My PC has been very slow lately, and it turned out that this was caused by trojans and the like.
All steps have been carried out, and here are the logs:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 0:26:28, on 30-4-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2102399
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: PHPNukeDU Toolbar - {46735dee-f862-49d1-876d-6382794dc625} - C:\Program Files\PHPNukeDU\tbPHPN.dll
O1 - Hosts: 91.121.82.175 google.co.uk
O1 - Hosts: 91.121.82.175 www.google.co.uk
O1 - Hosts: 91.121.82.175 google.com
O1 - Hosts: 91.121.82.175 www.google.com
O1 - Hosts: 91.121.82.175 google.fr
O1 - Hosts: 91.121.82.175 www.google.fr
O1 - Hosts: 91.121.82.175 google.de
O1 - Hosts: 91.121.82.175 www.google.de
O1 - Hosts: 91.121.82.175 google.nl
O1 - Hosts: 91.121.82.175 www.google.nl
O1 - Hosts: 91.121.82.175 google.ca
O1 - Hosts: 91.121.82.175 www.google.ca
O1 - Hosts: 91.121.82.175 google.com.au
O1 - Hosts: 91.121.82.175 www.google.com.au
O1 - Hosts: 91.121.82.175 google.it
O1 - Hosts: 91.121.82.175 www.google.it
O1 - Hosts: 91.121.82.175 google.be
O1 - Hosts: 91.121.82.175 www.google.be
O1 - Hosts: 91.121.82.175 google.co.uk
O1 - Hosts: 91.121.82.175 www.google.co.uk
O1 - Hosts: 91.121.82.175 google.com
O1 - Hosts: 91.121.82.175 www.google.com
O1 - Hosts: 91.121.82.175 google.fr
O1 - Hosts: 91.121.82.175 www.google.fr
O1 - Hosts: 91.121.82.175 google.de
O1 - Hosts: 91.121.82.175 www.google.de
O1 - Hosts: 91.121.82.175 google.nl
O1 - Hosts: 91.121.82.175 www.google.nl
O1 - Hosts: 91.121.82.175 google.ca
O1 - Hosts: 91.121.82.175 www.google.ca
O1 - Hosts: 91.121.82.175 google.com.au
O1 - Hosts: 91.121.82.175 www.google.com.au
O1 - Hosts: 91.121.82.175 google.it
O1 - Hosts: 91.121.82.175 www.google.it
O1 - Hosts: 91.121.82.175 google.be
O1 - Hosts: 91.121.82.175 www.google.be
O1 - Hosts: 91.121.82.175 google.co.uk
O1 - Hosts: 91.121.82.175 www.google.co.uk
O1 - Hosts: 91.121.82.175 google.co.uk
O1 - Hosts: 91.121.82.175 google.com
O1 - Hosts: 91.121.82.175 www.google.co.uk
O1 - Hosts: 91.121.82.175 www.google.com
O1 - Hosts: 91.121.82.175 google.com
O1 - Hosts: 91.121.82.175 google.fr
O1 - Hosts: 91.121.82.175 www.google.fr
O1 - Hosts: 91.121.82.175 www.google.com
O1 - Hosts: 91.121.82.175 google.de
O1 - Hosts: 91.121.82.175 google.fr
O1 - Hosts: 91.121.82.175 www.google.de
O1 - Hosts: 91.121.82.175 www.google.fr
O1 - Hosts: 91.121.82.175 google.nl
O1 - Hosts: 91.121.82.175 google.de
O1 - Hosts: 91.121.82.175 www.google.nl
O1 - Hosts: 91.121.82.175 google.ca
O1 - Hosts: 91.121.82.175 www.google.de
O1 - Hosts: 91.121.82.175 www.google.ca
O1 - Hosts: 91.121.82.175 google.nl
O1 - Hosts: 91.121.82.175 google.com.au
O1 - Hosts: 91.121.82.175 www.google.nl
O1 - Hosts: 91.121.82.175 google.ca
O1 - Hosts: 91.121.82.175 www.google.com.au
O1 - Hosts: 91.121.82.175 www.google.ca
O1 - Hosts: 91.121.82.175 google.it
O1 - Hosts: 91.121.82.175 google.com.au
O1 - Hosts: 91.121.82.175 www.google.it
O1 - Hosts: 91.121.82.175 www.google.com.au
O1 - Hosts: 91.121.82.175 google.be
O1 - Hosts: 91.121.82.175 www.google.be
O1 - Hosts: 91.121.82.175 google.it
O1 - Hosts: 91.121.82.175 www.google.it
O1 - Hosts: 91.121.82.175 google.be
O1 - Hosts: 91.121.82.175 www.google.be
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PHPNukeDU Toolbar - {46735dee-f862-49d1-876d-6382794dc625} - C:\Program Files\PHPNukeDU\tbPHPN.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Aanmeldhulp voor Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PHPNukeDU Toolbar - {46735dee-f862-49d1-876d-6382794dc625} - C:\Program Files\PHPNukeDU\tbPHPN.dll
O4 - HKLM\..\Run: "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: KHALMNPR.EXE
O4 - HKLM\..\Run: "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\RunOnce: rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-20\..\RunOnce: rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
--
End of file - 12412 bytes
Malwarebytes log before reboot
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Databaseversie: 4052
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
29-4-2010 23:25:08
mbam-log-2010-04-29 (23-25-08).txt
Scantype: Snelle scan
Objecten gescand: 118344
Verstreken tijd: 3 minuut/minuten, 1 seconde(n)
Geheugenprocessen geïnfecteerd: 2
Geheugenmodulen geïnfecteerd: 1
Registersleutels geïnfecteerd: 4
Registerwaarden geïnfecteerd: 0
Registerdata geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 18
Geheugenprocessen geïnfecteerd:
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\slyfinal.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP001.TMP\slyfinal.exe (Trojan.Agent) -> Unloaded process successfully.
Geheugenmodulen geïnfecteerd:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registerwaarden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Registerdata geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Mappen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Bestanden geïnfecteerd:
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\slyfinal.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP001.TMP\slyfinal.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Tl3.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\EC3D.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\EC44.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP003.TMP\slyfinal.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\5.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP001.TMP\5.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP002.TMP\slyfinal.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\826.tmp (Rootkit.Dropper) -> Delete on reboot.
C:\WINDOWS\Temp\818.tmp (Rootkit.Dropper) -> Delete on reboot.
C:\WINDOWS\Temp\EC4A.tmp (Rootkit.Dropper) -> Delete on reboot.
C:\WINDOWS\Temp\EC4F.tmp (Rootkit.Dropper) -> Delete on reboot.
C:\WINDOWS\Tdyxaa.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
Malwarebytes log after reboot
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Databaseversie: 4052
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
30-4-2010 0:31:00
mbam-log-2010-04-30 (00-31-00).txt
Scantype: Snelle scan
Objecten gescand: 118180
Verstreken tijd: 2 minuut/minuten, 44 seconde(n)
Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0
Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Registersleutels geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Registerwaarden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Registerdata geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Mappen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)
Bestanden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)