Helpmij tegen spyware offensief (deel 3)

Status
Niet open voor verdere reacties.
hoi k heb problemen met run32.dll las op dit forum dat k het hier ff moest posten hoop dat het helpt alvast bedankt


Logfile of HijackThis v1.97.7
Scan saved at 15:41:24, on 18-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
\Markpc\g\Adobe Photoshp 5.5\Photoshop 5.5 Full Retail\Setup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Eigenaar\Mijn documenten\BB (Belangrijke Bestanden)\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multikabel.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ne3.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Multikabel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.multikabel.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\pdfupd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WashAndGo - Cleanup of old Backupfiles] C:\Program Files\WashAndGo\checker.exe /check
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.multikabel.nl
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {1F20CF42-B381-4181-8C2A-A389B1022E6E} (Dialer.Class1) - http://www.ipxs.nl/php/fundate.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38038.1111805556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
 
Re: verkeerde post

Geplaatst door stijn10
Ik krijg steeds post van mensen die volgens mij jouw moeten hebben.
Ik krijg nu zo een beetje 10 mails per dag met vragen en bedankjes over spyware.

Hoe kan dit?
Klik om te vergroten...

stijn10,

Komen die mailtjes van Helpmij?
Zoja, dan staat er helemaal onderin een link om je af te melden. Klik daar maar op.

Groetjes,

Pieter
 
Mijn norton wil nog steeds niet goed openen, is het handig om een topic te openen elders op het forum?
 
Geplaatst door Superspinnie

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [msbb] c:\program files\180solutions\msbb.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

O4 - HKLM\..\Run: [ansrcl] C:\WINDOWS\ansrcl.exe

O4 - HKCU\..\Run: [Trdc] C:\Documents and Settings\M & V\Application Data\nwlm.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
Klik om te vergroten...

Hoi superspinnie,

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan je computer opnieuw op en verwijder:
C:\Program Files\ISTsvc <= de hele map
c:\program files\180solutions <= de hele map
C:\Program Files\Power Scan <= de hele map
C:\Documents and Settings\M & V\Application Data\nwlm.exe
C:\WINDOWS\System32\wapisvsu.exe

Groetjes,

Pieter
 
Heb gisteren ADSL geinstalleerd en via vrienden deze site opgegeven gekregen. Heb last van spyware en heb volgens jullie aanbevelingen Ad-aware 6.x + Hijack-this gedownload en gerund.

Kunnen jullie helpen (dit is mijn eerste bericht)?
Alvast bedankt!

De log van Hijack this luidt als volgt:

Logfile of HijackThis v1.97.7
Scan saved at 15:24:52, on 18-4-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\windows\redirect7.exe
C:\Program Files\Conexant\CnxDslTb.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Cornelis Bos\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
O1 - Hosts: 213.222.11.11 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DotComToolbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - c:\windows\toolbar_nieuw14.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\CnxDslTb.exe"
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &RSDN Search - res://c:\windows\toolbar_nieuw14.dll/GoRSDN.dll.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {0733B8F9-8B52-4693-A9FA-829E12D27F78} (preload control) - http://www.thepaymentcentre.com/build/preload2.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binari...tia32_EN_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
 
Re: Help vervelende homepage internet

Geplaatst door driverv

O2 - BHO: (no name) - {20A73CA1-4C3A-BC2B-2E58-866C18E6397D} - C:\PROGRA~1\BOWSMA~1\Setup Site.dll

O3 - Toolbar: plus sect - {E08E37A7-6F93-732C-D6F7-E9831820DF8E} - C:\PROGRA~1\BOWSMA~1\Setup Site.dll

O4 - HKLM\..\Run: [vga browse] C:\PROGRA~1\COALAI~1\idle view.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/013f4116546d849a9c06/netzip/RdxIE601.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
Klik om te vergroten...

Hoi driverv,

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan je computer opnieuw op in veilige modus en verwijder:
C:\Program Files\BOWSMA~1 <= de hele map met daarin het bestand Setup Site.dll
C:\Program Files\COALAI~1 <= de hele map met daarin het bestand idle view.exe
C:\Program Files\AutoUpdate <= de hele map

Groetjes,

Pieter
 
Geplaatst door Xiqum


Mijn istbar had hij gevonden in mijn system restore nou had ik gevonden dat ik deze aan en uit moest zetten. Zo gezegd zo gedaan, en heb er geen melding van gehad maar mijn norton deed het nog niet. Ik ga nu avg eraf gooien en norton maar proberen.
Klik om te vergroten...

Beide beslissingen. :thumb:

Groetjes,

Pieter
 
He, ik heb nog steeds last van dat spy ongedierte.. ik heb net adaware gerund...en alles gedelete...hierna hijack this gerund... hier is mijn log:

Logfile of HijackThis v1.97.7
Scan saved at 16:05:30, on 18-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System\winspool.exe
C:\docume~1\eigenaar\applic~1\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Eigenaar\Bureaublad\Nieuwe map\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Eigenaar\Application Data\Microsoft\sr64\hipcaagh.exe
O4 - HKCU\..\Run: [System Update4] c:\docume~1\eigenaar\applic~1\svchost.exe
O4 - Startup: Microsoft Data Helper.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://little-flowers-pussy.com/ebook.chm::/loader.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

bedankt alvast
 
Geplaatst door remcos

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ne3.hpwis.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)

O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\pdfupd.dll

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {1F20CF42-B381-4181-8C2A-A389B1022E6E} (Dialer.Class1) - http://www.ipxs.nl/php/fundate.CAB

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
Klik om te vergroten...

Hoi remcos,

Wil jij dit bestandje svp naar mij opsturen voor je met de rest begint?
C:\WINDOWS\System32\pdfupd.dll
=>Klik hier voor het adres<=

Vink dan de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op.

Groetjes,

Pieter
 
Geplaatst door Cornelis Bos

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
O1 - Hosts: 213.222.11.11 auto.search.msn.com

O3 - Toolbar: DotComToolbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - c:\windows\toolbar_nieuw14.dll

O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe

O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe

O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe

O8 - Extra context menu item: &RSDN Search - res://c:\windows\toolbar_nieuw14.dll/GoRSDN.dll.htm

O16 - DPF: {0733B8F9-8B52-4693-A9FA-829E12D27F78} (preload control) - http://www.thepaymentcentre.com/build/preload2.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binari...tia32_EN_XP.cab
Klik om te vergroten...

Hallo Cornelis Bos,

Welkom op Helpmij. :)

Voor je begint wil ik je aanraden om HijackThis naar een aparte map uit te pakken. Het programma maakt backups in de map waar het staat en
zoals jij het nu draait (uit de zipmap) gaat dat niet.

Vink dan de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download en run http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Gebruik de Fix knop en let goed op de aanwijzingen van het programma.

Start daarna opnieuw op in veilige modus en verwijder:
C:\windows\easywww2.exe
C:\windows\redirect7.exe
wuamgrd.exe

Groetjes,

Pieter
 
Geplaatst door Allard

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find-online.net/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm

F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe

O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Eigenaar\Application Data\Microsoft\sr64\hipcaagh.exe
O4 - HKCU\..\Run: [System Update4] c:\docume~1\eigenaar\applic~1\svchost.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://little-flowers-pussy.com/ebook.chm::/loader.exe
Klik om te vergroten...

Hoi Allard,

Dit log komt me heel erg bekend voor. Kan dat?
Het is in ieder geval een trrojan festijn van jewelste.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download en run http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Gebruik de Fix knop en let goed op de aanwijzingen van het programma.

Start daarna opnieuw op in veilige modus en verwijder:
C:\Documents and Settings\Eigenaar\Application Data\svchost.exe
C:\WINDOWS\SysUpd.exe
C:\WINDOWS\System32\w32sup.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\fsvch.exe
C:\WINDOWS\System\winspool.exe
C:\Documents and Settings\Eigenaar\Application Data\Microsoft\sr64 <= de hele map

Post een nieuw log als je klaar bent.

Groetjes,

Pieter
 
Beste Pieter...

Ik had idd vorige week al wat gepost..maar moest toen onverhoopt weg...

Ik heb gedaan wat je zei, maar ik kan niet alle bestanden vinden om te verwijderen:

C:\WINDOWS\SysUpd.exe
C:\WINDOWS\System32\w32sup.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\fsvch.exe

die kan ik dus gewoon niet vinden..ik heb verborgen bestanden aangezet bij de mapopties...
 
mijn hijacklog

Hallo,

mijn problemen :
- start-pagina niet meer te wijzigen
- bepaalde functies werken niet meer : scherm verdwijnt direct
* klok goedzetten
* Add/Remove programs
* restore punt zetten (ik heb windows XP)
- Trojan/virus alert : "Exploit-Codebase" : bestand niet te cleanen of verwijderen.

Ik heb reeds volgende handelingen uitgevoerd : Spybot S&D en Adware6.

Ten einde raad een hijackthis-log aangemaakt : ziehier het resultaat :

Logfile of HijackThis v1.97.7
Scan saved at 13:00:46, on 17/04/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\KMaestro\Key_e.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\llass.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\reg33.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\5-1-25-85.exe
C:\windows\5-1-35-16.exe
C:\windows\5-1-25-224.exe
C:\WINDOWS\AddCLS.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\reg33.exe
C:\WINDOWS\System32\svchost.exe
D:\My Documents\Chrispie\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sex-family.net/sherbook/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [5-1-25-85] c:\windows\5-1-25-85.exe -m
O4 - HKCU\..\Run: [5-1-25-331] c:\program files\Webdialer\5-1-25-331.exe -m
O4 - HKCU\..\Run: [5-1-35-16] c:\windows\5-1-35-16.exe -m
O4 - HKCU\..\Run: [60-1-1-177] c:\windows\60-1-1-177.exe -m
O4 - HKCU\..\Run: [5-1-61-22] c:\windows\5-1-61-22.exe -m
O4 - HKCU\..\Run: [5-1-61-59] c:\program files\Webdialer\5-1-61-59.exe -m
O4 - HKCU\..\Run: [5-2-145-59] c:\program files\Webdialer\5-2-145-59.exe -m
O4 - HKCU\..\Run: [5-2-100-8] c:\program files\Webdialer\5-2-100-8.exe -m
O4 - HKCU\..\Run: [5-4-30-383] c:\program files\Webdialer\5-4-30-383.exe -m
O4 - HKCU\..\Run: [5-2-145-36] c:\program files\Webdialer\5-2-145-36.exe -m
O4 - HKCU\..\Run: [5-2-109-28] c:\program files\Webdialer\5-2-109-28.exe -m
O4 - HKCU\..\Run: [5-2-145-21] c:\program files\Webdialer\5-2-145-21.exe -m
O4 - HKCU\..\Run: [5-2-109-124] c:\program files\Webdialer\sex_collection.exe -m
O4 - HKCU\..\Run: [5-1-25-224] c:\windows\5-1-25-224.exe -m
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
O4 - HKCU\..\Run: [5-1-61-47] c:\program files\Webdialer\5-1-61-47.exe -m
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.learning-site.com/cimonline/player/awarewebplayer/download/smart/cab/awswaxm.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/250ce77526692283cb05/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://www3.compaq.com/support/sndetect/CSND_AX.CAB
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - file://F:\Setup\tsccinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37231.1019560185
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9E7D9AE-7AE6-4797-BAB8-5EB2CD663382}: NameServer = 195.238.2.21 195.238.2.22

Wie kan mij helpen ?
 
Geplaatst door Allard
Beste Pieter...

Ik had idd vorige week al wat gepost..maar moest toen onverhoopt weg...

Ik heb gedaan wat je zei, maar ik kan niet alle bestanden vinden om te verwijderen:

C:\WINDOWS\SysUpd.exe
C:\WINDOWS\System32\w32sup.exe
C:\WINDOWS\swchost.exe
C:\WINDOWS\System32\scchost.exe
C:\WINDOWS\fsvch.exe

die kan ik dus gewoon niet vinden..ik heb verborgen bestanden aangezet bij de mapopties...
Klik om te vergroten...

Hoi Allard,

Post nog even een nieuw log voor de zekerheid.

Groetjes,

Pieter
 
Hier is hij....

Logfile of HijackThis v1.97.7
Scan saved at 17:16:43, on 18-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eigenaar\Bureaublad\Nieuwe map\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
 
Re: mijn hijacklog

Geplaatst door chrispie


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sex-family.net/sherbook/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@[url]www.e-finder.cc/search/[/url] (obfuscated)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe

O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe

O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe

O4 - HKCU\..\Run: [5-1-25-85] c:\windows\5-1-25-85.exe -m
O4 - HKCU\..\Run: [5-1-25-331] c:\program files\Webdialer\5-1-25-331.exe -m
O4 - HKCU\..\Run: [5-1-35-16] c:\windows\5-1-35-16.exe -m
O4 - HKCU\..\Run: [60-1-1-177] c:\windows\60-1-1-177.exe -m
O4 - HKCU\..\Run: [5-1-61-22] c:\windows\5-1-61-22.exe -m
O4 - HKCU\..\Run: [5-1-61-59] c:\program files\Webdialer\5-1-61-59.exe -m
O4 - HKCU\..\Run: [5-2-145-59] c:\program files\Webdialer\5-2-145-59.exe -m
O4 - HKCU\..\Run: [5-2-100-8] c:\program files\Webdialer\5-2-100-8.exe -m
O4 - HKCU\..\Run: [5-4-30-383] c:\program files\Webdialer\5-4-30-383.exe -m
O4 - HKCU\..\Run: [5-2-145-36] c:\program files\Webdialer\5-2-145-36.exe -m
O4 - HKCU\..\Run: [5-2-109-28] c:\program files\Webdialer\5-2-109-28.exe -m
O4 - HKCU\..\Run: [5-2-145-21] c:\program files\Webdialer\5-2-145-21.exe -m
O4 - HKCU\..\Run: [5-2-109-124] c:\program files\Webdialer\sex_collection.exe -m
O4 - HKCU\..\Run: [5-1-25-224] c:\windows\5-1-25-224.exe -m
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
O4 - HKCU\..\Run: [5-1-61-47] c:\program files\Webdialer\5-1-61-47.exe -m

O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/250ce77526692283cb05/netzip/RdxIE601.cab
Klik om te vergroten...

Hoi chrispie,

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download en run http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Gebruik de Fix knop en let goed op de aanwijzingen van het programma.

Start daarna opnieuw op in veilige modus en verwijder:
C:\WINDOWS\system32\llass.exe <= LET GOED OP de spelling. NIET lsass.exe verwijderen.
C:\WINDOWS\reg33.exe
C:\windows\5-1-25-85.exe
C:\windows\5-1-35-16.exe
C:\windows\5-1-25-224.exe

Wil je me het volgende bestandje mailen?
C:\WINDOWS\AddCLS.exe
=>Klik hier voor het adres<=

Groetjes,

Pieter
 
Geplaatst door Allard

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [w32sup] C:\WINDOWS\System32\w32sup.exe
O4 - HKLM\..\Run: [Windows report] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\scchost.exe
O4 - HKLM\..\Run: [fsvch] C:\WINDOWS\fsvch.exe
Klik om te vergroten...

Hoi Allard,

Fix de bovenstaande, start opnieuw op en run HijackThis opnieuw. Als ze deze keer wegblijven is het goed.
Anders moeten we even wat anders verzinnen.

Groetjes,

Pieter
 
Status
Niet open voor verdere reacties.
                    Steun ons                    

Nieuwste berichten

Terug
Bovenaan Onderaan