logfile (Trojan TROJ_WANTVI.AH)

  • Jeroen

    Hello,

    Here is my logfile after following the step-by-step plan. During the Windows update I did get blue screens after restarting, so I had to get myself out of that with System Restore.

    At startup I still get one trojan warning, which I can delete every time.

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 11:39:43, on 17/08/2009

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\SYSTEM32\SERVICES.EXE

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\SYSTEM32\SVCHOST.EXE

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    C:\WINDOWS\SYSTEM32\SPOOLSV.EXE

    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\PCCTLCOM.EXE

    C:\WINDOWS\System32\PAStiSvc.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

    C:\PROGRA~1\TRENDM~1\INTERN~2\TMPROXY.EXE

    C:\PROGRA~1\TRENDM~1\INTERN~2\TMPFW.EXE

    C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe

    C:\WINDOWS\system32\hkcmd.exe

    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

    C:\PROGRAM FILES\DELL\MEDIA EXPERIENCE\PCMSERVICE.EXE

    C:\WINDOWS\system32\dla\tfswctrl.exe

    C:\Program Files\Microsoft IntelliType Pro\type32.exe

    C:\Program Files\Microsoft IntelliPoint\point32.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\1.2.908.4150\GOOGLETOOLBARNOTIFIER.EXE

    C:\WINDOWS\system32\ctfmon.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Common Files\Teleca Shared\Generic.exe

    C:\WINDOWS\SYSTEM32\SVCHOST.EXE

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/be/nlb/gen/default.htm

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    R3 - URLSearchHook: HyperSearchHook - {911AE8E5-29E6-4F38-9E67-94F8647BB925} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: C:\WINDOWS\system32\hkcmd.exe

    O4 - HKLM\..\Run: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Dell\Media Experience\PCMService.exe"

    O4 - HKLM\..\Run: C:\WINDOWS\system32\dla\tfswctrl.exe

    O4 - HKLM\..\Run: "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    O4 - HKLM\..\Run: C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H

    O4 - HKLM\..\Run: "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Microsoft IntelliPoint\point32.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

    O4 - HKLM\..\Run: C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

    O4 - HKLM\..\Run: C:\WINDOWS\system32\regedit.exe

    O4 - HKCU\..\Run: C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.4150\GoogleToolbarNotifier.exe

    O4 - HKCU\..\Run: "C:\PROGRAM FILES\ADOBE\ACROBAT 7.0\READER\AdobeUpdateManager.exe" AcRdB7_0_8

    O4 - HKCU\..\Run: "C:\Program Files\Ares\Ares.exe" -h

    O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S

    O4 - HKUS\S-1-5-18\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\Run: (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: hp psc 1000 series.lnk = ?

    O4 - Global Startup: hpoddt01.exe.lnk = ?

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab

    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-BE/a-UNO1/GAME_UNO1.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120211564562

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137018429671

    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    O16 - DPF: {B3E22EA2-A579-11D2-847A-00C04F7605B6} - file:///D:/0000C5DD/ma02p03a/common/en/online/code/odweb.cab

    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.com/de/download/NpFv415.dll

    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{32D33E30-776F-4100-A547-B6D0DFCFE16A}: NameServer = 195.238.2.21

    O17 - HKLM\System\CCS\Services\Tcpip\..\{37ADF54A-09A3-469C-8E80-BAFDF2822B59}: NameServer = 195.238.2.21

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C9EF2A5-C08B-45FD-936F-4E8E8BC4A374}: NameServer = 195.238.2.21

    O17 - HKLM\System\CCS\Services\Tcpip\..\{9B26A20F-53EC-42ED-A54A-7A7A013BF8F8}: NameServer = 195.238.2.21

    O20 - AppInit_DLLs: cru629.dat

    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

    End of file - 10240 bytes

    Can anyone help me?

    Thanks in advance!!

    Jeroen

  • Jeroen

    Hello,

    Normally I have done everything that is listed there?

    Kind regards,

    Jeroen

  • Luca

    Looking very quickly over your log, I'm missing the latest updates for Windows XP (SP3), and according to the step-by-step plan you are also supposed to post the Mbam log after you have run a scan with it.

  • Jeroen

    Hello,

    Thanks for the info, but if I risk installing the Windows update, I get a blue screen and have to go back to the last configuration that worked.

    Again, thanks in advance for the help!

    Kind regards,

    Jeroen

  • Luca

    In that case leave the updates for now, but please do post the Mbam log in any case.

  • Huib

    Hi Jeroen,

    Please do carry out all the remaining steps as Teaser already wrote to you, because I'm missing a thing or two :(

    Are you and your provider in Belgium? :S See:

    Belgacom SA de droit public

    ANS/ROC/RNO/IEC - Batiment TGX

    Greetings and good luck with the steps,

    Huib :)

  • Jeroen

    Malwarebytes' Anti-Malware 1.40

    Database versie: 2636

    Windows 5.1.2600 Service Pack 2

    17/08/2009 22:34:31

    mbam-log-2009-08-17 (22-34-31).txt

    Scan type: Snelle Scan

    Objecten gescand: 100723

    Verstreken tijd: 8 minute(s), 9 second(s)

    Geheugenprocessen geïnfecteerd: 0

    Geheugenmodulen geïnfecteerd: 0

    Registersleutels geïnfecteerd: 0

    Registerwaarden geïnfecteerd: 1

    Registerdata bestanden geïnfecteerd: 0

    Mappen geïnfecteerd: 0

    Bestanden geïnfecteerd: 1

    Geheugenprocessen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Geheugenmodulen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Registerwaarden geïnfecteerd:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

    Registerdata bestanden geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Mappen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Bestanden geïnfecteerd:

    C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

  • Jeroen

    I am indeed from Belgium (is this a problem? if so: sorry)

  • Huib

    Haha, no Jeroen ;)

    I saw an IP in your log, and in that place wrong IP addresses can also appear ;)

    Greetings, Huib :)
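Huib's point above is that the O17 lines (the NameServer value under each TCP/IP interface key) are where a changed DNS resolver would show up, so the address there is worth checking against the ISP's published resolvers. As an added example, not part of this thread and not a HijackThis feature, the Python script below parses HijackThis-style lines, lists every O17 resolver, flags any that fall outside a trusted-resolver list, and also pulls out the O20 AppInit_DLLs value so it can be identified. The trusted list (195.238.2.0/24, the network containing the resolver in Jeroen's log) and the second O17 line with RFC 5737 documentation addresses are constructed assumptions for the example; in practice the trusted list comes from the ISP or the DHCP lease, never from the log being checked.

```python
import ipaddress
import re

# Constructed sample in HijackThis format, modelled on the log above. The
# second O17 line uses RFC 5737 documentation addresses as a deliberately
# "unexpected" resolver; it is not from the original log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: C:\WINDOWS\system32\hkcmd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{32D33E30-776F-4100-A547-B6D0DFCFE16A}: NameServer = 195.238.2.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{37ADF54A-09A3-469C-8E80-BAFDF2822B59}: NameServer = 203.0.113.53,203.0.113.54
O20 - AppInit_DLLs: cru629.dat
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""

# Resolver networks this machine is expected to use. ASSUMPTION for the
# example: 195.238.2.0/24 covers the resolver seen in the log above. In
# practice take this from the ISP's published DNS servers or the DHCP lease.
TRUSTED_RESOLVERS = [ipaddress.ip_network("195.238.2.0/24")]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


def parse_nameservers(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 NameServer
    line. HijackThis separates multiple servers with commas."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("key"), servers))
    return entries


def flag_unexpected_resolvers(log_text, trusted=TRUSTED_RESOLVERS):
    """Return resolver strings that lie outside the trusted networks, in log
    order and without duplicates. A value that does not parse as an IP
    address is flagged as well, since a genuine NameServer value is always
    an address."""
    flagged = []
    for _key, servers in parse_nameservers(log_text):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
                ok = any(addr in net for net in trusted)
            except ValueError:
                ok = False
            if not ok and server not in flagged:
                flagged.append(server)
    return flagged


def appinit_dlls(log_text):
    """Return every AppInit_DLLs value (O20 lines). Windows loads these DLLs
    into every process that links user32.dll, so any non-empty value should
    be identified before it is trusted."""
    dlls = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            dlls.extend(d for d in re.split(r"[,\s]+", m.group("dlls")) if d)
    return dlls


if __name__ == "__main__":
    for key, servers in parse_nameservers(SAMPLE_LOG):
        print(f"{key}: {', '.join(servers)}")
    print("Resolvers to verify with the ISP:", flag_unexpected_resolvers(SAMPLE_LOG))
    print("AppInit_DLLs entries to identify:", appinit_dlls(SAMPLE_LOG))
```

Run it against a saved HijackThis log by reading the file into `flag_unexpected_resolvers` instead of `SAMPLE_LOG`; an empty result for the resolvers means every O17 entry sits inside the networks you listed as trusted, which is only as good as that list.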