annelies is ook besmet

[puppie]

Hoi,

Wij hebben het lang kunnen tegen houden maar helaas zijn er nu ook enkele computers bij ons besmet met spyware.
Hier is 1 log en daar komt steeds vervelende pop-up naar voren plus de startpagina van de internet explore wijzigd steeds.
gescand met ad-aware se

Logfile of HijackThis v1.98.2
Scan saved at 15:59:16, on 02-12-04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\NORMAN\nvc\bin\Zanda.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\soundman.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\WINNT\system32\m2gr32.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINNT\system32\internat.exe
C:\WinZip\WZQKPICK.EXE
C:\koppie\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = NV Enschedese Zwembaden.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINNT\system32\IEHelper.dll
O2 - BHO: NBHO1 Class - {53F53E00-4C2B-43E5-8AF0-D3C863E8FC65} - C:\Program Files\Danware Data\NetOp School\STUDENT\NBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.6.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINNT\system32\m2gr32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aquadrome.lokaal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aquadrome.lokaal
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aquadrome.lokaal

 

[buffy]

Dit is de allernieuwste variant van MS-Connect. Eerder vandaag zag ik deze voor het eerst.
Verwijderen is gelukkig niet al te moeilijk.


1. Scan met HijackThis en vink de volgende items aan:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html

O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINNT\system32\IEHelper.dll

O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.6.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINNT\system32\m2gr32.exe

Sluit alle vensters behalve HijackThis zelf en klik op "Fix checked".

2. Herstart de pc in veilige modus.
Zorg ervoor dat verborgen bestanden worden weergegeven.

Verwijder:

C:\WINNT\system32\m2gr32.exe <- dat bestand
C:\Program Files\EnterOne <- die map
C:\Program Files\Hotbar <- die map (indien nog aanwezig)

3. Herstart de pc in 'normale modus'.

4. Maak een nieuw log en plaats dat hier.

 

[puppie]

tweede log

Hier is dan de tweede log.
Helaas heb ik niet in de veilige modus kunnen werken.
Ik werk van afstand en dan heb ik geen netwerkverbinding in de veilige modus.

Logfile of HijackThis v1.98.2
Scan saved at 18:40:22, on 02-12-04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\NORMAN\nvc\bin\Zanda.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\soundman.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\internat.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WinZip\WZQKPICK.EXE
C:\koppie\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = NV Enschedese Zwembaden.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NBHO1 Class - {53F53E00-4C2B-43E5-8AF0-D3C863E8FC65} - C:\Program Files\Danware Data\NetOp School\STUDENT\NBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aquadrome.lokaal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aquadrome.lokaal
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aquadrome.lokaal

 

[buffy]

Re: tweede log

Geplaatst door puppie
Helaas heb ik niet in de veilige modus kunnen werken.

Zo te zien is het toch verwijderd.

 

[puppie]

En mag ik jou dan weer heel hartelijk bedanken.


BEDANKT.