tofelo

Ok! Bedankt!

Als ik sptd.sys probeer te uploaden naar Jotti, krijg ik de volgende feedback: 'Bestand is leeg (0 bytes)!' Als ik met windows explorer de eigenschapen van sptd.sys bekijk, zie ik dat het wel degelijk 704 Kb is. Het vreemde is dat er ook een bestand sptd.svs met dezelfde grootte naast staat. Die kan ik wel uploaden naar Jotti, is niet besmet. Groeten, Tofelo

Ok, ik heb nu gescand met Hitman pro en AVG. Die vinden allebei niets meer! Moet ik nog verdere stappen ondernemen tegen suspicious sptd.sys? In ieder geval heel erg bedankt voor alle tips tot nu toe! Groet, Tofelo

Rootkit lijkt verwijderd door TDSSkiller TDSSkiller blijft een suspicious object vinden: sptd.sys Ga zodirect scannen met Hitman pro en daarna AVG, kijken of die nog wat vinden. In attachment: eerste log TDSSkiller (report1.txt), log Combofix, tweede log TDSSkiller (report2.txt) report2.txt report.txt ComboFix2.txt

Heb inmiddels TDSSKiller.exe -l report.txt uitgevoerd. Vond een rootkit TDSS.tdl4 Nu Combofix draaien, post de logs zodra ik ze heb.

Beste kape, TDSSkiller.exe geeft een error: 'Valid command line parameters', met daaronder een lijst met toegestane parameters -l staat er wel bij -v staat niet bij de lijst met valid command line parameters Dan maar uitvoeren zonder -v? Ter info: Combofix werkt niet als AVG geïnstalleerd is, dus die moet ik steeds verwijderen voordat Combofix werkt. Groet, Tofelo

Hallo kape, AVG vind nog steeds Agent_r.XJ in svchost.exe en explorer.exe Kan ze niet verwijderen, 'object is niet toegankelijk'. Heb je nog meer tips? Bedankt alvast, Tofelo

Beste kape, Dank voor de snelle reactie! Heb Hijackthis en ComboFix uitgevoerd. Voor logs zie hieronder. Groet, Tofelo === ComboFix 11-01-22.01 - Tofelo 22-01-2011 22:44:53.1.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.3070.2703 [GMT 1:00] Gestart vanuit: c:\documents and settings\Tofelo\Bureaublad\ComboFix.exe AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B} . (((((((((((((((((((((((((((((((((( Andere Verwijderingen ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Tofelo\Application Data\install_pal c:\documents and settings\Tofelo\Application Data\uid_pal Besmet exemplaar van c:\windows\system32\Drivers\sptd.sys werd aangetroffen en gedesinfecteerd Hersteld exemplaar van - Kitty ate it Besmet exemplaar van c:\windows\system32\Drivers\sptd.sys werd aangetroffen en gedesinfecteerd Hersteld exemplaar van - Kitty ate it . (((((((((((((((((((( Bestanden Gemaakt van 2010-12-22 to 2011-01-22 )))))))))))))))))))))))))))))) . 2011-01-22 21:36 . 2011-01-22 21:37 -------- d-----w- C:\32788R22FWJFW 2011-01-22 20:31 . 2011-01-22 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2011-01-22 14:58 . 2011-01-22 14:58 -------- d-----w- c:\documents and settings\Tofelo\Application Data\Malwarebytes 2011-01-22 14:57 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-01-22 14:57 . 2011-01-22 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-01-22 14:57 . 2011-01-22 14:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-01-22 14:57 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-01-02 14:35 . 2011-01-02 14:35 -------- d-----w- c:\program files\bol.com . ((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-18 18:15 . 2009-05-10 18:14 86016 ----a-w- c:\windows\system32\isign32.dll 2010-11-09 14:52 . 2003-04-08 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll 2010-11-06 00:23 . 2003-04-08 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-11-06 00:23 . 2003-04-08 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-11-06 00:23 . 2003-04-08 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2010-11-03 12:27 . 2004-08-04 07:55 385024 ----a-w- c:\windows\system32\html.iec 2010-11-02 15:17 . 2003-04-08 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys 2010-10-28 13:09 . 2003-04-08 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-10-26 14:00 . 2003-04-08 12:00 1853440 ----a-w- c:\windows\system32\win32k.sys . ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten ))))))))))))))))))))))))))))))))))))))))))))))))))) . . *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-14 39408] "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056] "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-21 1797880] "RTHDCPL"="RTHDCPL.EXE" [2005-11-17 15600128] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Tofelo\Menu Start\Programma's\Opstarten\ SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks\swScheduler\swBOEngine.exe [2007-9-9 488728] c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-7-7 65588] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\guard32.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22-8-2009 11:28 721904] R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [21-5-2009 14:16 101776] R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [21-5-2009 14:16 31504] R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [23-9-2009 6:44 2789672] R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24-6-2010 15:41 92008] S2 gupdate1c9ece78225a338;Google Updateservice (gupdate1c9ece78225a338);c:\program files\Google\Update\GoogleUpdate.exe [14-6-2009 12:58 133104] S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [23-9-2009 6:45 15656] . Inhoud van de 'Gedeelde Taken' map 2011-01-22 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-14 11:57] 2011-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 11:58] 2011-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 11:58] . . ------- Bijkomende Scan ------- . uStart Page = hxxp://www.google.nl/ uInternet Settings,ProxyOverride = *.local Trusted Zone: ing.nl DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab FF - ProfilePath - c:\documents and settings\Tofelo\Application Data\Mozilla\Firefox\Profiles\6f16sc0q.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com . - - - - ORPHANS VERWIJDERD - - - - AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe AddRemove-QcDrv - c:\program files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover Rootkit scan 2011-01-22 23:03 Windows 5.1.2600 Service Pack 3 NTFS scannen van verborgen processen ... scannen van verborgen autostart items ... scannen van verborgen bestanden ... Scan succesvol afgerond verborgen bestanden: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover Windows 5.1.2600 Disk: SAMSUNG_HM121HI rev.LZ100-08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3 device: opened successfully user: MBR read successfully Disk trace: called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ABA6555]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8abac7b0]; MOV EAX, [0x8abac82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; } 1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC4DAB8] 3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007d[0x8AC649E8] 5 ACPI[0xB9E65620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8ABC7940] \Driver\atapi[0x8AC62908] -> IRP_MJ_CREATE -> 0x8ABA6555 kernel: MBR read successfully _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; } detected disk devices: \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HM121HI_________________________LZ100-08#31534a31444a5030333939363132202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found detected hooks: \Driver\atapi DriverStartIo -> 0x8ABA639B user & kernel MBR OK Warning: possible TDL3 rootkit infection ! ************************************************************************** . --------------------- DLLs Geladen Onder Lopende Processen --------------------- - - - - - - - > 'winlogon.exe'(744) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(3944) c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Andere Aktieve Processen ------------------------ . c:\windows\System32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\wscntfy.exe c:\windows\system32\WTablet\Wacom_TabletUser.exe c:\windows\RTHDCPL.EXE c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Voltooingstijd: 2011-01-22 23:20:24 - machine werd herstart ComboFix-quarantined-files.txt 2011-01-22 22:20 Pre-Run: 60.906.270.720 bytes beschikbaar Post-Run: 62.100.520.960 bytes beschikbaar - - End Of File - - DD855072C78867D38510A88641032778 === Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 23:58:28, on 22-1-2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242909971215 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe O23 - Service: Google Updateservice (gupdate1c9ece78225a338) (gupdate1c9ece78225a338) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- End of file - 7529 bytes

Beste mensen van PC-help forum, AVG detecteert op mijn PC het trojaanse paard Agent_r.XJ in de twee volgende bestanden: svchost.exe en explorer.exe Het lukt AVG niet om ze op te schonen of te verwijderen (melding 'bestanden niet toegankelijk') Ik heb Malwarebytes uitgevoerd, dat vond 5 (andere) geïnfecteerde bestanden en 1 geïnfecteerd register. Die zijn allemaal in quarantaine geplaatst en verwijderd. Na opnieuw AVG te hebben uitgevoerd, wordt nog steeds Agent_r.XJ gevonden in svchost.exe, explorer.exe en nu ook wcauclt.exe Wat kan ik nu het beste doen? Hijackthis-logfile heb ik hieronder bijgevoegd. Vriendelijke groet en alvast bedankt, Tofelo ==== Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 17:08:10, on 22-1-2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\AVG\AVG9\avgchsvx.exe C:\Program Files\AVG\AVG9\avgrsx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AVG\AVG9\avgcsrvx.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\AVG\AVG9\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\Program Files\AVG\AVG9\avgnsx.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\PROGRA~1\AVG\AVG9\avgtray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242909971215 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing) O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe O23 - Service: Google Updateservice (gupdate1c9ece78225a338) (gupdate1c9ece78225a338) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- End of file - 8581 bytes ---------- Post toegevoegd om 18:01 ---------- Vorige post was om 17:56 ---------- Excuus, ik was nog vergeten te melden: Onder de door Malwarebytes verwijderde bestanden bevond zich Palladium (een nep-virus-scanner?), waarvan ik ook allerlei pop-ups kreeg. Die pop-ups zijn nu wel verdwenen. Groet, Tofelo