Technical miracle
- Joined
- 18 Mar 2006
- Posts
- 78
- Reaction score
- 0
Hi,
Unfortunately a follow-up to 'svchost.exe problem' :frusty:
http://www.nationaalcomputerforum.nl/showthread.php?p=542538#post542538
I'm getting another load of svchost.exe and other virus alerts via AVG.
This afternoon I had Spybot and Malwarebytes fix a number of problems, but I'm afraid I'm not there yet.
Below are the results from Malwarebytes and HJT.
Running SDFix in Safe Mode didn't work: a blue screen appears briefly and then disappears again, no DOS mode with instructions or anything like that.
Regards, TM
Malwarebytes' Anti-Malware 1.42
Database versie: 3440
Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385
10-1-2010 16:39:36
mbam-log-2010-01-10 (16-39-36).txt
Scan type: Snelle Scan
Objecten gescand: 97591
Verstreken tijd: 20 minute(s), 18 second(s)
Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 2
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 5
Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)
Registerwaarden geïnfecteerd:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrec75dnd7 (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\losalamos (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)
Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Bestanden geïnfecteerd:
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Temp\b.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\c.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\sshnas.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
[hjt]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:46:10, on 10-1-2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
c:\windows\system32\dwm.exe
c:\windows\explorer.exe
c:\windows\system32\taskhost.exe
c:\program files\security\avgtray.exe
c:\windows\system32\igfxtray.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxpers.exe
c:\program files\officemicrosoft office\office12\groovemonitor.exe
c:\program files\synaptics\syntp\syntpenh.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\office\goodsync\goodsync.exe
c:\program files\common files\ahead\lib\nmbgmonitor.exe
c:\program files\synaptics\syntp\syntphelper.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\common files\ahead\lib\nmindexstoresvr.exe
c:\program files\office\mozilla\firefox.exe
c:\program files\office\spss\spss.exe
c:\program files\office\adobe\reader\acrord32.exe
c:\program files\officemicrosoft office\office12\winword.exe
c:\program files\security\avgcsrvx.exe
c:\program files\entertainment\winamp\winamp.exe
c:\program files\security\trend micro\hijackthis\problemen.exe
r1 - hkcu\software\microsoft\internet explorer\main,search page = http://go.microsoft.com/fwlink/?linkid=54896
r0 - hkcu\software\microsoft\internet explorer\main,start page = http://go.microsoft.com/fwlink/?linkid=69157
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = http://go.microsoft.com/fwlink/?linkid=69157
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = http://go.microsoft.com/fwlink/?linkid=54896
r1 - hklm\software\microsoft\internet explorer\main,search page = http://go.microsoft.com/fwlink/?linkid=54896
r0 - hklm\software\microsoft\internet explorer\main,start page = http://go.microsoft.com/fwlink/?linkid=69157
r0 - hklm\software\microsoft\internet explorer\search,searchassistant =
r0 - hklm\software\microsoft\internet explorer\search,customizesearch =
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername =
o2 - bho: acroiehelperstub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
o2 - bho: wormradar.com iesiteblocker.navfilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\security\avgssie.dll
o2 - bho: groove gfs browser helper - {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\officemicrosoft office\office12\grooveshellextensions.dll
o4 - hklm\..\run: [avg9_tray] c:\progra~1\security\avgtray.exe
o4 - hklm\..\run: [igfxtray] c:\windows\system32\igfxtray.exe
o4 - hklm\..\run: [hotkeyscmds] c:\windows\system32\hkcmd.exe
o4 - hklm\..\run: [persistence] c:\windows\system32\igfxpers.exe
o4 - hklm\..\run: [groovemonitor] c:\program files\officemicrosoft office\office12\groovemonitor.exe
o4 - hklm\..\run: [nerofiltercheck] c:\program files\common files\ahead\lib\nerocheck.exe
o4 - hklm\..\run: [syntpenh] c:\program files\synaptics\syntp\syntpenh.exe
o4 - hklm\..\run: [adobe reader speed launcher] c:\program files\office\adobe\reader\reader_sl.exe
o4 - hklm\..\run: [adobe arm] c:\program files\common files\adobe\arm\1.0\adobearm.exe
o4 - hklm\..\run: [malwarebytes anti-malware (reboot)] c:\program files\security\malwarebytes' anti-malware\mbam.exe /runcleanupscript
o4 - hkcu\..\run: [goodsync] c:\program files\office\goodsync\goodsync.exe /min
o4 - hkcu\..\run: [bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}] c:\program files\common files\ahead\lib\nmbgmonitor.exe
o4 - hkus\s-1-5-19\..\run: [sidebar] %programfiles%\windows sidebar\sidebar.exe /autorun (user 'local service')
o4 - hkus\s-1-5-19\..\runonce: [mctadmin] c:\windows\system32\mctadmin.exe (user 'local service')
o4 - hkus\s-1-5-20\..\run: [sidebar] %programfiles%\windows sidebar\sidebar.exe /autorun (user 'network service')
o4 - hkus\s-1-5-20\..\runonce: [mctadmin] c:\windows\system32\mctadmin.exe (user 'network service')
o4 - global startup: vpn client.lnk = ?
o8 - extra context menu item: append link target to existing pdf - res://c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll/acroieappendsellinks.html
o8 - extra context menu item: e&xport to microsoft excel - res://c:\progra~1\office~1\office12\excel.exe/3000
o9 - extra button: verzenden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\office~1\office12\onbttnie.dll
o9 - extra 'tools' menuitem: verz&enden naar onenote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - c:\progra~1\office~1\office12\onbttnie.dll
o9 - extra button: research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - c:\progra~1\office~1\office12\refiebar.dll
o13 - gopher prefix:
o18 - protocol: groovelocalgws - {88fed34c-f0ca-4636-a375-3cb6248b04cd} - c:\program files\officemicrosoft office\office12\groovesystemservices.dll
o18 - protocol: linkscanner - {f274614c-63f8-47d5-a4d1-fbdde494f8d1} - c:\program files\security\avgpp.dll
o20 - appinit_dlls: avgrsstx.dll
o23 - service: avg free e-mail scanner (avg9emc) - avg technologies cz, s.r.o. - c:\program files\security\avgemc.exe
o23 - service: avg free watchdog (avg9wd) - avg technologies cz, s.r.o. - c:\program files\security\avgwdsvc.exe
o23 - service: cisco systems, inc. vpn service (cvpnd) - cisco systems, inc. - c:\program files\office\vpn\cvpnd.exe
o23 - service: nmindexingservice - nero ag - c:\program files\common files\ahead\lib\nmindexingservice.exe
o23 - service: sbsd security center service (sbsdwscservice) - safer networking ltd. - c:\program files\security\spybot - search & destroy\sdwinsec.exe
--
end of file - 5692 bytes
[/hjt]