Helpmij tegen spyware offensief (deel 4)

[Pieter Arntz]

Geplaatst door huijb

Dochter 1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html

O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\SYSTEM\SED.EXE

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

Hoi huijb,

Voor je begint wil ik je aanraden om HijackThis naar een aparte map uit te pakken. Het programma maakt backups in de map waar het staat en
zoals jij het nu draait komen die op het bureaublad te staan.

Vink dan de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op in veilige modus en verwijder:
C:\WINDOWS\SYSTEM\SED.EXE
C:\Program Files\Onlinedirect <= de hele map

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door tintin


het is weer voor mekaar!!!!

Goed werk.

Pieter

 

[Olav]

Geplaatst door huijb
C:\WINDOWS\SYSTEM\SED.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html

O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\SYSTEM\SED.EXE

Hoi Huijb,

Om Pieter hier op helpmij wat te ontlasten en om hem zo de tijd te geven zijn goede werk voort te blijven zetten op de andere fora waar hij actief is, schiet ik hem bij.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op in veilige modus en verwijder:
C:\PROGRAM FILES\Onlinedirect <= de hele map
C:\WINDOWS\SYSTEM\SED.EXE


Succes,
Olav

 

[Pieter Arntz]

Geplaatst door huijb
dochter 2

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\SYSTEM\SED.EXE

Hoi huijb,

Da's zeker de oudste

Voor je begint wil ik je aanraden om HijackThis naar een aparte map uit te pakken. Het programma maakt backups in de map waar het staat en
zoals jij het nu draait komen die op het bureaublad te staan.

Vink dan de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op in veilige modus en verwijder:
C:\WINDOWS\SYSTEM\SED.EXE
C:\Program Files\Onlinedirect <= de hele map
C:\TV MEDIA <= de hele map
C:\Program Files\webHancer <= de hele map

Groetjes,

Pieter

 

[huijb]

Olav pieter bedankt weer, inderdaad Pieter dat is de oudste.

 

[Pieter Arntz]

Geplaatst door Nemor
hey ik heb dus het probleem bij internet explorer onder beeld dan werkbalken alles vergrendelt is en ik niet opnieuw mijn adresbalk aan kan vinken en dus geen adress kan intypen, het lukt me wel met ctrl+o maar daar erger ik me aan en wil graag dat het weer normaal word nou heb ik hier in dit forum gezocht naar dit probleem daar word je doorverwezen hiernaar dat je die progamma's moet downloaden maar dat wil niet ik krijg dan bij elke link dat jullie geven een site van isearch met error. Heeft iemand enig idee wat ik kan doen?

Hoi Nemor,

Ik voeg een bestandje bij. Download dat en sla het op als isearchbarrepair.reg
Dubbelklik erop en bevestig dat je het wilt toevoegen aan je register.

Zoek dan het bestand C:\WINDOWS\System32\drivers\etc\hosts op en hernoem het naar hosts.bak

Daarna zou je weer al mijn favoriete forums en downloadsites die je zoekt moeten kunnen bezoeken.
Plaats nog even een HijackThis log.

Groetjes,

Pieter

 

[studiobart]

hier mijn hijacklogthis na gescand met adware 6.0

Logfile of HijackThis v1.97.7
Scan saved at 20:55:59, on 11/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\qttask.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\mslagent\mslagent_.exe
C:\windows\applic~1\winlogon.exe
C:\WINDOWS\system32\winproc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Bart Demeulenare\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/searchpage.html?page=www.google.be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=abc
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=abc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent_.exe
O4 - HKCU\..\Run: [System Update4] c:\windows\applic~1\winlogon.exe
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\system32\winproc32.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\Intern~1\Plugins\NPDocBox.dll
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: Dexia Netbanking - http://netbanking.dexia.be/PC//Dynamic/Shared/Applet//DexiaIIA.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/nl/win/QuickTimeInstaller.exe
O16 - DPF: {5623F093-DACE-4027-ABBE-751F5BB7878E} (PXSLoader Class) - http://plugin.payload.nl/run/loader/payloadloader.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://www.alloticket.com/MicroPaiement/kit/WebInstall.dll
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1034_pack_XP.cab
O16 - DPF: {B914A3C5-80F5-43C1-A4A3-C4211921DC7B} - http://akamai.downloadv3.com/binaries/IA/netdtc32_EN_XP.cab
O16 - DPF: {CF5F84EB-D3FC-4F98-BE3B-F5B56B962CED} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1035_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

 

[loic]

Hoi Pieter,

Ik ben erg benieuwd of je iets geks ziet aan mijn log. ik ben een tijdje bezig geweest om het geheel op te schonen. ik vraag me nu af of dat gelukt is. Ik heb spy-both gebruikt en als je onnodige startups tegen komt dan hoor ik het graag. Ik ben erg benieuwd.
gr.
Loïc

Logfile of HijackThis v1.97.7
Scan saved at 21:50:38, on 11-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\spyboth\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 203
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = 203
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prikpagina.nl/list.php?f=475
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 203
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 203
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 203
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Loic\Application Data\Mozilla\Profiles\default\3d5xac9o.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WallPaper] D:\prog\WALLPA~1.90\WALLPA~1.EXE /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: SWFDecompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0D5AAD20-C9EF-11D4-B5D3-00C04F163665} (CBSBiB.iPCRClickMap) - http://www.cbs.nl/nl/cijfers/buurt-in-beeld/klikkaart.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {5B461C2E-763A-4F47-9809-55827667E821} (MGDomConnector Class) - http://193.67.114.9/Magic9Utils/MGBCCOM9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37643.1798611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

 

[mariska1972]

Pieter,
Kun jij me helpen?
Ik krijg steeds pop up op mijn scherm dat ik spyware op mijn pc heb.
Ik heb adaware log geplaatst van vandaag en hijack this log


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :dinsdag 11 mei 2004 21:44:25
Created with Ad-aware Personal, free for private use.
Using reference-file :01R302 03.05.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


11-5-2004 21:44:25 - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279184329
Threads : 8
Priority : High
FileSize : 532 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel-kerncomponent
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Besturingssysteem Microsoft(R) Windows(R) Millennium
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294966865
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bits VxD-berichtserver
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Besturingssysteem Microsoft(R) Windows(R) Millennium
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294860357
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:4 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294856705
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:5 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294843309
Threads : 4
Priority : Normal
FileSize : 124 KB
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
Copyright : Copyright (C) Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Taakplanner Engine
InternalName : Taakplanner
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:6 [ssdpsrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294896169
Threads : 4
Priority : Normal
FileSize : 55 KB
FileVersion : 4.90.3002.0
ProductVersion : 4.90.3002.0
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
OriginalFilename : ssdpsrv.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 19-2-2002 21:30:43
Last accessed : 10-5-2004 22:00:00
Last modified : 28-9-2001 15:53:22

#:7 [ccsetmgr.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294789833
Threads : 8
Priority : Normal
FileSize : 229 KB
FileVersion : 2.0.2.806
ProductVersion : 2.0.2.806
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
OriginalFilename : ccSetMgr.exe
ProductName : Common Client
Created on : 12-9-2003 2:32:48
Last accessed : 10-5-2004 22:00:00
Last modified : 12-9-2003 2:32:48

#:8 [ccevtmgr.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294797293
Threads : 28
Priority : Normal
FileSize : 250 KB
FileVersion : 2.0.2.806
ProductVersion : 2.0.2.806
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Common Client
Created on : 12-9-2003 2:34:42
Last accessed : 10-5-2004 22:00:00
Last modified : 12-9-2003 2:34:42

#:9 [ccproxy.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294780901
Threads : 22
Priority : Normal
FileSize : 213 KB
FileVersion : 2.0.2.806
ProductVersion : 2.0.2.806
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Network Proxy Service
InternalName : ccProxy
OriginalFilename : ccProxy.exe
ProductName : Common Client
Created on : 12-9-2003 2:32:16
Last accessed : 10-5-2004 22:00:00
Last modified : 12-9-2003 2:32:16

#:10 [sndsrvc.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294832701
Threads : 10
Priority : Normal
FileSize : 189 KB
FileVersion : 5.3.1.53
ProductVersion : 5.3
Copyright : Copyright 2002, 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
OriginalFilename : SndSrvc.exe
ProductName : Symantec Security Drivers
Created on : 29-4-2004 19:27:36
Last accessed : 10-5-2004 22:00:00
Last modified : 29-4-2004 19:27:36

#:11 [winmgmt.exe]
FilePath : C:\WINDOWS\SYSTEM\WBEM\
ProcessID : 4294736509
Threads : 8
Priority : Normal
FileSize : 192 KB
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:12 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294699201
Threads : 5
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft (R) PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft (r) PCHealth
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:13 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294584837
Threads : 5
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294653465
Threads : 34
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Verkenner
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Besturingssysteem Microsoft(R) Windows (R) 2000
Created on : 8-6-2000 15:00:00
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:15 [taskmon.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294708937
Threads : 2
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1998
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
OriginalFilename : TASKMON.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:16 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294549097
Threads : 3
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : Systeemwerkblad-applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Besturingssysteem Microsoft(R) Windows(R) Millennium
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:17 [starter.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294443865
Threads : 2
Priority : Normal
FileSize : 32 KB
FileVersion : 5.00.05
ProductVersion : 5.00.05
Copyright : Copyright
CompanyName : Creative Technology, Ltd.
FileDescription : This program launches the mixer application.
InternalName : starter
OriginalFilename : starter.exe
ProductName : starter
Created on : 20-2-2001 11:54:42
Last accessed : 10-5-2004 22:00:00
Last modified : 10-8-2000 9:58:46

#:18 [mhotkey.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294449853
Threads : 2
Priority : Normal
FileSize : 438 KB
FileVersion : 2, 0, 0, 8
ProductVersion : 2, 0, 0, 8
Copyright : Copyright (c) 2000 Chicony
CompanyName : Chicony
FileDescription : Chicony Multimedia Driver
InternalName : Multimedia Hotkey Driver
OriginalFilename : mHotkey.res
ProductName : Chicony Multimedia Driver
Created on : 20-2-2001 17:49:14
Last accessed : 10-5-2004 22:00:00
Last modified : 4-7-2000 14:38:04

#:19 [loadqm.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294387985
Threads : 4
Priority : Normal
FileSize : 7 KB
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
OriginalFilename : LOADQM.EXE
ProductName : QMgr Loader
Created on : 4-11-2002 21:24:01
Last accessed : 10-5-2004 22:00:00
Last modified : 3-5-2000 15:23:10

#:20 [hpztsb05.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294667285
Threads : 2
Priority : Normal
FileSize : 184 KB
FileVersion : 2,121,0,0
ProductVersion : 2,121,0,0
Copyright : Copyright (c) Hewlett-Packard Company 1999-2002
CompanyName : HP
ProductName : HP DeskJet
Created on : 26-3-2003 17:41:10
Last accessed : 10-5-2004 22:00:00
Last modified : 6-6-2002 19:31:34

#:21 [realsched.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294408781
Threads : 3
Priority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3018
ProductVersion : 0.1.0.3018
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 20-4-2004 21:40:44
Last accessed : 10-5-2004 22:00:00
Last modified : 20-4-2004 21:40:46

#:22 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294406361
Threads : 3
Priority : Normal
FileSize : 44 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:23 [ccapp.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294385517
Threads : 35
Priority : Normal
FileSize : 69 KB
FileVersion : 2.0.2.806
ProductVersion : 2.0.2.806
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 12-9-2003 2:28:14
Last accessed : 10-5-2004 22:00:00
Last modified : 12-9-2003 2:28:14

#:24 [msnmsgr.exe]
FilePath : C:\PROGRAM FILES\MSN MESSENGER\
ProcessID : 4294487685
Threads : 4
Priority : Normal
FileSize : 4768 KB
FileVersion : 6.2.0133
ProductVersion : Version 6.2
Copyright : Copyright (c) Microsoft Corporation 1997-2004
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : MSN Messenger
Created on : 19-4-2004 3:45:08
Last accessed : 10-5-2004 22:00:00
Last modified : 19-4-2004 3:45:08

#:25 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294254897
Threads : 1
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Besturingssysteem Microsoft
Created on : 4-9-2002 7:10:22
Last accessed : 10-5-2004 22:00:00
Last modified : 4-9-2002 7:10:22

#:26 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294324249
Threads : 1
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Besturingssysteem Microsoft
Created on : 4-9-2002 7:10:22
Last accessed : 10-5-2004 22:00:00
Last modified : 4-9-2002 7:10:22

#:27 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294253017
Threads : 1
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Besturingssysteem Microsoft
Created on : 4-9-2002 7:10:22
Last accessed : 10-5-2004 22:00:00
Last modified : 4-9-2002 7:10:22

#:28 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294460245
Threads : 7
Priority : Realtime
FileSize : 32 KB
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 13-8-2003 20:42:53
Last accessed : 10-5-2004 22:00:00
Last modified : 11-12-2002 22:14:32

#:29 [pstores.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294038265
Threads : 4
Priority : Normal
FileSize : 82 KB
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
OriginalFilename : Protected storage server
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 1-1-1601
Last accessed : 10-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:30 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294414009
Threads : 1
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Besturingssysteem Microsoft
Created on : 4-9-2002 7:10:22
Last accessed : 10-5-2004 22:00:00
Last modified : 4-9-2002 7:10:22

#:31 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294005177
Threads : 1
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Besturingssysteem Microsoft
Created on : 4-9-2002 7:10:22
Last accessed : 10-5-2004 22:00:00
Last modified : 4-9-2002 7:10:22

#:32 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4293982613
Threads : 3
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 24-4-2004 22:06:13
Last accessed : 10-5-2004 22:00:00
Last modified : 12-7-2003 20:00:20

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{FF0DC65A-F33C-472B-894B-D71137E0F67D}


CoolWebSearch Object recognized!
Type : File
Data : dcc.dll
Object : c:\windows\system\
FileSize : 30 KB
Created on : 11-5-2004 19:17:16
Last accessed : 10-5-2004 22:00:00
Last modified : 11-5-2004 19:17:18



CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{D1CB2908-87FE-4B75-BFAE-1E6BF525B825}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/plain


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D1CB2908-87FE-4B75-BFAE-1E6BF525B825}


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 8
Objects found so far: 10


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 10


21:54:01 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:09:33:860
Objects scanned :37750
Objects identified :10
Objects ignored :0
New objects :10


hijackthis log
ogfile of HijackThis v1.97.7
Scan saved at 21:56:33, on 11-5-2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DCC.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DCC.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DCC.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\DCC.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\DCC.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\DCC.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: OpinionBar IE monitor - {6607C683-AE7C-11D4-ACD7-0050DAC291A2} - C:\PROGRA~1\OPINIO~1\MYIEMO~2.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D1CB2908-87FE-4B75-BFAE-1E6BF525B825} - C:\WINDOWS\SYSTEM\DCC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\NL\MSNTB.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/dutch/TemplateGallery/msotd.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37567.5868287037

 

[Jan van Asseldonk]

Pieter, Olav,

hierbij de logfile van de PC.
Deze is gescand met Ad-Aware 6.0 en SpyBot met de laatste updates. Startpagina blijft irritant aanwezig en er wordt direct weer spyware opgezet.

Logfile of HijackThis v1.97.7
Scan saved at 22:01:47, on 11-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Medion Home CinemaXL\PowerCinema\PCMService.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CloneCD\CloneCDTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webtvparty.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hetnet.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Het Net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.startpagina.nl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0DE22239-F7E5-492A-983D-4404C00E26DD} - C:\WINDOWS\mrhop.dll
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCMService] C:\Program Files\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\CloneCD\CloneCDTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: PopupPopper Configuratiescherm (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.hetnet.nl
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://virusscan.zdnet.nl/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37664.0440393519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

[Olav]

Re: hier mijn hijacklogthis na gescand met adware 6.0

Geplaatst door studiobart

C:\Program Files\ISTsvc\istsvc.exe

C:\WINDOWS\wt\updater\wcmdmgr.exe

C:\WINDOWS\mslagent\mslagent_.exe <--- Trojaans paard --> http://www.kephyr.com/spywarescanner/library/magiccontrol/index.phtml
C:\windows\applic~1\winlogon.exe
C:\WINDOWS\system32\winproc32.exe <------- CWS !!! http://pestpatrol.com/pestinfo/c/cws.asp / http://www.pestpatrol.com/PestResearchCenter/Analyses/2004-02-09_141953.asp


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/searchpage.html?page=www.google.be
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=abc
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=abc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html


R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent_.exe
O4 - HKCU\..\Run: [System Update4] c:\windows\applic~1\winlogon.exe
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\system32\winproc32.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=

O16 - DPF: {5623F093-DACE-4027-ABBE-751F5BB7878E} (PXSLoader Class) - http://plugin.payload.nl/run/loader/payloadloader.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://www.alloticket.com/MicroPaiement/kit/WebInstall.dll

Hoi Studiobart....
Indrukwekkend

Op de eerste plaats, mochten we je schoon krijgen, wil ik je dringend adviseren je windows en internet explorer te updaten.

Platform: Windows XP (WinNT 5.01.2600) <-- verouderd en mis service pack.
MSIE: Internet Explorer v6.00 (6.00.2600.0000) <-- verouderd

Daarnaast, wil ik je adviseren om Hijack This in een eigen, aparte map te zetten, Hijack This maakt updates in de map van waaruit hij gedraid wordt. Die updates komen op deze manier op je buroblad te staan.

Klik de hierboven staande items aan in je Hijack this, sluit alle vensters behalve Hijack This. Klik vervolgens op Fix Checked.

Herstart je pc in veilige mode
Daarna verwijder je:
c:\searchpage.html
C:\WINDOWS\mslagent\ <-- Uninstall via toevoegen/verwijderen software in configuratie scherm. (verwijder instructies: http://www.kephyr.com/spywarescanner/library/magiccontrol/index.phtml)
C:\Program Files\ISTsvc\ <-- hele map
C:\WINDOWS\wt\ <-- hele map

Controleer of deze bestanden weg zijn, zo niet, dan als nog verwijderen.
C:\WINDOWS\system32\winproc32.exe
C:\WINDOWS\System32\toolbar.dll

Download en run http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Gebruik de Fix knop en volg de aanwijzingen op.

Olav

 

[Pieter Arntz]

Geplaatst door loic


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 203
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = 203

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 203
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 203
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 203

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime ***

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

Hoi loic,

*** is overbodig volgens mij
De anderen zijn lop restanten en een dialer

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door mariska1972

Kun jij me helpen?

Waarschijnlijk niet:
http://www.helpmij.nl/forum/showthread.php?threadid=162413

Maar misschien heb je geluk.

Download en unzip FindAll.zip van http://www10.brinkster.com/expl0iter/freeatlast/Find-All.zip

Open de map en run FindAll.bat

In dezelfde map komt een bestand output.txt te staan post de inhoud daarvan.

Groetjes,

Pieter

 

[neleke]

Pieter,

Weer bedankt voor je hulp, alles is weer schoon

Groetjes,
Neleke

 

[mariska1972]

Pieter,
dan krijg ik foutmeldingen dat hmen de scriptbestanden c:\download\filters and bhos.vbs niet vinden.
vervolgens diverse vragen of ik wat wil toevoegen aan de registers.
Ik heb door de diverse foutmeldingen hier overal nee ingetikt
==**'FIND-ALL' VERSION 2, 5/04**===--

*System Info:

Windows Millennium [Versie 4.90.3000]



Locked or 'Suspect' file(s) found...




 

[Pieter Arntz]

Geplaatst door Jan van Asseldonk
Pieter, Olav,


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webtvparty.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mrhop.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {0DE22239-F7E5-492A-983D-4404C00E26DD} - C:\WINDOWS\mrhop.dll

Hoi Jan,

Die mrhop variant is gloedjenieuw en nog in onderzoek.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op.

Volg daarna de aanwijzingen die ik mariska1972 gaf. Hij lijkt het meest op die variant. Misschien levert het wat op.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door neleke
Pieter,

Weer bedankt voor je hulp, alles is weer schoon

Groetjes,
Neleke

Graag gedaan

Pieter

 

[Renorax]

Scan saved at 22:44:02, on 11-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isearch.com/index.php?ref=none
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRA~1\DAP\dapbho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] C:\Program Files\Common Files\Stardock\TrayServer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: BUREAUBLADACHTERGROND-KIEZER.lnk = C:\Program Files\final_fantasy_wpc\wpc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Onderzoekscentrum (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/drm.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0140a4fcd4bc9647c115/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38032.2218981481
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F1154108-FB75-47EB-9A7E-4DD28DBDAF34} - http://www.threedegrees.com/td_netd.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

ik gebruikte adaware omte scannen

 

[Pieter Arntz]

Geplaatst door mariska1972
Pieter,
dan krijg ik foutmeldingen dat hmen de scriptbestanden c:\download\filters and bhos.vbs niet vinden.
vervolgens diverse vragen of ik wat wil toevoegen aan de registers.
Ik heb door de diverse foutmeldingen hier overal nee ingetikt

Yuk. Waarschijnlijk één van de redenen waarom dat alleen voor Windows 2000 en XP werkt.

Zoek het bestand: DCC.DLL op, rechtsklik en kijk onder eigenschappen op welke datum het is gemaakt.
Zoek dan je computer na op alle bestanden die op die datum zijn gemaakt.
Geef alle dll bestanden op die in de C:\WINDOWS\SYSTEM styaan en daar aan voldoen.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door Renorax

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isearch.com/index.php?ref=none

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/drm.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0140a4fcd4bc9647c115/netzip/RdxIE601.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

Hoi Renorax,

Niet gemerkt dat je AdAware niet kon updaten?

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start daarna opnieuw op en verwijder:C:\windows\easywww2.exe

Zoek dan het bestand C:\WINDOWS\System32\drivers\etc\hosts op en hernoem het naar hosts.bak

Update AdAware dan en scan opnieuw.

Groetjes,

Pieter