS\system32\lsass.exe

  C:\WINDOWS\system32\svchost.exe

  C:\WINDOWS\System32\svchost.exe

  C:\WINDOWS\system32\spoolsv.exe

  C:\WINDOWS\Explorer.EXE

  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

  C:\WINDOWS\system32\NVATray.exe

  C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

  C:\WINDOWS\system32\CTsvcCDA.EXE

  C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe

  C:\WINDOWS\system32\nvsvc32.exe

  C:\WINDOWS\system32\gsicon.exe

  C:\WINDOWS\System32\svchost.exe

  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

  C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

  C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

  C:\WINDOWS\system32\RUNDLL32.EXE

  C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

  C:\Program Files\Common Files\Real\Update_OB\realsched.exe

  C:\Program Files\SPAMfighter\SFAgent.exe

  C:\WINDOWS\system32\ctfmon.exe

  C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

  C:\PROGRA~1\INCRED~1\bin\IMApp.exe

  C:\Program Files\MSN\MSNCoreFiles\msn6.exe

  C:\Program Files\MSN Messenger\msnmsgr.exe

  C:\WINDOWS\system32\drwtsn32.exe

  C:\WINDOWS\system32\drwtsn32.exe

  C:\Program Files\Internet Explorer\iexplore.exe

  C:\Documents and Settings\chan\Local Settings\Temporary Internet Files\Content.IE5\4XUNOXMR\hijackthis.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/

  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hetnet.nl

  F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

  O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\SpywareGuard\dlprotect.dll

  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

  O4 - HKLM\..\Run: NVATray.exe

  O4 - HKLM\..\Run: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

  O4 - HKLM\..\Run: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

  O4 - HKLM\..\Run: nwiz.exe /install

  O4 - HKLM\..\Run: gsicon.exe

  O4 - HKLM\..\Run: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

  O4 - HKLM\..\Run: “C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe”

  O4 - HKLM\..\Run: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

  O4 - HKLM\..\Run: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

  O4 - HKLM\..\Run: C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

  O4 - HKLM\..\Run: “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot

  O4 - HKLM\..\Run: “C:\Program Files\SPAMfighter\SFAgent.exe” update delay 60

  O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe

  O4 - HKCU\..\Run: C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

  O4 - HKCU\..\Run: C:\Program Files\IncrediMail\bin\IncMail.exe /c

  O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

  O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

  O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm824YYNL

  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

  O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

  O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

  O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

  O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

  O14 - IERESET.INF: START_PAGE_URL=http://www.hetnet.nl

  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

  O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4393/mcfscan.cab

  O17 - HKLM\System\CCS\Services\Tcpip\..\{BB76C158-E70A-447F-B3A6-BE1B9974AF9D}: NameServer = 195.121.1.34 195.121.1.66

  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

  O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

  O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

  O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

  O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

  O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe

  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

  Met groet, Gerard

  Rapporteren
• 

  Avondsmurf

  06-11-2005 22:02

  Gerard,

  Je mag Hijackthis nog even starten en de volgende regel aanvinken en vervolgens op fix klikken:

  O8 - Extra context menu item: &Search - bar.mywebsearch.com/menusearch.html?p=ZNxdm824YYNL

  Daarna mag je nog even na een restart van je computer een nieuw logje plaatsen ter controle…..

  Smurfie ±0

  Rapporteren
• 

  Gerard

  06-11-2005 22:09

  heb je advies opgevolgd.

  Hierbij de nieuwe log.

  Logfile of HijackThis v1.99.1

  Scan saved at 22:07:36, on 6-11-2005

  Platform: Windows XP SP2 (WinNT 5.01.2600)

  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

  Running processes:

  C:\WINDOWS\System32\smss.exe

  C:\WINDOWS\system32\winlogon.exe

  C:\WINDOWS\system32\services.exe

  C:\WINDOWS\system32\lsass.exe

  C:\WINDOWS\system32\svchost.exe

  C:\WINDOWS\System32\svchost.exe

  C:\WINDOWS\system32\spoolsv.exe

  C:\WINDOWS\Explorer.EXE

  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

  C:\WINDOWS\system32\NVATray.exe

  C:\WINDOWS\system32\CTsvcCDA.EXE

  C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

  C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe

  C:\WINDOWS\system32\nvsvc32.exe

  C:\WINDOWS\System32\svchost.exe

  C:\WINDOWS\system32\gsicon.exe

  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

  C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

  C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

  C:\WINDOWS\system32\RUNDLL32.EXE

  C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

  C:\Program Files\Common Files\Real\Update_OB\realsched.exe

  C:\Program Files\SPAMfighter\SFAgent.exe

  C:\WINDOWS\system32\ctfmon.exe

  C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

  C:\PROGRA~1\INCRED~1\bin\IMApp.exe

  F:\hijackthis.exe

  C:\WINDOWS\system32\wuauclt.exe

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/

  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hetnet.nl

  F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

  O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\SpywareGuard\dlprotect.dll

  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

  O4 - HKLM\..\Run: NVATray.exe

  O4 - HKLM\..\Run: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

  O4 - HKLM\..\Run: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

  O4 - HKLM\..\Run: nwiz.exe /install

  O4 - HKLM\..\Run: gsicon.exe

  O4 - HKLM\..\Run: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

  O4 - HKLM\..\Run: “C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe”

  O4 - HKLM\..\Run: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

  O4 - HKLM\..\Run: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

  O4 - HKLM\..\Run: C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

  O4 - HKLM\..\Run: “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot

  O4 - HKLM\..\Run: “C:\Program Files\SPAMfighter\SFAgent.exe” update delay 60

  O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe

  O4 - HKCU\..\Run: C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

  O4 - HKCU\..\Run: C:\Program Files\IncrediMail\bin\IncMail.exe /c

  O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

  O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

  O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

  O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

  O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

  O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

  O14 - IERESET.INF: START_PAGE_URL=http://www.hetnet.nl

  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

  O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4393/mcfscan.cab

  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

  O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

  O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

  O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

  O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

  O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP Pro 3\Tools\NMSAccess.exe

  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

  gerard

  Rapporteren
• 

  Avondsmurf

  06-11-2005 22:11

  Gerard,

  Ik zie niets meer in je logje wat er niet hoort,,,…………. mogelijk ziet Pablo nog iets dus kijk hier straks nog even terug….. 2 zien meer dan 1……….. Smurfie

  Rapporteren
• 

  Gerard

  06-11-2005 22:12

  In ieder geval erg bedankt.

  Gerard

  Rapporteren
• 

  Avondsmurf

  06-11-2005 22:14

  Graag gedaan…………

  Rapporteren
• 

  pablo

  06-11-2005 22:55

  ik heb mijn lenzen opgepoetst,maar ik zie ook niets

  paul

  Rapporteren
• 

  Gerard

  06-11-2005 23:16

  gelukkig,

  mjn dank

  Gerard

  Rapporteren