nog steeds een probleem, windows security center

[ Voor 16% gewijzigd door Naboo op 02-10-2005 12:52 ]

Nvidiot schreef op zondag 02 oktober 2005 @ 12:54:
Begin eens met het draaien van:
Adaware: http://www.lavasoftusa.com/ -
Spybot: http://www.safer-networking.org/ -
spywareblaster: http://www.wilderssecurity.net/spywareblaster.html -
Microsoft AntiSpyware http://www.microsoft.com/...are/software/default.mspx

En een goede virusscanner

Freaky Gabbur schreef op zondag 02 oktober 2005 @ 12:54:
Nou volgens mij is dat geen melding van je windows security center, maar een nepmeldingen van op je pc geinstalleerde spyware.

Verwijderd schreef op zondag 02 oktober 2005 @ 13:10:
[...]

Er zijn tíg varianten met dezelfde kenmerken.
De schaal van dit gebeuren is immens.

TS: Scan die files eens en kijk welke AV ze allemaal detecteert.
Installeer die AV dan op je sys.

Ik hou me aanbevolen voor samples: virus@kaspersky.nl

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 02, 2005 13:51:15
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/10/2005
Kaspersky Anti-Virus database records: 142842
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 37386
Number of viruses found: 4
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 2051 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Administrator.GOD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-3af2fcd6.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.t
C:\Documents and Settings\Administrator.GOD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-3af2fcd6.zip Infected: Trojan-Downloader.Java.OpenStream.t
C:\Documents and Settings\Administrator.GOD\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\count[1].htm Infected: Trojan-Downloader.JS.Inor.a
C:\Documents and Settings\All Users.WINNT\Application Data\SecTaskMan\nwqtkx.exe.q_8898E01_q Infected: Trojan-Downloader.Win32.Vivia.s
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:08 to info@xxxxxxx.nl:Radio Recorder/WM VCR.zip/WM VCR/file5.zip/crack.exe Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:08 to info@xxxxxxx.nl:Radio Recorder/WM VCR.zip/WM VCR/file5.zip Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:08 to info@xxxxxxx.nl:Radio Recorder/WM VCR.zip Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:38 to webmaster@xxxxxxx.nl:RE: test/WM VCR.zip/WM VCR/file5.zip/crack.exe Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:38 to webmaster@xxxxxxx.nl:RE: test/WM VCR.zip/WM VCR/file5.zip Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:38 to webmaster@xxxxxxx.nl:RE: test/WM VCR.zip Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst Infected: Trojan-Downloader.Win32.IstBar.er

Scan process completed.

Verwijderd schreef op zondag 02 oktober 2005 @ 13:07:
Heb je Hijack this ook al geprobeerd?

Logfile of HijackThis v1.99.1
Scan saved at 14:00:23, on 02/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\PROGRA~1\COUNTD~2\cntdown.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator.GOD\My Documents\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {CBF26770-981A-7ABD-54D8-F0C365EED3EE} - StartCpl.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Hacker Eliminator] C:\Program Files\Hacker Eliminator\HackerEliminator.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [Countdown!] "C:\PROGRA~1\COUNTD~2\cntdown.exe" /autorun
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/...ws/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec....ontent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.c...eb_site.cab?1122933810046
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec....tent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/do...ls/suite/autocomplete.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game18.zylomgames.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F8FA655-D385-4717-8290-B7318F7BC249}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2BC8DFF-B8A0-42E3-B167-155B602FE86C}: NameServer = 195.95.218.1,85.255.112.7
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

[ Voor 73% gewijzigd door Naboo op 02-10-2005 13:58 ]

Verwijderd schreef op zondag 02 oktober 2005 @ 14:00:
[...]

Hoe?
Niets in die write-up van Sophos geeft duidelijke aanwijzingen hoe je 100% zeker kan weten dat het om die sample gaat.
Zie ook de update history.

[...]

Was die scan met of zonder extended bases?

code:

1	C:\Documents and Settings\All Users.WINNT\Application Data\SecTaskMan\nwqtkx.exe.q_8898E01_q Infected: Trojan-Downloader.Win32.Vivia.s

Deze zou best related kunnen zijn.

Zoals ik al zei kun je samples submitten, kan dan ook kijken naar removal.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 02, 2005 15:05:21
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/10/2005
Kaspersky Anti-Virus database records: 152037
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 37330
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 2057 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Administrator.GOD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-3af2fcd6.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.t
C:\Documents and Settings\Administrator.GOD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-3af2fcd6.zip Infected: Trojan-Downloader.Java.OpenStream.t
C:\Documents and Settings\Administrator.GOD\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\count[1].htm Infected: Trojan-Downloader.JS.Inor.a
C:\Documents and Settings\All Users.WINNT\Application Data\SecTaskMan\nwqtkx.exe.q_8898E01_q Infected: Trojan-Downloader.Win32.Vivia.s
C:\Documents and Settings\All Users.WINNT\Application Data\Zylom\ZylomGamesPlayer\zylomgamesplayer.dll Infected: not-a-virus:AdWare.Win32.HotBar.bc
C:\Old Files\MP3\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Old Files\MP3\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:08 to info@xxxxxxx.nl:Radio Recorder/WM VCR.zip/WM VCR/file5.zip/crack.exe Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:08 to info@xxxxxxx.nl:Radio Recorder/WM VCR.zip/WM VCR/file5.zip Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:08 to info@xxxxxxx.nl:Radio Recorder/WM VCR.zip Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:38 to webmaster@xxxxxxx.nl:RE: test/WM VCR.zip/WM VCR/file5.zip/crack.exe Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:38 to webmaster@xxxxxxx.nl:RE: test/WM VCR.zip/WM VCR/file5.zip Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst/Persoonlijke mappen/Verzonden items/02 Sep 2004 17:38 to webmaster@xxxxxxx.nl:RE: test/WM VCR.zip Infected: Trojan-Downloader.Win32.IstBar.er
C:\Old Files\outlook.pst Infected: Trojan-Downloader.Win32.IstBar.er
C:\WINNT\Downloaded Program Files\zylomgamesplayer.dll Infected: not-a-virus:AdWare.Win32.HotBar.bc

Scan process completed.

[ Voor 69% gewijzigd door Naboo op 02-10-2005 15:04 ]

jotheman schreef op zaterdag 26 november 2005 @ 18:43:
Kom net van iemand af die deze ook had. Met hitman pro kreeg ik 'm er volledig vanaf. Succes d'rmee nog

Maxxi schreef op zaterdag 26 november 2005 @ 18:46:
Check dit stukje software:
http://delamitri.sohosted...OS%20Tools/UnLockFile.exe

hiermee kan je files unlocken als ze ingebruik zijn. Werkt erg goed.
Unlock file eerst, en delete um gewoon met Windows.

[ Voor 5% gewijzigd door Naboo op 26-11-2005 19:04 ]

r0b schreef op zaterdag 26 november 2005 @ 19:05:
[...]

Er is ook nog een 'Hide system files' optie, staat deze ook uit?

Sassie schreef op zaterdag 26 november 2005 @ 21:05:
[...]

Heb je hitmanpro al eens in de veilige modus geprobeerd?
En gooi dan ook eens je tempfiles ed leeg, met CCleaner.