[virus] veel traffic en veel connecties op netbios poorten*

Ik draai sindskort WindowsXP, en al tijdens het installeren had ik last van die LSASS.exe. Ik had het probleem al een keer bj iemand anders opgelost, dus dat ging goed. Alleen nu(ander probleem dus) zit mijn modem als een gek informatie te versturen, maar ik heb geen idee waar heen. Hier onder staat mijn netstat:

Vooral die bovenste entry lijkt me dubieus. Bovendien vind ik het raar dat ik tig verbindingen naar microsoft heb.

Wat ik gedaan heb: Hijack, Ad-Aware, SpyBot, AVG Free Edition, Symantec Online scannen. Dat was het wel zo'n beetje denk ik.

Omdat ik weinig ervaring heb met WindowsXP, weet ik dus ook niet welke programma's horen te draaien en wat de viri zijn.

C:\DOCUME~1\USER>netstat

Actieve verbindingen

Proto Lokaal adres Extern adres Status
TCP none-gi0b7p24rt:3008 128.61.96.69:8040 ESTABLISHED
TCP none-gi0b7p24rt:3213 66.102.11.104:http TIME_WAIT
TCP none-gi0b7p24rt:3214 81.23.243.7:http TIME_WAIT
TCP none-gi0b7p24rt:3221 81.23.243.7:http TIME_WAIT
TCP none-gi0b7p24rt:3791 gathering.tweakers.net:http TIME_WAIT
TCP none-gi0b7p24rt:3796 207.250.14.14:http ESTABLISHED
TCP none-gi0b7p24rt:3854 qn-82-217-183-147.quicknet.nl:microsoft-ds TIM
_WAIT
TCP none-gi0b7p24rt:3912 qn-82-217-183-147.quicknet.nl:microsoft-ds EST
BLISHED
TCP none-gi0b7p24rt:3920 host192-127.pool8249.interbusiness.it:microsoft
ds TIME_WAIT
TCP none-gi0b7p24rt:3939 clustere.icq.com:http CLOSE_WAIT
TCP none-gi0b7p24rt:3965 lns-p19-10-82-65-182-1.adsl.proxad.net:microsof
-ds TIME_WAIT
TCP none-gi0b7p24rt:3977 host192-127.pool8249.interbusiness.it:microsoft
ds ESTABLISHED
TCP none-gi0b7p24rt:4008 lns-p19-10-82-65-182-1.adsl.proxad.net:microsof
-ds ESTABLISHED
TCP none-gi0b7p24rt:4043 gathering.tweakers.net:http TIME_WAIT
TCP none-gi0b7p24rt:4050 status-m.icq.com:http ESTABLISHED
TCP none-gi0b7p24rt:4126 adserver.webads.nl:http LAST_ACK
TCP none-gi0b7p24rt:4142 82.192.40.234:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4143 82.226.2.223:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4144 82.241.243.52:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4145 82.4.84.149:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4146 82.146.231.132:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4147 82.35.55.83:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4148 82.20.196.51:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4149 82.229.69.132:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4150 82.211.95.141:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4151 82.135.94.124:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4152 82.25.254.150:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4153 82.137.153.241:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4154 82.241.177.63:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4155 82.193.234.30:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4156 82.255.198.186:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4157 82.169.125.56:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4158 82.27.65.5:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4159 82.164.122.55:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4160 82.128.22.203:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4161 82.146.175.190:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4162 82.75.151.58:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4163 82.58.85.145:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4164 82.53.15.244:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4165 qn-82-217-183-147.quicknet.nl:5000 FIN_WAIT_1
TCP none-gi0b7p24rt:4166 82.117.171.130:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4167 82.214.188.55:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4168 82.38.214.86:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4169 82.215.12.130:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4170 82.59.129.219:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4171 82.217.32.160:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4172 82.93.75.36:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4173 82.223.109.5:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4174 82.110.170.180:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4175 82.216.197.205:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4176 82.92.129.2:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4177 82.55.175.161:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4178 82.95.65.77:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4179 82.194.55.19:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4180 82.150.66.101:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4181 82.92.176.118:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4182 82.57.125.60:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4183 82.7.82.47:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4184 82.123.242.189:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4185 82.161.42.44:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4186 82.81.70.218:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4187 82.13.95.207:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4188 82.192.19.169:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4189 82.188.137.108:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4190 82.131.63.199:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4191 82.26.239.178:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4192 82.220.177.150:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4193 82.147.103.38:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4194 82.175.39.42:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4195 82.11.168.81:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4196 82.84.10.106:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4197 82.70.208.111:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4198 82.121.172.180:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4199 82.231.42.31:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4200 82.181.128.71:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4201 82.124.139.86:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4202 82.60.155.248:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4203 82.229.30.78:microsoft-ds SYN_SENT
TCP none-gi0b7p24rt:4627 gathering.tweakers.net:http TIME_WAIT
TCP none-gi0b7p24rt:4761 localhost:4762 ESTABLISHED
TCP none-gi0b7p24rt:4762 localhost:4761 ESTABLISHED

Windows XP is up to date. De standaardfirewall van WindowsXP heb ik aangezet. Het is een computer die meteen in het ethernetmodem is geplugd.

Ik heb ook zo'n ([rml][ Virusmail] Waarschuwing gehad van XS4ALL[/rml] ) emailtje gehad alleen dan van een andere ISP.

Logfile of HijackThis v1.97.7
Scan saved at 16:18:42, on 1-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
D:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
D:\Program Files\Winamp\winampa.exe
D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wumgrd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\GetRight\getright.exe
D:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\GetRight\getright.exe
d:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
d:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Documents and Settings\Ron\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Update] wumgrd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [HP Lamp] d:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG_CC] d:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Update] wumgrd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] wumgrd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: PageKeeper Taken.lnk = D:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec....ontent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec....tent/common/bin/cabsa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.m...uctl.CAB?38121.6091435185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedi...ve/cabs/flash/swflash.cab

cutter schreef op 01 juni 2004 @ 16:59:
O4 - HKCU\..\Run: [Microsoft Update] wumgrd.exe

==

http://www.sophos.com/virusinfo/analyses/w32sdbotky.html

Die is nu weg. Hopen dat hij zo meteen ophoudt ermee.