Just one last update:
HT log:
Logfile of HijackThis v1.97.7
Scan saved at 1:16:28, on 10-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\tkpwuwf.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\aXarion\Desktop\HijackThis.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [vfkmiho] C:\WINDOWS\System32\tkpwuwf.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Wintask] c:\WINDOWS\system32\msbltn.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38132.6199652778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Spybot found and removed the following:
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-842925246-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
--- Spybot - Search && Destroy version: 1.3 ---
2004-05-25 Includes\Cookies.sbi
2004-05-29 Includes\Dialer.sbi
2004-05-28 Includes\Hijackers.sbi
2004-05-28 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-28 Includes\Malware.sbi
2004-05-04 Includes\Revision.sbi
2004-04-12 Includes\Security.sbi
2004-05-28 Includes\Spybots.sbi
2004-05-24 Includes\Tracks.uti
2004-05-28 Includes\Trojans.sbi
Ad-Aware found and removed this:
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :donderdag 10 juni 2004 1:26:08
Created with Ad-aware Personal, free for private use.
Using reference-file :01R315 06.06.2004
______________________________________________________
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
10-6-2004 1:26:08 - Scan started. (Smart mode)
Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 9-6-2004 23:12:14
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 9-6-2004 23:12:19
BasePriority : High
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 9-6-2004 23:12:19
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 23-8-2001 12:00:00
Last accessed : 9-6-2004 23:16:01
Last modified : 23-8-2001 12:00:00
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 9-6-2004 23:12:19
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 23-8-2001 12:00:00
Last accessed : 9-6-2004 23:16:01
Last modified : 29-8-2002 10:41:26
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 9-6-2004 23:12:20
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 23-8-2001 12:00:00
Last accessed : 9-6-2004 23:19:14
Last modified : 23-8-2001 12:00:00
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 9-6-2004 23:12:20
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 23-8-2001 12:00:00
Last accessed : 9-6-2004 23:19:14
Last modified : 23-8-2001 12:00:00
#:7 [smc.exe]
FilePath : C:\Program Files\Sygate\SPF\
ThreadCreationTime : 9-6-2004 23:12:20
BasePriority : Normal
FileSize : 2289 KB
FileVersion : 5.5.00.2525
ProductVersion : 5.5.00.2525
Copyright : Copyright
CompanyName : Sygate Technologies, Inc.
FileDescription : Sygate Agent Firewall
InternalName : Smc
OriginalFilename : Smc.EXE
ProductName : Sygate
Created on : 24-12-2003 12:44:56
Last accessed : 9-6-2004 23:14:28
Last modified : 24-12-2003 12:44:56
#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 9-6-2004 23:12:25
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 23-8-2001 12:00:00
Last accessed : 9-6-2004 23:16:01
Last modified : 23-8-2001 12:00:00
#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 9-6-2004 23:12:41
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 26-5-2004 13:23:57
Last accessed : 9-6-2004 23:16:01
Last modified : 29-8-2002 10:41:24
#:10 [daemon.exe]
FilePath : C:\Program Files\D-Tools\
ThreadCreationTime : 9-6-2004 23:13:31
BasePriority : Normal
FileSize : 80 KB
FileVersion : 3.46.0.0
ProductVersion : 3.46.0.0
Copyright : Copyright (C) 2000-2004
CompanyName : DAEMON'S HOME
FileDescription : Virtual DAEMON Manager
InternalName : DAEMON.EXE
OriginalFilename : daemon.exe
ProductName : DAEMON Tools
Created on : 12-3-2004 20:43:18
Last accessed : 9-6-2004 23:15:01
Last modified : 12-3-2004 20:43:18
#:11 [dumeter.exe]
FilePath : C:\Program Files\DU Meter\
ThreadCreationTime : 9-6-2004 23:13:31
BasePriority : Normal
FileSize : 1267 KB
FileVersion : 3.05 Build 148
ProductVersion : 3.05 Build 148
Copyright : Copyright
CompanyName : Hagel Technologies
FileDescription : DU Meter
InternalName : DU Meter
OriginalFilename : DUMETER.EXE
ProductName : DU Meter
Created on : 22-6-2003 14:38:28
Last accessed : 9-6-2004 23:15:02
Last modified : 22-6-2003 14:38:28
#:12 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 9-6-2004 23:13:31
BasePriority : Normal
FileSize : 32 KB
Created on : 22-2-2068 21:44:46
Last accessed : 9-6-2004 23:15:03
Last modified : 22-2-2004 21:44:44
#:13 [tkpwuwf.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 9-6-2004 23:13:31
BasePriority : Normal
FileSize : 37 KB
Created on : 27-5-2004 19:50:45
Last accessed : 9-6-2004 23:12:14
Last modified : 21-5-2004 16:02:58
#:14 [devldr32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 9-6-2004 23:13:37
BasePriority : Normal
FileSize : 23 KB
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 17
Copyright : Copyright (C) Creative Technology Ltd. 1998-2001
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
OriginalFilename : DevLdr32.exe
ProductName : Creative Ring3 NT Inteface
Created on : 17-5-2004 18:34:48
Last accessed : 9-6-2004 23:15:28
Last modified : 17-8-2001 22:36:42
#:15 [spybotsd.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ThreadCreationTime : 9-6-2004 23:15:48
BasePriority : Normal
FileSize : 3855 KB
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
CompanyName : Safer Networking Limited
FileDescription : Spybot - Search & Destroy
InternalName : SpyBotSD
OriginalFilename : SpyBotSD.exe
ProductName : SpyBot-S&D
Created on : 11-5-2004 23:03:00
Last accessed : 9-6-2004 23:15:09
Last modified : 11-5-2004 23:03:00
#:16 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ThreadCreationTime : 9-6-2004 23:16:40
BasePriority : Normal
FileSize : 6592 KB
FileVersion : 0.8
ProductVersion : Personal
Copyright : Mozilla
CompanyName : Mozilla
FileDescription : Firefox
InternalName : Firefox
OriginalFilename : firefox.exe
ProductName : Firefox
Created on : 26-5-2004 14:33:44
Last accessed : 9-6-2004 23:17:49
Last modified : 7-2-2004 10:12:00
#:17 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 9-6-2004 23:26:00
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 26-5-2004 18:21:20
Last accessed : 9-6-2004 23:15:54
Last modified : 12-7-2003 19:00:20
Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Policies\System
Value : DisableTaskMgr
Data :
Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Policies\System
Value : DisableRegistryTools
Data :
Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2
Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 2
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Tracking Cookie Object recognized!
Type : File
Data : axarion@276[1].txt
Object : C:\Documents and Settings\aXarion\Cookies\
Created on : 9-6-2004 21:09:58
Last accessed : 9-6-2004 23:19:58
Last modified : 9-6-2004 21:09:58
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 3
1:28:01 Scan complete
Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:01:52:321
Objects scanned :39143
Objects identified :3
Objects ignored :0
New objects :3
Kaspersky Personal found this:
log coming soon, it's still running
Right now the cursor is blinking too fast, I can't run regedit, can't start Task Manager, and I get a message that the C drive is almost full (in reality: it isn't).
Maybe an idea: via Spybot I can also do msconfig-like things; I can disable the autostart of tkpwuwf and msbltn.exe (those 2). Should I?
I fell asleep during the full scan.
Anyway, Kaspersky removed a bunch of things, put 2 versions of msbltn.exe in quarantine, cleaned up some old viruses I had never noticed (in my email dbx, in my downloads folder, etc.) and then it was done. I can't post a log from Kaspersky Personal because I can't copy/paste it.
I then ran Ad-Aware once more, which found nothing. Then Spybot once more, which found an exploit and removed it; then I disabled the autostart of msbltn.exe and tkpwuwf.exe via Spybot, and one reboot later I'm clean.
I'm going to do another full scan just to be sure, but I think I've got rid of it.
[ Edited 4% by Verwijderd on 10-06-2004 10:05 ]
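A small triage script over the kind of HijackThis entries shown in the log earlier in this thread, written here as an added example (it is not from the thread, from HijackThis, or from any of the tools mentioned): it flags the unnamed BHO with no backing file, Run entries that launch oddly named executables from System32, and the policy that disables the Registry Editor. The sample lines are constructed to mirror the ones in the log, and the vowel-ratio test is a crude heuristic chosen for this example, not a rule any of those tools uses.

```python
import re

# Constructed sample lines, modelled on the HijackThis entries in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [vfkmiho] C:\WINDOWS\System32\tkpwuwf.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Wintask] c:\WINDOWS\system32\msbltn.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
""".strip()

# O4 lines: "O4 - <hive>: [<value name>] <optionally quoted path to .exe> <args>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)"?', re.I)
VOWELS = set("aeiouy")

def looks_random(stem):
    """Heuristic (an assumption of this example): an alphabetic stem of 5+
    letters with fewer than 20% vowels is treated as a random-looking name."""
    s = stem.lower()
    if len(s) < 5 or not s.isalpha():
        return False
    return sum(c in VOWELS for c in s) / len(s) < 0.2

def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("O2 - BHO:") and "(no name)" in line and "(no file)" in line:
            findings.append((line, "orphaned BHO: no name and no backing file"))
        elif line.startswith("O4"):
            m = O4_RE.match(line)
            if not m:
                continue
            path = m.group("path")
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            in_system32 = "\\system32\\" in path.lower()
            if in_system32 and looks_random(stem):
                findings.append((line, f"Run entry launches {stem}.exe from System32 with a random-looking name"))
        elif line.startswith("O7") and "DisableRegedit=1" in line:
            findings.append((line, "policy disables the Registry Editor for this user"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Entries that are flagged are only leads: confirm them against the file's publisher, version and creation date (as the Ad-Aware process listing above shows for each process) before removing anything.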