Hijack this log ..::ToM::..

Status: Not open for further replies.

schizo (new user, joined 8 Oct 2004, 4 posts)
I have already scanned my PC several times with Ad-Aware and with Bullet proof software spyware remover,
but all the ads just keep coming back, so I have now had HijackThis run a scan and this is the result:

Logfile of HijackThis v1.97.7
Scan saved at 16:49:17, on 8-10-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\setver32.exe
C:\WINDOWS\System32\windowsupdate.exe
C:\WINDOWS\System32\scvhosting.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\qautilec.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\wuam.exe
C:\WINDOWS\System32\vpc32.exe
C:\WINDOWS\System32\taskmgr32.exe
C:\WINDOWS\System32\anewntpm.exe
C:\windows\system32\winchr32.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\DOCUME~1\TOM~1.WOO\LOCALS~1\Temp\9.tmp.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Tom.WOONKAMER\Application Data\thip.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Tom.WOONKAMER\Bureaublad\programma's\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\bobby.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [aut0 repair system] qautilec.exe
O4 - HKLM\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [Windows secure] setver32.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] winupdate.exe
O4 - HKLM\..\Run: [Microsoft Task Manager System] taskmgr32.exe
O4 - HKLM\..\Run: [NT xPerfect] c:\windows\system32\frrdf8e\repcale.exe c:\windows\system32\frrdf8e\APC.exe
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [czjttj] C:\WINDOWS\System32\anewntpm.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winchr32.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [[Ephemeral 2.4] by TreeHugger, ] C:\DOCUME~1\TOM~1.WOO\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [saap] c:\windows\180solutions\saap.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [aut0 repair system] qautilec.exe
O4 - HKLM\..\RunServices: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunServices: [Windows secure] setver32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] winupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Task Manager System] taskmgr32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKCU\..\Run: [USB Device] win32usb.exe
O4 - HKCU\..\Run: [aut0 repair system] qautilec.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Windows secure] setver32.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Microsoft Windows Updater] winupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Owygw] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [Ueet] C:\Documents and Settings\Tom.WOONKAMER\Application Data\thip.exe
O4 - HKLM\..\RunOnce: [Windows secure] setver32.exe
O4 - HKLM\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Windows secure] setver32.exe
O4 - HKCU\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - Startup: Sonic INSTALLit! Setup.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Corel Network monitor worker (HKLM)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Corel Network monitor worker (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKCU)
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2520E2D-A8C2-478B-BD56-1323B174540A}: NameServer = 194.134.5.5 194.134.0.97


I hope someone can help me, because I am going completely crazy from all those advertising pop-ups; on top of that, since these problems started I can no longer get into my Hotmail account. Thanks in advance for your help.
 
Update to HijackThis 1.98.2:

http://radiosplace.com

Download, update and run the following programs; it is recommended to reboot between each program.
- Ad Aware SE
>> make sure you first click "Check for Updates" and then "Connect" to fetch the updates. After that, click "Next", and then "Full System Scan".

- Spybot S&D
>> Update it by clicking "Search for Updates" and, when updates are available, "Download updates". After that, click "Search & Destroy". After the scan, remove ONLY the RED entries (these are already checked by default).

- CWShredder
>> use the FIX button (so NOT the Scan button). Remove everything CWShredder finds.

- CleanUp!
>> Speaks for itself: install and run. Click the "CleanUp!" button to empty all your temporary folders.

- After this, reboot.

- Run at least 2 of these online virus scans, with a reboot in between:

http://www.bitdefender.com/scan/licence.php
http://housecall.trendmicro.com/housecall/start_corp.asp
http://us.mcafee.com/root/mfs/default.asp
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

- Reboot once more, create a new log with HijackThis, and post it here.
 
final HijackThis log

A few days ago I also posted a question about my log file. I then had to run scans with various programs; I ran Spybot S&D, CWShredder and Ad-Aware. I also did two online virus scans, from BitDefender and McAfee online, all of this with a reboot in between. So now I have my final HijackThis log file, and I hope someone can help me with it.

Thanks in advance!


Logfile of HijackThis v1.98.2
Scan saved at 12:50:26, on 13-10-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\setver32.exe
C:\WINDOWS\System32\windowsupdate.exe
C:\WINDOWS\System32\scvhosting.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\wuam.exe
C:\WINDOWS\System32\vpc32.exe
C:\WINDOWS\System32\anewntpm.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\DOCUME~1\TOM~1.WOO\LOCALS~1\Temp\9.tmp.exe
C:\WINDOWS\System32\taskmgr32.exe
C:\WINDOWS\System32\egddlciyqya.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\qautilec.exe
C:\Documents and Settings\Tom.WOONKAMER\Application Data\thip.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Web_Rebates\WebRebates1.exe
c:\124782.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Documents and Settings\Tom.WOONKAMER\Bureaublad\programma's\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.nl/
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O4 - HKLM\..\Run: [aut0 repair system] qautilec.exe
O4 - HKLM\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [Windows secure] setver32.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] winupdate.exe
O4 - HKLM\..\Run: [NT xPerfect] c:\windows\system32\frrdf8e\repcale.exe c:\windows\system32\frrdf8e\APC.exe
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [czjttj] C:\WINDOWS\System32\anewntpm.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winchr32.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [[Ephemeral 2.4] by TreeHugger, ] C:\DOCUME~1\TOM~1.WOO\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [saap] c:\windows\180solutions\saap.exe
O4 - HKLM\..\Run: [Microsoft Task Manager System] taskmgr32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Microsoft Macro Protection Subsystems] egddlciyqya.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [aut0 repair system] qautilec.exe
O4 - HKLM\..\RunServices: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunServices: [Windows secure] setver32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] winupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Task Manager System] taskmgr32.exe
O4 - HKLM\..\RunServices: [Microsoft Macro Protection Subsystems] egddlciyqya.exe
O4 - HKLM\..\RunOnce: [Windows secure] setver32.exe
O4 - HKLM\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKCU\..\Run: [USB Device] win32usb.exe
O4 - HKCU\..\Run: [aut0 repair system] qautilec.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Windows secure] setver32.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Microsoft Windows Updater] winupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [Owygw] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Ueet] C:\Documents and Settings\Tom.WOONKAMER\Application Data\thip.exe
O4 - HKCU\..\Run: [Microsoft Macro Protection Subsystems] egddlciyqya.exe
O4 - HKCU\..\RunServices: [Microsoft Macro Protection Subsystems] egddlciyqya.exe
O4 - HKCU\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Windows secure] setver32.exe
O4 - Startup: Sonic INSTALLit! Setup.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {61FA8A61-B6E2-4F64-BEB1-CC8B81197375} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {61FA8A61-B6E2-4F64-BEB1-CC8B81197375} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {61FA8A61-B6E2-4F64-BEB1-CC8B81197375} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {61FA8A61-B6E2-4F64-BEB1-CC8B81197375} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...fb72d88b5ced:bcbeac9adb4287dd435f5ab0907ede44
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\MediaTicketsInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2520E2D-A8C2-478B-BD56-1323B174540A}: NameServer = 194.134.5.5 194.134.0.97
 
Re: final HijackThis log

Posted by schizo

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html

R3 - Default URLSearchHook is missing

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteBar\ELITEB~1.DLL

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteBar\ELITEB~1.DLL

O4 - HKLM\..\Run: [aut0 repair system] qautilec.exe
O4 - HKLM\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [Windows secure] setver32.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] winupdate.exe
O4 - HKLM\..\Run: [NT xPerfect] c:\windows\system32\frrdf8e\repcale.exe c:\windows\system32\frrdf8e\APC.exe
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [czjttj] C:\WINDOWS\System32\anewntpm.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winchr32.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [[Ephemeral 2.4] by TreeHugger, ] C:\DOCUME~1\TOM~1.WOO\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [saap] c:\windows\180solutions\saap.exe
O4 - HKLM\..\Run: [Microsoft Task Manager System] taskmgr32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Microsoft Macro Protection Subsystems] egddlciyqya.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [aut0 repair system] qautilec.exe
O4 - HKLM\..\RunServices: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunServices: [Windows secure] setver32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] winupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Task Manager System] taskmgr32.exe
O4 - HKLM\..\RunServices: [Microsoft Macro Protection Subsystems] egddlciyqya.exe
O4 - HKLM\..\RunOnce: [Windows secure] setver32.exe
O4 - HKLM\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKCU\..\Run: [USB Device] win32usb.exe
O4 - HKCU\..\Run: [aut0 repair system] qautilec.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Windows secure] setver32.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Microsoft Windows Updater] winupdate.exe
O4 - HKCU\..\Run: [Owygw] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Ueet] C:\Documents and Settings\Tom.WOONKAMER\Application Data\thip.exe
O4 - HKCU\..\Run: [Microsoft Macro Protection Subsystems] egddlciyqya.exe
O4 - HKCU\..\RunServices: [Microsoft Macro Protection Subsystems] egddlciyqya.exe
O4 - HKCU\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [Windows secure] setver32.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {61FA8A61-B6E2-4F64-BEB1-CC8B81197375} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {61FA8A61-B6E2-4F64-BEB1-CC8B81197375} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {61FA8A61-B6E2-4F64-BEB1-CC8B81197375} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {61FA8A61-B6E2-4F64-BEB1-CC8B81197375} - (no file) (HKCU)

O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=

O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...fb72d88b5ced:bcbeac9adb4287dd435f5ab0907ede44
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\MediaTicketsInstaller.cab

There is still an awful lot of junk in your PC. Follow the instructions below carefully...

Go to My Computer and double-click C there. Double-click Program Files. Now click "File" > "New" > "Folder". Name this folder HJT or HijackThis. Now place HijackThis.exe in THAT folder. From now on, run HijackThis from THAT folder :). This is because of the backups this program makes ;)


1. Check the entries above in HijackThis, close all other windows and browsers, and click Fix Checked.

2. Reboot into safe mode.
Make sure hidden files and folders are visible: Explorer > Tools > Folder Options > View tab > scroll down and tick the box for "Show hidden files and folders".

Delete, in safe mode:
Folders
C:\Program Files\Web_Rebates
C:\Program Files\ISTsvc
c:\windows\180solutions
c:\windows\system32\frrdf8e
C:\Program Files\Windows SyncroAd
C:\WINDOWS\EliteBar
C:\spe

Files
C:\Documents and Settings\Tom.WOONKAMER\Application Data\thip.exe
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\System32\anewntpm.exe
C:\windows\system32\winchr32.exe

3. Go to Start - Run and type in there:
%TEMP%
Click OK.
Now delete EVERYTHING that is in this folder. So not the folder itself, but everything that is IN it.

4. Reboot into normal mode.

5. Run at least 2 of these online virus scans, with a reboot in between:

- http://www.bitdefender.com/scan/licence.php
- http://housecall.trendmicro.com/housecall/start_corp.asp
- http://us.mcafee.com/root/mfs/default.asp
- http://www.pandasoftware.com/activescan/com/activescan_principal.htm

6. Reboot.

7. Create a new log, and post it here :)
 
next step

In any case, thanks a lot already for the help!!!

I followed all the steps, only after I had "fixed" the indicated files with HJT I could not entirely carry out the next step.
I had to delete a number of folders and a number of individual files. In principle that went well, except:

C:\Documents and Settings\Tom.WOONKAMER\Application Data\thip.exe
C:\WINDOWS\system32\shdocpe.dll

are not present, so I could not delete them either.

Apart from that I carried out all the steps, and this is my new HJT log file.



Logfile of HijackThis v1.98.2
Scan saved at 13:37:14, on 14-10-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\scvhosting.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\?hkdsk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {3FFC4402-961A-74E6-D752-64550DF2794D} - C:\WINDOWS\System32\zswm.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [[Ephemeral 2.4] by TreeHugger, ] C:\DOCUME~1\TOM~1.WOO\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winchr32.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - Startup: Sonic INSTALLit! Setup.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2520E2D-A8C2-478B-BD56-1323B174540A}: NameServer = 194.134.5.5 194.134.0.97
 
Re: next step

Posted by schizo

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

O2 - BHO: (no name) - {3FFC4402-961A-74E6-D752-64550DF2794D} - C:\WINDOWS\System32\zswm.dll

O4 - HKLM\..\Run: [[Ephemeral 2.4] by TreeHugger, ] C:\DOCUME~1\TOM~1.WOO\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winchr32.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe

Hi Schizo,

1. Check the entries above in HijackThis, close all other windows and browsers, and click Fix Checked.

2. Reboot into safe mode.
Make sure hidden files and folders are visible: Explorer > Tools > Folder Options > View tab > scroll down and tick the box for "Show hidden files and folders".

Delete, in safe mode:
C:\windows\system32\winchr32.exe << file

Go to Start - Run and type in there:
%TEMP%
Click OK.
Now delete EVERYTHING that is in this folder. So not the folder itself, but everything that is IN it.

3. Reboot into normal mode, create a new log with HijackThis, and post it here :)
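
Added example (not part of the original posts): Python that parses the O4 registry autorun lines of a HijackThis log and reports which entries selected for fixing show up again in the following log, grouped by value name. The sample lines are excerpted from the 13-10-2004 fix list and the 14-10-2004 log in this thread; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# O4 registry autorun line: "O4 - <hive>\..\<key>: [<value name>] <command>".
# The greedy (.*) keeps value names that themselves contain brackets intact,
# e.g. "[[Ephemeral 2.4] by TreeHugger, ]".
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*)\] (.+)$")

# Excerpt of the entries the helper listed for "Fix Checked" (13-10-2004 log).
FIX_LIST = r"""
O4 - HKLM\..\Run: [aut0 repair system] qautilec.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winchr32.exe
O4 - HKLM\..\Run: [[Ephemeral 2.4] by TreeHugger, ] C:\DOCUME~1\TOM~1.WOO\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [saap] c:\windows\180solutions\saap.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Ueet] C:\Documents and Settings\Tom.WOONKAMER\Application Data\thip.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
"""

# Excerpt of the follow-up log posted after the cleanup (14-10-2004).
NEXT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [[Ephemeral 2.4] by TreeHugger, ] C:\DOCUME~1\TOM~1.WOO\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winchr32.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - Startup: Sonic INSTALLit! Setup.lnk = ?
"""


def parse_o4(log_text):
    """Return the set of (hive, key, value_name, command) registry autoruns.

    Startup-folder lines ("O4 - Startup: ...") and all other sections are
    skipped because they do not match the registry autorun pattern.
    """
    entries = set()
    for line in log_text.splitlines():
        match = O4_RE.match(line.strip())
        if match:
            entries.add(match.groups())
    return entries


def still_present(fix_list, next_log):
    """Entries that were selected for fixing but appear again in the next log."""
    return parse_o4(fix_list) & parse_o4(next_log)


def by_value_name(entries):
    """Group entries by value name -> sorted list of 'HIVE\\key' locations."""
    grouped = defaultdict(list)
    for hive, key, name, _command in entries:
        grouped[name].append(f"{hive}\\{key}")
    return {name: sorted(locations) for name, locations in grouped.items()}


if __name__ == "__main__":
    survivors = by_value_name(still_present(FIX_LIST, NEXT_LOG))
    for name, locations in sorted(survivors.items()):
        print(f"[{name}] still registered under: {', '.join(locations)}")
```
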
 