Helpmij tegen spyware offensief (deel 3)

Status
Niet open voor verdere reacties.
Geplaatst door Joe Cool

C:\DOCUME~1\Werner\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper ***

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe ***

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/147f06d0aec8c6282215/netzip/RdxIE601.cab
Klik om te vergroten...

Hoi Joe Cool,

Verplaats hijackthis.exe eerst naar een aparte map. Het programma maakt backups in de map waar de .exe zich bevindt. In een Temp map verdwijnen die nogal gemakkelijk.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op in veilige modus en verwijder:
C:\Program Files\MyWebSearch <= de hele map

Groetjes,

Pieter
 
Re: HELPPPPP

Geplaatst door Spookje

C:\Documents and Settings\Administrator\Bureaublad\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.fastmp3.nl/test/nl.exe
Klik om te vergroten...

Hoi spookje,

Verplaats hijackthis.exe eerst naar een aparte map. Het programma maakt backups in de map waar de .exe zich bevindt.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op.

Geplaatst door Spookje

ik word helemaal :evil: van al die iritante messenger popups :8-0:

Klik om te vergroten...

Voor Messeneger popups is de beste remedie een firewall, want ze tonen onomstotelijk aan dat je computer een open huis is.

Bovendien zou het geen kwaad kunnen als je Windows en IE update.

De gemakkelijke uitweg vind je hier: http://grc.com/stm/shootthemessenger.htm

Groetjes,

Pieter
 
Geplaatst door JolandaC

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = omegasearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html

O2 - BHO: (no name) - {7C80D0D5-A691-A816-81BC-654B2759258D} - C:\PROGRA~1\SITENU~1\BIND ROAD.dll

O2 - BHO: (no name) - {F62A47A7-4CA3-9D00-95A3-6724d43a9E8C} - LineAudio.dll (file missing)

O3 - Toolbar: binthirdsect - {07E77B1E-1EAD-244F-9CBA-7DCD460ECC45} - C:\PROGRA~1\SITENU~1\BIND ROAD.dll

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
Klik om te vergroten...

Hoi Jolanda,

Eerst klik je "Start" > "Uitvoeren" > typ of knip&plak rundll32 C:\WINDOWS\System32:awpzjcf.dll,Uninstall > "OK"

Ik hoop dat het lukt met die oude versie van HijackThis.
Als het niet lukt of je hebt problemen na het opnieuw opstarten download dan de nieuwste versie van HijackThis en post een nieuw log.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op in veilige modus en verwijder:
C:\PROGRAM FILES\QuickPage <= de hele map
C:\PROGRAM FILES\dvd mfcd <= de hele map
C:\WINDOWS\System32\ls.exe
C:\PROGRAM FILES\SITENU~1 <= de hele map met het bestand BIND ROAD.dll erin.

Groetjes,

Pieter
 
Re: Nieuwe PC - nieuwe spytrouble

Geplaatst door Genfling

R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe ***

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe ***

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot ***
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe ***
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ***
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ***
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm23230

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23b2b94751f7cd2f3306/netzip/RdxIE601.cab

O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab
Klik om te vergroten...

Hoi Genfling,

In één dag? :eek: Fijn he, KaZaa ? :evil:

Degenen met *** zijn de (naar mijn mening) overbodige.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op in veilige modus en verwijder:
C:\Program Files\PERFECTNAV <= de hele map
C:\Program Files\MyWebSearch <= de hele map
C:\Program Files\MyWay <= de hele map
C:\Program Files\Common files\updmgr <= de hele map
C:\Program Files\Common Files\GMT <= de hele map
c:\program files\altnet\points manager <= de hele map

In Configurateiescherm > Software verwijder je P2P Networking.

Kijk daarna even hier:
http://home.planet.nl/~kleyn080/Spywareinfonl.html

Groetjes,

Pieter
 
Geplaatst door gmooij


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = omegasearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html

O2 - BHO: (no name) - {7C80D0D5-A691-A816-81BC-654B2759258D} - C:\PROGRA~1\SITENU~1\BIND ROAD.dll

O3 - Toolbar: binthirdsect - {07E77B1E-1EAD-244F-9CBA-7DCD460ECC45} - C:\PROGRA~1\SITENU~1\BIND ROAD.dll

O4 - HKLM\..\Run: [modeping] C:\PROGRA~1\dvd mfcd\eq trust deaf.exe

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
Klik om te vergroten...

Hoi gmooij,

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op in veilige modus en verwijder:
C:\PROGRAM FILES\dvd mfcd <= de hele map
C:\PROGRAM FILES\SITENU~1 <= de hele map met het bestand BIND ROAD.dll erin.

Groetjes,

Pieter
 
Re: Log bestand

Geplaatst door Zwollenoord

Kun je mij trouwens ook expleciet aangeven hoe dit te voorkomen valt. ?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html

O4 - HKLM\..\Run: [3112429.exe] C:\WINDOWS\System32\3112429.exe

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [QuickZip] C:\WINDOWS\System32\ls.exe

O4 - HKCU\..\Run: [Shareaza] "D:\Program Files\Shareaza\Shareaza.exe" -tray

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
Klik om te vergroten...

Hoi Zwollenoord,

Dialers (waar je er twee van hebt) maken meestal gebruik van te lage beveiligingsinstellingen.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op in veilige modus en verwijder:
C:\Program Files\QuickPage <= de hele map
C:\WINDOWS\System32\3112429.exe
C:\WINDOWS\sysupd.exe
C:\WINDOWS\System32\ls.exe

Kijk daarna even hier voor het opschroeven van je beveiliging:
http://home.planet.nl/~kleyn080/Spywareinfonl.html

Groetjes,

Pieter
 
Re: mijn logfile

Geplaatst door deb's


Ik krijg de laatste tijd wel weer erg veel vervelden reclame mailtjes enzo. Willen jullie mijn logfile weer ns n keer nakijken.
Klik om te vergroten...

Hoi deb's,

Welke mailtjes je krijgt heeft niet altijd te maken met wat je op je computer hebt.
Als je allerlei reclames krijgt die spotgoedkoop nepartikelen aanbieden of waar je diverse lichaamsdelen kunt laten vergroten, moet ik je helaas teleurstellen. Die krijg ik ook. :evil:

Je log ziet er netjes uit, dus je moet even op zoek naar een spamfilter of zelf de Delete knop hanteren.

Groetjes,

Pieter
 
Hallo,

Zou iemand even kunnen kijken naar deze logfile van een collega van me, er is gescand met spybot en ad-aware.

Logfile of HijackThis v1.97.7
Scan saved at 10:02:13, on 15-4-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\wincmp32.exe
C:\WINDOWS\wincmp32.exe
C:\WINDOWS\wincmp32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\Rcman.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\VRC.exe
C:\Program Files\Creative\SBExtigy\RemoteCenter\Center\RCenter.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\wincmp32.exe
C:\Documents and Settings\Adriaan Abendanon\Bureaublad\Luke\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F0 - system.ini: Shell=explorer.exe wincmp32.exe
F1 - win.ini: load=C:\WINDOWS\wincmp32.exe
F1 - win.ini: run=C:\WINDOWS\wincmp32.exe
F2 - REG:system.ini: Shell=explorer.exe wincmp32.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.planet.nl"); (C:\Documents and Settings\Adriaan Abendanon\Application Data\Mozilla\Profiles\default\1n6agi6t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Adriaan Abendanon\Application Data\Mozilla\Profiles\default\1n6agi6t.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Blue size - {E0F27307-33C5-E707-2019-B0184C99649A} - C:\PROGRA~1\CASTDU~1\Bin meet.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\SBExtigy\RemoteCenter\Rc\Rcman.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab



Alvast bedankt!
 
Geplaatst door Lukev3

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html

F0 - system.ini: Shell=explorer.exe wincmp32.exe
F1 - win.ini: load=C:\WINDOWS\wincmp32.exe
F1 - win.ini: run=C:\WINDOWS\wincmp32.exe
F2 - REG:system.ini: Shell=explorer.exe wincmp32.exe

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Blue size - {E0F27307-33C5-E707-2019-B0184C99649A} - C:\PROGRA~1\CASTDU~1\Bin meet.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
Klik om te vergroten...

Hoi Lukev3,

In ieder geval deze trojan:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.asylum.html

Verplaats hijackthis.exe eerst naar een aparte map. Het programma maakt backups in de map waar de .exe zich bevindt. Dat wordt druk op je bureaublad.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op in veilige modus en verwijder:
C:\WINDOWS\wincmp32.exe
C:\Program Files\MyWay <= de hele map
C:\WINDOWS\sysupd.exe
C:\PROGRAM FILES\CASTDU~1 <= de hele map met het bestand Bin meet.dll er in.

Groetjes,

Pieter
 
pc van kantoor:
gescand met adware
Logfile of HijackThis v1.97.7
Scan saved at 11:15:44, on 15-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Windows\System32\PROMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\System\MAPI\1043\nt\MAPISP32.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Windows\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\MARGA NO WERKMAP\Mijn documenten\computer hulpprogs\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0413/bl7.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {6EABE8B6-5C8E-4B1B-AEAB-7FE17C4A3A04} - https://server.db.kvk.nl/WWWEXT01/install/plugin/KVKar51.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxxxxxxxxxxxxxx
O17 - HKLM\Software\..\Telephony: DomainName = xxxxxxxxxxxxxxxxxx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxxxxxxxxxxxx
 
Hoi!


Ik heb heel weinig verstand van computers, maar als het goed is heb ik gedaan wat er stond.

Ik heb ad-aware gedownload en daarmee dus ook gescand en daarna heb ik ook hijack this gedownload en dit is het resultaat.

Logfile of HijackThis v1.97.7
Scan saved at 21:34:42, on 14-4-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\RaboCommSrv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Common files\updmgr\updmgr.exe
E:\WINDOWS\System32\ctfmon.exe
E:\PROGRA~1\INTERN~2\iw.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Rabotwin\RaboComm\RaboSessionMon.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\PROGRA~1\INCRED~1\bin\ImApp.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Eigenaar\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?www.rabobank.nl (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///E:/Program%20Files/QuickPage/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
O1 - Hosts: 198.65.164.171 ehttp.cc
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - E:\Program Files\Popup Blockade\PBHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] E:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] E:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] E:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [updmgr] E:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [WeatherOnTray] E:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Washer Pro] E:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] E:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\RunOnce: [Ad-aware] "E:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Rabo Session Monitor.lnk = E:\Program Files\Rabotwin\RaboComm\RaboSessionMon.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GStartup.lnk = E:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - E:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\Software\..\Telephony: DomainName = K31654.sckr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D07B442-BE3C-4F23-9C1D-2EB0E5168F6E}: NameServer = 62.58.50.5 62.58.50.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = K31654.sckr.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D14FDDF-C5D4-41DD-85EF-866110EAF1FB}: Domain = K31654.sckr.com



Zouden jullie hier misschien even naar willen kijken?

Alvast bedankt!!!
 
Hier is mijn log jongers... zeg maar wat ik moet doen. Bedankt

Logfile of HijackThis v1.97.7
Scan saved at 11:37:06, on 15-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SysUpd.exe
C:\WINDOWS\System32\w32sup.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\TrueBlock\TrueBlock.exe
C:\WINDOWS\swchost.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System\winspool.exe
C:\docume~1\eigenaar\applic~1\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Eigenaar\Bureaublad\Nieuwe map\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8FA29996-D0A6-444F-85F6-9691A0EAE6F3} - C:\Program Files\TrueAssistant\TrueAssistantToolbar.dll
O2 - BHO: (no name) - {A6F42CAD-2559-48DF-AF30-89E480AF5DFA} - C:\WINDOWS\System32\bho.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-71766C641306} - C:\WINDOWS\System32\vld1306.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\System32\wer1306.dll
O2 - BHO: (no name) - {DAF37100-2D0D-3554-C4F3-7D899C30B847} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [TrueBlock] C:\Program Files\TrueBlock\TrueBlock.exe
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Eigenaar\Application Data\Microsoft\sr64\jkkogbdn.exe
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\system32\winproc32.exe
O4 - HKCU\..\Run: [rundll32] C:\Program Files\Bargain Buddy\rundll32.exe
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - HKCU\..\Run: [System Update4] c:\docume~1\eigenaar\applic~1\svchost.exe
O4 - Startup: Microsoft Data Helper.lnk = ?
O9 - Extra button: TrueAssistant (HKLM)
O9 - Extra 'Tools' menuitem: TrueAssistant (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.98/058364nl.exe
O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load5.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9D77F204-F995-4A8E-8267-E7AD91776568} (Vacpro.olanda_ver2) - http://www.7adpower.com/dialer/olanda_ver2.CAB
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.real-euros.com/EPlugin_NL.cab
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
 
Geplaatst door nic322

E:\Documents and Settings\Eigenaar\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?[url]www.rabobank.nl[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@[url]www.e-finder.cc/hp/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///E:/Program%20Files/QuickPage/Portal/portal.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
O1 - Hosts: 198.65.164.171 ehttp.cc
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - E:\Program Files\Popup Blockade\PBHelper.dll (file missing)

O4 - HKLM\..\Run: [KAZAA] E:\Program Files\Kazaa\kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [updmgr] E:\Program Files\Common files\updmgr\updmgr.exe

O4 - Global Startup: GStartup.lnk = E:\Program Files\Common Files\GMT\GMT.exe

O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = K31654.sckr.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D14FDDF-C5D4-41DD-85EF-866110EAF1FB}: Domain = K31654.sckr.com
Klik om te vergroten...

Hoi nic322,

Verplaats hijackthis.exe eerst naar een aparte map. Het programma maakt backups in de map waar de .exe zich bevindt. Dat wordt druk op je bureaublad.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download en run: http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Let goed op de aanwijzingen die je van het programma krijgt.

Start daarna opnieuw op in veilige modus en verwijder:
E:\Program Files\Common files\updmgr <= de hele map
E:\Program Files\Common Files\GMT <= de hele map

Groetjes,

Pieter
 
Geplaatst door Allard

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/

R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)

O2 - BHO: (no name) - {A6F42CAD-2559-48DF-AF30-89E480AF5DFA} - C:\WINDOWS\System32\bho.dll

O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-71766C641306} - C:\WINDOWS\System32\vld1306.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721306} - C:\WINDOWS\System32\wer1306.dll
O2 - BHO: (no name) - {DAF37100-2D0D-3554-C4F3-7D899C30B847} - (no file)

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe

O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe

O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Eigenaar\Application Data\Microsoft\sr64\jkkogbdn.exe
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\system32\winproc32.exe
O4 - HKCU\..\Run: [rundll32] C:\Program Files\Bargain Buddy\rundll32.exe
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - HKCU\..\Run: [System Update4] c:\docume~1\eigenaar\applic~1\svchost.exe

O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.98/058364nl.exe
O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load5.exe

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9D77F204-F995-4A8E-8267-E7AD91776568} (Vacpro.olanda_ver2) - http://www.7adpower.com/dialer/olanda_ver2.CAB
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.real-euros.com/EPlugin_NL.cab
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
Klik om te vergroten...

:eek:

Hoi Allard,

Wat een ellende.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download en run: http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Let goed op de aanwijzingen die je van het programma krijgt.

Start daarna opnieuw op in veilige modus en verwijder:
C:\WINDOWS\SysUpd.exe
C:\WINDOWS\System32\w32sup.exe
C:\WINDOWS\swchost.exe
C:\documents and settings\eigenaar\application data\svchost.exe
C:\Documents and Settings\Eigenaar\Application Data\Microsoft\sr64 <= de hele map

Doe dan een online virusscan bv hier www.housecall.nl

Ga dan naar mijn site http://home.planet.nl/~kleyn080/Spywareinfonl.html en volg de links voor het installeren en scannen met AdAware.
(Als je er toch bent, er staat ook een heel stuk over voorkomen ;) )

Als je daarmee gescand hebt en opnieuw bent opgestart maak dan nog een nieuw HijackThis log en plaats dat weer.

Groetjes,

Pieter
 
Geplaatst door nic322
Hoi!


Ik heb heel weinig verstand van computers, maar als het goed is heb ik gedaan wat er stond.

Ik heb ad-aware gedownload en daarmee dus ook gescand en daarna heb ik ook hijack this gedownload en dit is het resultaat.

Logfile of HijackThis v1.97.7
Scan saved at 21:34:42, on 14-4-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\RaboCommSrv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Common files\updmgr\updmgr.exe
E:\WINDOWS\System32\ctfmon.exe
E:\PROGRA~1\INTERN~2\iw.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Rabotwin\RaboComm\RaboSessionMon.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\PROGRA~1\INCRED~1\bin\ImApp.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Eigenaar\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?[url]www.rabobank.nl[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@[url]www.e-finder.cc/hp/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///E:/Program%20Files/QuickPage/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
O1 - Hosts: 198.65.164.171 ehttp.cc
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - E:\Program Files\Popup Blockade\PBHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] E:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] E:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] E:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] E:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [updmgr] E:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [WeatherOnTray] E:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Washer Pro] E:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] E:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\RunOnce: [Ad-aware] "E:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Rabo Session Monitor.lnk = E:\Program Files\Rabotwin\RaboComm\RaboSessionMon.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: GStartup.lnk = E:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - E:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\Software\..\Telephony: DomainName = K31654.sckr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D07B442-BE3C-4F23-9C1D-2EB0E5168F6E}: NameServer = 62.58.50.5 62.58.50.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = K31654.sckr.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D14FDDF-C5D4-41DD-85EF-866110EAF1FB}: Domain = K31654.sckr.com



Zouden jullie hier misschien even naar willen kijken?

Alvast bedankt!!!
Klik om te vergroten...
 
Status
Niet open voor verdere reacties.
                    Steun ons                    

Nieuwste berichten

Terug
Bovenaan Onderaan