Technical miracle
- Joined
- 18 Mar 2006
- Posts
- 78
- Reaction score
- 0
Hi,
I have been busy for more than a day now with a virus that I can't get removed. Hopefully one of you can help me with this. Every 10 minutes I get a warning from AVG that the virus svchost.exe has been detected. I have tried to empty the Temp folder with a number of tools,
but the virus stubbornly keeps going. I have also gone through all the steps prescribed by the forum, but I can't get the virus removed. Below is an HJT log and the AVG alert; hopefully someone knows the solution.
Thanks in advance!
Bestandstandsnaam: C:\Windows\Temp\iwi.tmp\svchost.exe
Bedreiging naam: Mogelijk geinfecteerd met een onbekend virus Win32\DH.BA
Procesnaam: C:\Windows\System32\svchost.exe
Proces-ID: 640
[hjt]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:16:52, on 27-12-2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
c:\windows\system32\dwm.exe
c:\windows\system32\taskhost.exe
c:\windows\explorer.exe
c:\program files\security\avgtray.exe
c:\windows\system32\igfxtray.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxpers.exe
c:\program files\officemicrosoft office\office12\groovemonitor.exe
c:\program files\office\adobe\acrobat\acrobat_sl.exe
c:\program files\office\adobe\acrobat\acrotray.exe
c:\program files\synaptics\syntp\syntpenh.exe
c:\program files\office\goodsync\goodsync.exe
c:\program files\common files\ahead\lib\nmbgmonitor.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\office\mozilla\firefox.exe
c:\program files\common files\ahead\lib\nmindexstoresvr.exe
c:\program files\synaptics\syntp\syntphelper.exe
c:\program files\entertainment\sabnzbd\sabnzbd.exe
c:\windows\system32\searchfilterhost.exe
c:\program files\security\trend micro\hijackthis\hijackthis.exe
r1 - hkcu\software\microsoft\internet explorer\main,search page = [noparse]http://go.microsoft.com/fwlink/?linkid=54896[/noparse]
r0 - hkcu\software\microsoft\internet explorer\main,start page = [noparse]http://go.microsoft.com/fwlink/?linkid=69157[/noparse]
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = [noparse]http://go.microsoft.com/fwlink/?linkid=69157[/noparse]
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = [noparse]http://go.microsoft.com/fwlink/?linkid=54896[/noparse]
r1 - hklm\software\microsoft\internet explorer\main,search page = [noparse]http://go.microsoft.com/fwlink/?linkid=54896[/noparse]
r0 - hklm\software\microsoft\internet explorer\main,start page = [noparse]http://go.microsoft.com/fwlink/?linkid=69157[/noparse]
r0 - hklm\software\microsoft\internet explorer\search,searchassistant =
r0 - hklm\software\microsoft\internet explorer\search,customizesearch =
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername =
o2 - bho: acroiehelperstub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
o2 - bho: wormradar.com iesiteblocker.navfilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\security\avgssie.dll
o2 - bho: groove gfs browser helper - {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\officemicrosoft office\office12\grooveshellextensions.dll
o2 - bho: adobe pdf conversion toolbar helper - {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll
o2 - bho: smartselect - {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll
o3 - toolbar: adobe pdf - {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll
o4 - hklm\..\run: [avg9_tray] c:\progra~1\security\avgtray.exe
o4 - hklm\..\run: [igfxtray] c:\windows\system32\igfxtray.exe
o4 - hklm\..\run: [hotkeyscmds] c:\windows\system32\hkcmd.exe
o4 - hklm\..\run: [persistence] c:\windows\system32\igfxpers.exe
o4 - hklm\..\run: [groovemonitor] c:\program files\officemicrosoft office\office12\groovemonitor.exe
o4 - hklm\..\run: [adobe acrobat speed launcher] c:\program files\office\adobe\acrobat\acrobat_sl.exe
o4 - hklm\..\run: [acrobat assistant 8.0] c:\program files\office\adobe\acrobat\acrotray.exe
o4 - hklm\..\run: [nerofiltercheck] c:\program files\common files\ahead\lib\nerocheck.exe
o4 - hklm\..\run: [syntpenh] c:\program files\synaptics\syntp\syntpenh.exe
o4 - hkcu\..\run: [goodsync] c:\program files\office\goodsync\goodsync.exe /min
o4 - hkcu\..\run: [bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] c:\program files\common files\ahead\lib\nmbgmonitor.exe
o4 - hkus\s-1-5-19\..\run: [sidebar] %programfiles%\windows sidebar\sidebar.exe /autorun (user 'local service')
o4 - hkus\s-1-5-19\..\runonce: [mctadmin] c:\windows\system32\mctadmin.exe (user 'local service')
o4 - hkus\s-1-5-20\..\run: [sidebar] %programfiles%\windows sidebar\sidebar.exe /autorun (user 'network service')
o4 - hkus\s-1-5-20\..\runonce: [mctadmin] c:\windows\system32\mctadmin.exe (user 'network service')
o4 - hkus\s-1-5-18\..\run: [cbssreg] c:\windows\temp\vipq.tmp\svchost.exe (user 'system')
o4 - hkus\.default\..\run: [cbssreg] c:\windows\temp\vipq.tmp\svchost.exe (user 'default user')
o4 - global startup: vpn client.lnk = ?
o8 - extra context menu item: append link target to existing pdf - res://c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll/acroieappendsellinks.html
o8 - extra context menu item: append to existing pdf - res://c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll/acroieappend.html
o8 - extra context menu item: convert link target to adobe pdf - res://c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll/acroiecapturesellinks.html
o8 - extra context menu item: convert to adobe pdf - res://c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll/acroiecapture.html
o8 - extra context menu item: e&xport to microsoft excel - res://c:\progra~1\office~1\office12\excel.exe/3000
o9 - extra button: verzenden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\office~1\office12\onbttnie.dll
o9 - extra 'tools' menuitem: verz&enden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\office~1\office12\onbttnie.dll
o9 - extra button: research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - c:\progra~1\office~1\office12\refiebar.dll
o13 - gopher prefix:
o18 - protocol: groovelocalgws - {88fed34c-f0ca-4636-a375-3cb6248b04cd} - c:\program files\officemicrosoft office\office12\groovesystemservices.dll
o18 - protocol: linkscanner - {f274614c-63f8-47d5-a4d1-fbdde494f8d1} - c:\program files\security\avgpp.dll
o20 - appinit_dlls: avgrsstx.dll
o23 - service: avg free e-mail scanner (avg9emc) - avg technologies cz, s.r.o. - c:\program files\security\avgemc.exe
o23 - service: avg free watchdog (avg9wd) - avg technologies cz, s.r.o. - c:\program files\security\avgwdsvc.exe
o23 - service: cisco systems, inc. vpn service (cvpnd) - cisco systems, inc. - c:\program files\office\vpn\cvpnd.exe
o23 - service: flexnet licensing service - macrovision europe ltd. - c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe
o23 - service: nmindexingservice - nero ag - c:\program files\common files\ahead\lib\nmindexingservice.exe
o23 - service: sbsd security center service (sbsdwscservice) - safer networking ltd. - c:\program files\security\spybot - search & destroy\sdwinsec.exe
--
end of file - 6786 bytes
[/hjt]
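The two `cbssreg` entries in the log (a `svchost.exe` started from a subfolder of `C:\Windows\Temp`, registered under the SYSTEM and default-user hives) are the autoruns a log reviewer would flag first. The script below is an added example, not part of the original post or of HijackThis: it parses O4 lines and applies that check. The sample lines are copied from the log above; the list of core Windows binary names and the temp-directory markers are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: four O4 (autorun) lines copied from the HijackThis log above.
SAMPLE_O4_LINES = r"""
o4 - hklm\..\run: [igfxtray] c:\windows\system32\igfxtray.exe
o4 - hkcu\..\run: [goodsync] c:\program files\office\goodsync\goodsync.exe /min
o4 - hkus\s-1-5-18\..\run: [cbssreg] c:\windows\temp\vipq.tmp\svchost.exe (user 'system')
o4 - hkus\.default\..\run: [cbssreg] c:\windows\temp\vipq.tmp\svchost.exe (user 'default user')
"""

O4_RE = re.compile(r"^o4 - (?P<hive>\S+?)\\\.\.\\(?P<key>run|runonce): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
USER_RE = re.compile(r" \(user '(?P<user>[^']*)'\)$")
# Assumed list of core Windows binaries that legitimately live only in their system location.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def parse_o4(line: str) -> Dict[str, str]:
    """Split one HijackThis O4 line into hive, key, value name, command, executable path and user."""
    m = O4_RE.match(line.strip().lower())
    if not m:
        return {}
    entry = m.groupdict()
    um = USER_RE.search(entry["cmd"])
    entry["user"] = um.group("user") if um else ""
    entry["cmd"] = USER_RE.sub("", entry["cmd"])
    pm = re.match(r"(?P<path>.+?\.exe)", entry["cmd"])  # path up to the first .exe, arguments dropped
    entry["path"] = pm.group("path") if pm else entry["cmd"].split()[0]
    return entry

def triage_o4(log: str) -> List[Dict[str, object]]:
    """Return the autorun entries that look suspicious, each with the reasons it was flagged."""
    findings = []
    for line in log.splitlines():
        e = parse_o4(line)
        if not e:
            continue
        folder, _, exe = e["path"].rpartition("\\")
        reasons = []
        if exe in SYSTEM_BINARIES and folder not in ("c:\\windows\\system32", "c:\\windows"):
            reasons.append(f"{exe} launched from {folder} instead of its system location")
        if any(marker in e["path"] for marker in TEMP_MARKERS):
            reasons.append("autorun target lives in a temp directory")
        if reasons and (e["hive"].startswith("hkus\\s-1-5-18") or e["hive"] == "hkus\\.default"):
            reasons.append("registered in the SYSTEM or default-user hive, so it runs before any user logs in")
        if reasons:
            findings.append({"name": e["name"], "path": e["path"], "user": e["user"], "reasons": reasons})
    return findings
```

Run `triage_o4` over a full log's O4 section; only the two `cbssreg` lines from the sample are returned, each with three reasons.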