Helpmij.nl

Topic: Helpmij anti-spyware offensive (part 3)

  1. #1021
    Hi, I have problems with run32.dll. I read on this forum that I should post it here. I hope it helps, thanks in advance.


    Logfile of HijackThis v1.97.7
    Scan saved at 15:41:24, on 18-4-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    \Markpc\g\Adobe Photoshp 5.5\Photoshop 5.5 Full Retail\Setup.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Eigenaar\Mijn documenten\BB (Belangrijke Bestanden)\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multikabel.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ne3.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Multikabel
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.multikabel.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\pdfupd.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WashAndGo - Cleanup of old Backupfiles] C:\Program Files\WashAndGo\checker.exe /check
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.multikabel.nl
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
    O16 - DPF: {1F20CF42-B381-4181-8C2A-A389B1022E6E} (Dialer.Class1) - http://www.ipxs.nl/php/fundate.CAB
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...038.1111805556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab



  2. #1022
    Pieter Arntz (Spywareslayer)
    Registered: 12 August 2001
    Location: near Rotterdam

    Re: wrong mail

    Posted by stijn10
    I keep getting mail from people who, I think, are looking for you.
    I now get about 10 e-mails a day with questions and thank-yous about spyware.

    How is this possible?
    stijn10,

    Do those e-mails come from Helpmij?
    If so, there is a link at the very bottom to unsubscribe. Just click on that.

    Regards,

    Pieter

  3. #1023
    Pieter Arntz (Spywareslayer)
    Registered: 12 August 2001
    Location: near Rotterdam

    Re: 1000x sorry, I'm a slow learner

    Posted by sneaky7

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.6.cab
    Hi sneaky7,

    Check the entries above in HijackThis, close all windows except HijackThis and click Fix checked.

    Then restart your computer.

    Regards,

    Pieter

  4. #1024
    My Norton still won't open properly; would it be useful to open a topic elsewhere on the forum?

  5. #1025
    Pieter Arntz (Spywareslayer)
    Registered: 12 August 2001
    Location: near Rotterdam
    Posted by Superspinnie

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

    O4 - HKLM\..\Run: [ansrcl] C:\WINDOWS\ansrcl.exe

    O4 - HKCU\..\Run: [Trdc] C:\Documents and Settings\M & V\Application Data\nwlm.exe
    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
    Hi superspinnie,

    Check the entries above in HijackThis, close all windows except HijackThis and click Fix checked.

    Then restart your computer and delete:
    C:\Program Files\ISTsvc <= the whole folder
    c:\program files\180solutions <= the whole folder
    C:\Program Files\Power Scan <= the whole folder
    C:\Documents and Settings\M & V\Application Data\nwlm.exe
    C:\WINDOWS\System32\wapisvsu.exe

    Regards,

    Pieter

  6. #1026
    Junior Member
    Registered: 18 April 2004
    Location: Bilthoven
    Distance to server: ±109.83 km
    I installed ADSL yesterday and was pointed to this site by friends. I'm troubled by spyware and, following your recommendations, downloaded and ran Ad-aware 6.x + Hijack-this.

    Can you help (this is my first post)?
    Thanks in advance!

    The Hijack this log reads as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:24:52, on 18-4-2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\windows\redirect7.exe
    C:\Program Files\Conexant\CnxDslTb.exe
    C:\WINDOWS\System32\wuamgrd.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Documents and Settings\Cornelis Bos\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
    O1 - Hosts: 213.222.11.11 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: DotComToolbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - c:\windows\toolbar_nieuw14.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
    O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe
    O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\CnxDslTb.exe"
    O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &RSDN Search - res://c:\windows\toolbar_nieuw14.dll/GoRSDN.dll.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {0733B8F9-8B52-4693-A9FA-829E12D27F78} (preload control) - http://www.thepaymentcentre.com/build/preload2.cab
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binari...tia32_EN_XP.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab

  7. #1027
    Pieter Arntz (Spywareslayer)
    Registered: 12 August 2001
    Location: near Rotterdam

    Re: Help, annoying internet homepage

    Posted by driverv

    O2 - BHO: (no name) - {20A73CA1-4C3A-BC2B-2E58-866C18E6397D} - C:\PROGRA~1\BOWSMA~1\Setup Site.dll

    O3 - Toolbar: plus sect - {E08E37A7-6F93-732C-D6F7-E9831820DF8E} - C:\PROGRA~1\BOWSMA~1\Setup Site.dll

    O4 - HKLM\..\Run: [vga browse] C:\PROGRA~1\COALAI~1\idle view.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/013f4116...p/RdxIE601.cab

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    Hi driverv,

    Check the entries above in HijackThis, close all windows except HijackThis and click Fix checked.

    Then restart your computer in safe mode and delete:
    C:\Program Files\BOWSMA~1 <= the whole folder containing the file Setup Site.dll
    C:\Program Files\COALAI~1 <= the whole folder containing the file idle view.exe
    C:\Program Files\AutoUpdate <= the whole folder

    Regards,

    Pieter

  8. #1028
    Pieter Arntz (Spywareslayer)
    Registered: 12 August 2001
    Location: near Rotterdam
    Posted by Xiqum

    It had found my istbar in my System Restore; I had found out that I had to turn that on and off. No sooner said than done, and I haven't had any report of it since, but my Norton still didn't work. I'm now going to throw AVG off and just try Norton.
    Both decisions.

    Regards,

    Pieter

  9. #1029
    Allard (Senior Member)
    Registered: 8 December 2001
    Location: Breda
    Distance to server: ±156.23 km
    Hey, I'm still troubled by that spy vermin. I just ran Ad-aware and deleted everything, then ran HijackThis. Here is my log:

    Logfile of HijackThis v1.97.7
    Scan saved at 16:05:30, on 18-4-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\USB Storage RW\shwicon.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System\winspool.exe
    C:\docume~1\eigenaar\applic~1\svchost.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Eigenaar\Bureaublad\Nieuwe map\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O1 - Hosts: 213.159.117.235 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
    O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
    O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
    O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
    O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
    O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Eigenaar\Application Data\Microsoft\sr64\hipcaagh.exe
    O4 - HKCU\..\Run: [System Update4] c:\docume~1\eigenaar\applic~1\svchost.exe
    O4 - Startup: Microsoft Data Helper.lnk = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://little-flowers-pussy.com/ebook.chm::/loader.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    Thanks in advance
    AT | FOCUS Media
    photography | video production | graphic design

  10. #1030
    Pieter Arntz (Spywareslayer)
    Registered: 12 August 2001
    Location: near Rotterdam
    Posted by remcos

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ne3.hpwis.com/

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)

    O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\pdfupd.dll

    O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
    O16 - DPF: {1F20CF42-B381-4181-8C2A-A389B1022E6E} (Dialer.Class1) - http://www.ipxs.nl/php/fundate.CAB

    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
    Hi remcos,

    Could you please send me this file before you start on the rest?
    C:\WINDOWS\System32\pdfupd.dll
    =><=

    Then check the entries above, close all windows except HijackThis and click Fix checked.

    After that, restart.

    Regards,

    Pieter

  11. #1031
    Pieter Arntz (Spywareslayer)
    Registered: 12 August 2001
    Location: near Rotterdam
    Posted by Xiqum
    My Norton still won't open properly; would it be useful to open a topic elsewhere on the forum?
    In the Antivirus software forum, I'd say:
    http://www.helpmij.nl/forum/forumdis...hp?forumid=204

    Good luck,

    Pieter

  12. #1032
    Pieter Arntz (Spywareslayer)
    Registered: 12 August 2001
    Location: near Rotterdam
    Posted by Cornelis Bos

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
    O1 - Hosts: 213.222.11.11 auto.search.msn.com

    O3 - Toolbar: DotComToolbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - c:\windows\toolbar_nieuw14.dll

    O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
    O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe

    O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe

    O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe

    O8 - Extra context menu item: &RSDN Search - res://c:\windows\toolbar_nieuw14.dll/GoRSDN.dll.htm

    O16 - DPF: {0733B8F9-8B52-4693-A9FA-829E12D27F78} (preload control) - http://www.thepaymentcentre.com/build/preload2.cab
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binari...tia32_EN_XP.cab
    Hello Cornelis Bos,

    Welcome to Helpmij.

    Before you start, I would advise you to unpack HijackThis into a separate folder. The program makes backups in the folder where it is located, and
    the way you are running it now (from the zip folder) that does not work.

    Then check the entries above, close all windows except HijackThis and click Fix checked.

    Download and run http://www.spywareinfo.com/~merijn/files/CWShredder.exe
    Use the Fix button and pay close attention to the program's instructions.

    After that, restart in safe mode and delete:
    C:\windows\easywww2.exe
    C:\windows\redirect7.exe
    wuamgrd.exe

    Regards,

    Pieter

  13. #1033
    Pieter Arntz (Spywareslayer)
    Registered: 12 August 2001
    Location: near Rotterdam
    Posted by Allard

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm

    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O1 - Hosts: 213.159.117.235 auto.search.msn.com

    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
    O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
    O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
    O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
    O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe

    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
    O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Eigenaar\Application Data\Microsoft\sr64\hipcaagh.exe
    O4 - HKCU\..\Run: [System Update4] c:\docume~1\eigenaar\applic~1\svchost.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://little-flowers-pussy.com/ebook.chm::/loader.exe
    Hi Allard,

    This log looks very familiar to me. Could that be?
    In any case it is a trojan feast of the first order.

    Check the entries above, close all windows except HijackThis and click Fix checked.

    Download and run http://www.spywareinfo.com/~merijn/files/CWShredder.exe
    Use the Fix button and pay close attention to the program's instructions.

    After that, restart in safe mode and delete:
    C:\Documents and Settings\Eigenaar\Application Data\svchost.exe
    C:\WINDOWS\SysUpd.exe
    C:\WINDOWS\System32\w32sup.exe
    C:\WINDOWS\swchost.exe
    C:\WINDOWS\System32\scchost.exe
    C:\WINDOWS\fsvch.exe
    C:\WINDOWS\System\winspool.exe
    C:\Documents and Settings\Eigenaar\Application Data\Microsoft\sr64 <= the whole folder

    Post a new log when you are done.

    Regards,

    Pieter
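
Several of the entries marked in the reply to Allard above carry file names that resemble Windows system processes (swchost.exe, scchost.exe, and a svchost.exe under Application Data). The Python below is an added example, not part of the original thread or of HijackThis: it parses O4 lines and flags such lookalikes. The process list, the expected folders and the one-edit threshold are assumptions of the example; the sample lines are copied from Allard's log.

```python
import ntpath
import re

# Assumption of this example: a few Windows XP system processes and the
# folder each normally runs from (lowercase). Not taken from the thread.
SYSTEM_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# HijackThis autostart line: "O4 - <hive>: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Program part of a command line: a quoted path, or everything up to the first ".exe".
EXE_PATH = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.exe)(?=\s|$))', re.IGNORECASE)

# Sample input: O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe
O4 - HKCU\..\Run: [System Update4] c:\docume~1\eigenaar\applic~1\svchost.exe
O4 - Startup: Microsoft Data Helper.lnk = ?
"""


def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(command):
    """Return the program part of an autostart command line, without arguments."""
    m = EXE_PATH.match(command.strip())
    if m:
        return m.group("quoted") or m.group("bare")
    parts = command.split()
    return parts[0] if parts else ""


def check_path(path):
    """Return a reason string if the file name imitates a system process, else None."""
    folder, name = ntpath.split(path.lower())
    if name in SYSTEM_PROCESSES:
        # Genuine name: only suspicious when an explicit folder is the wrong one.
        if folder and folder != SYSTEM_PROCESSES[name]:
            return f"{name} outside {SYSTEM_PROCESSES[name]}"
        return None
    stem = name.rsplit(".", 1)[0]
    for known in SYSTEM_PROCESSES:
        # One inserted, deleted or substituted character away from a system name.
        if edit_distance(stem, known.rsplit(".", 1)[0]) == 1:
            return f"{name} is one edit away from {known}"
    return None


def scan_o4(log_text):
    """Return (value name, executable, reason) for every flagged O4 registry entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue  # not a registry autostart line (e.g. a Startup-folder shortcut)
        exe = executable_of(m.group("cmd"))
        reason = check_path(exe)
        if reason:
            findings.append((m.group("name"), exe, reason))
    return findings


if __name__ == "__main__":
    for value_name, exe, reason in scan_o4(SAMPLE_LOG):
        print(f"[{value_name}] {exe}: {reason}")
```

A name-based check like this only narrows down what to look at first; entries such as SysUpd.exe or fsvch.exe in the same log do not imitate a system name and pass through it unflagged.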

  14. #1034
    Allard (Senior Member)
    Registered: 8 December 2001
    Location: Breda
    Distance to server: ±156.23 km
    Dear Pieter,

    I had indeed already posted something last week, but then unexpectedly had to leave.

    I did what you said, but I can't find all the files to delete:

    C:\WINDOWS\SysUpd.exe
    C:\WINDOWS\System32\w32sup.exe
    C:\WINDOWS\swchost.exe
    C:\WINDOWS\System32\scchost.exe
    C:\WINDOWS\fsvch.exe

    I simply can't find those. I have turned on hidden files in the folder options.
    AT | FOCUS Media
    photography | video production | graphic design

  15. #1035

    My hijack log

    Hello,

    My problems:
    - start page can no longer be changed
    - certain functions no longer work: the window disappears immediately
      * setting the clock
      * Add/Remove programs
      * setting a restore point (I have Windows XP)
    - Trojan/virus alert: "Exploit-Codebase": file cannot be cleaned or deleted.

    I have already carried out the following: Spybot S&D and Ad-aware 6.

    At my wits' end I created a HijackThis log; here is the result:

    Logfile of HijackThis v1.97.7
    Scan saved at 13:00:46, on 17/04/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\KMaestro\Key_e.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\llass.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\WINDOWS\reg33.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\windows\5-1-25-85.exe
    C:\windows\5-1-35-16.exe
    C:\windows\5-1-25-224.exe
    C:\WINDOWS\AddCLS.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\reg33.exe
    C:\WINDOWS\System32\svchost.exe
    D:\My Documents\Chrispie\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sex-family.net/sherbook/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [5-1-25-85] c:\windows\5-1-25-85.exe -m
    O4 - HKCU\..\Run: [5-1-25-331] c:\program files\Webdialer\5-1-25-331.exe -m
    O4 - HKCU\..\Run: [5-1-35-16] c:\windows\5-1-35-16.exe -m
    O4 - HKCU\..\Run: [60-1-1-177] c:\windows\60-1-1-177.exe -m
    O4 - HKCU\..\Run: [5-1-61-22] c:\windows\5-1-61-22.exe -m
    O4 - HKCU\..\Run: [5-1-61-59] c:\program files\Webdialer\5-1-61-59.exe -m
    O4 - HKCU\..\Run: [5-2-145-59] c:\program files\Webdialer\5-2-145-59.exe -m
    O4 - HKCU\..\Run: [5-2-100-8] c:\program files\Webdialer\5-2-100-8.exe -m
    O4 - HKCU\..\Run: [5-4-30-383] c:\program files\Webdialer\5-4-30-383.exe -m
    O4 - HKCU\..\Run: [5-2-145-36] c:\program files\Webdialer\5-2-145-36.exe -m
    O4 - HKCU\..\Run: [5-2-109-28] c:\program files\Webdialer\5-2-109-28.exe -m
    O4 - HKCU\..\Run: [5-2-145-21] c:\program files\Webdialer\5-2-145-21.exe -m
    O4 - HKCU\..\Run: [5-2-109-124] c:\program files\Webdialer\sex_collection.exe -m
    O4 - HKCU\..\Run: [5-1-25-224] c:\windows\5-1-25-224.exe -m
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
    O4 - HKCU\..\Run: [5-1-61-47] c:\program files\Webdialer\5-1-61-47.exe -m
    O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
    O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.learning-site.com/cimonli...ab/awswaxm.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/250ce7752669228...p/RdxIE601.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
    O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://www3.compaq.com/support/sndetect/CSND_AX.CAB
    O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - file://F:\Setup\tsccinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...231.1019560185
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E9E7D9AE-7AE6-4797-BAB8-5EB2CD663382}: NameServer = 195.238.2.21 195.238.2.22

    Who can help me?
    Chrispie

  16. #1036
    Spywareslayer Pieter Arntz
    Registered
    12 August 2001
    Location
    near Rotterdam
    Posted by Allard
    Dear Pieter...

    I had indeed already posted something last week.. but then I unexpectedly had to leave...

    I did what you said, but I can't find all of the files to delete:

    C:\WINDOWS\SysUpd.exe
    C:\WINDOWS\System32\w32sup.exe
    C:\WINDOWS\swchost.exe
    C:\WINDOWS\System32\scchost.exe
    C:\WINDOWS\fsvch.exe

    I just can't find those.. I have turned on hidden files in the folder options...
    Hi Allard,

    Just post a new log to be sure.

    Regards,

    Pieter

  17. #1037
    Senior Member Raisa
    Registered
    15 August 2003
    Location
    Antwerpen
    Distance to server
    ±203.31 km
    Posted by Pieter Arntz


    Hi Raisa,

    System32 Folder Opens When Logging on to Windows XP, Windows 2000, or Windows NT 4.0

    The log is clean now, and if toolbar.dll can't be found then it is gone.

    Regards,

    Pieter
    Thanks, Pieter, for the expert help...

    Regards,
    Raisa

  18. #1038
    Senior Member Allard
    Registered
    8 December 2001
    Location
    Breda
    Distance to server
    ±156.23 km
    Here it is....

    Logfile of HijackThis v1.97.7
    Scan saved at 17:16:43, on 18-4-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Eigenaar\Bureaublad\Nieuwe map\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
    O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
    O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
    O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
    O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
    AT | FOCUS Media
    photography | video production | graphic design

  19. #1039
    Spywareslayer Pieter Arntz
    Registered
    12 August 2001
    Location
    near Rotterdam

    Re: my hijacklog

    Posted by chrispie


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sex-family.net/sherbook/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@<a href="htt...cc/search/</a> (obfuscated)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe

    O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe

    O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe

    O4 - HKCU\..\Run: [5-1-25-85] c:\windows\5-1-25-85.exe -m
    O4 - HKCU\..\Run: [5-1-25-331] c:\program files\Webdialer\5-1-25-331.exe -m
    O4 - HKCU\..\Run: [5-1-35-16] c:\windows\5-1-35-16.exe -m
    O4 - HKCU\..\Run: [60-1-1-177] c:\windows\60-1-1-177.exe -m
    O4 - HKCU\..\Run: [5-1-61-22] c:\windows\5-1-61-22.exe -m
    O4 - HKCU\..\Run: [5-1-61-59] c:\program files\Webdialer\5-1-61-59.exe -m
    O4 - HKCU\..\Run: [5-2-145-59] c:\program files\Webdialer\5-2-145-59.exe -m
    O4 - HKCU\..\Run: [5-2-100-8] c:\program files\Webdialer\5-2-100-8.exe -m
    O4 - HKCU\..\Run: [5-4-30-383] c:\program files\Webdialer\5-4-30-383.exe -m
    O4 - HKCU\..\Run: [5-2-145-36] c:\program files\Webdialer\5-2-145-36.exe -m
    O4 - HKCU\..\Run: [5-2-109-28] c:\program files\Webdialer\5-2-109-28.exe -m
    O4 - HKCU\..\Run: [5-2-145-21] c:\program files\Webdialer\5-2-145-21.exe -m
    O4 - HKCU\..\Run: [5-2-109-124] c:\program files\Webdialer\sex_collection.exe -m
    O4 - HKCU\..\Run: [5-1-25-224] c:\windows\5-1-25-224.exe -m
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
    O4 - HKCU\..\Run: [5-1-61-47] c:\program files\Webdialer\5-1-61-47.exe -m

    O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
    O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/250ce7752669228...p/RdxIE601.cab
    Hi chrispie,

    Check the entries above, close all windows except HijackThis and click Fix checked.

    Download and run http://www.spywareinfo.com/~merijn/files/CWShredder.exe
    Use the Fix button and pay close attention to the program's instructions.

    Then restart in safe mode and delete:
    C:\WINDOWS\system32\llass.exe <= PAY CLOSE ATTENTION to the spelling. Do NOT delete lsass.exe.
    C:\WINDOWS\reg33.exe
    C:\windows\5-1-25-85.exe
    C:\windows\5-1-35-16.exe
    C:\windows\5-1-25-224.exe

    Would you e-mail me the following file?
    C:\WINDOWS\AddCLS.exe
    =><=

    Regards,

    Pieter

  20. #1040
    Spywareslayer Pieter Arntz
    Registered
    12 August 2001
    Location
    near Rotterdam
    Posted by Allard

    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
    O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
    O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
    O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
    O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe
    Hi Allard,

    Fix the entries above, restart and run HijackThis again. If they stay away this time, all is well.
    Otherwise we'll have to come up with something else.

    Regards,

    Pieter
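
The spelling warning in post #1039 (llass.exe versus lsass.exe) and the swchost.exe and scchost.exe entries in post #1040 follow one pattern: an autostart file named one character away from a Windows system process. The Python below is an added example, not part of the original thread; it flags such near-matches in HijackThis O4 lines and percent-decodes the O13 prefix values. The sample lines are copied from the logs above, while SYSTEM_NAMES, the distance threshold of 1 and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: entries copied from the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
"""

# Assumption: a short, non-exhaustive list of core Windows process names.
SYSTEM_NAMES = ("lsass.exe", "svchost.exe", "smss.exe", "csrss.exe",
                "services.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe")

O4_RE = re.compile(r"^O4 - [^:]+: \[[^\]]*\] (?P<cmd>.+)$")
O13_RE = re.compile(r"^O13 - (?P<key>.+?): (?P<url>\S+)$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(log, max_distance=1):
    """Map each autostart executable to the system name it nearly matches."""
    hits = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        exe = EXE_RE.search(m.group("cmd")) if m else None
        if not exe:
            continue
        name = exe.group(1).lower()
        for real in SYSTEM_NAMES:
            # Distance 0 is the genuine name; only near-misses are reported.
            if 0 < edit_distance(name, real) <= max_distance:
                hits[name] = real
    return hits

def decode_prefixes(log):
    """Percent-decode O13 URL prefix values so the real host is readable."""
    found = {}
    for line in log.splitlines():
        m = O13_RE.match(line.strip())
        if m and "%" in m.group("url"):
            found[m.group("key")] = unquote(m.group("url"))
    return found
```

A name that is not a near-match, such as reg33.exe, is not reported by this check and still needs the manual review shown in the posts above.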
