Helpmij tegen spyware offensief (deel 4)

[mariska1972]

Beste Pieter,
realplayer inderdaad gedownload van officiele site (download.com).

In de 5 aangemaakte genoemde dll bestanden van de besmettingsdatum zit het hem volgens mij ook niet.

Ik vertrouw win.ini niet.

En ik heb geconstateerd dat op de besmettingsdatum een bestand is aangemaakt in c:/windows/inf met de naam motown.inf (op besmettingsdatum , tijdstip uitzetten pc).

En er is toen aangemaakt:
1) een map mpeg encode in c/program files/common files met daarin een dll bestand xmencmp3.dll
2) een map c:\program files\internet explorer\Plugins\rich FX met daarin ook en dll bestand (nprfxins.dll)

Misschien kun je hier ook nog wat mee (in samenhang met win.ini).
Hier volgt dan de win.ini (gewijzigd op besmettingsdatum)

[windows]
load=
NullPort=None
device=hp deskjet 3816 series,hpz9xd05,USB/DeskJet_3816/CN2CJ1P27732

[Desktop]
Wallpaper=C:\WINDOWS\1STBOOT.BMP
TileWallpaper=0
WallpaperStyle=2
Pattern=(None)

[intl]
iCountry=31
ICurrDigits=2
iCurrency=2
iDate=1
iDigits=2
iLZero=1
iMeasure=0
iNegCurr=11
iTime=1
iTLZero=0
s1159=
s2359=
sCountry=Netherlands
sCurrency=fl
sDate=-
sDecimal=,
sLanguage=nld
sList=;
sLongDate=dddd d MMMM yyyy
sShortDate=d-M-yyyy
sThousand=.
sTime=:

[fonts]

[FontSubstitutes]
Helv=MS Sans Serif
Tms Rmn=MS Serif
Times=Times New Roman
Helvetica=Arial
MS Shell Dlg=MS Sans Serif

[Compatibility]
_3DPC=0x00400000
_BNOTES=0x224000
_LNOTES=0x00100000
ACAD=0x8000
ACT!=0x400004
ACROBAT=0x04000000
AD=0x10000000
ADW30=0x10000000
ALARMMGR=0x0040000
ALDSETUP=0x00400000
AMIPRINT=0x04000000
AMIPRO=0x04000010
APORIA=0x0100
APPROACH=0x0004
BALER=0x08000000
BMAPP=0x0004
CASMONEY=0x00200000
CAVOIDE=0x00200000
CCMAIL=0x00200000
CCMCWFY=0x80
CHARISMA=0x2000
CONFIG=0x00400000
CORELDRW=0x48000
CORELPNT=0x08000000
COSTAR=0x0004
CP=0x0040
CROSSTIE=0x00000400
DARCH=0x80
DESIGNER=0x00002000
DIRECTOR=0x00800000
DPLANNER=0x00200000
DRAW=0x2000
DS40=0x8000
DTWIN20=0x00000400
EAP=0x0004
ED=0x00010000
EXCEL=0x1000
EXPASTRO=0x04000000
EXTYPWND=0x00200000
FAXVIEW=0x04000000
FAXWORKS=0x00000400
FH4=0x00E08000
FLW2=0x8000
FMPRO=0x00200000
FREEHAND=0x8000
FULLTEXT=0x20000000
GIFTMAKE=0x20000000
GUIDE=0x1000
HDW=0x04800000
HGW=0x8000
HGW2EXE=0x8000
HGW3EXE=0x8000
HPOLNK08=0x00400000
HJDRAW=0x00400000
IDAPICFG=0x00400000
IDRAW=0x04008000
ILLUSTRATOR=0x8000
IMPROV2=0x00000000
INFOCENT=0x04000000
INSIGHT=0x00000400
INSTAL1=0x00400000
INSTALL=0x00400000
INTERMIS=0x10000000
IS20INST=0x00000000
IVIHEALT=0x00400000
JEOPARDY=0x00200000
JW=0x00000000
KALOAD2=0x00400000
KEYCAD=0x8000
LE_ADMIN=0x00400000
LUI=0x20000000
MAILSPL=0x10000000
MAKER=0x00200000
MAPS1=0x04008022
MATH=0x00000001
MAVIS=0x00200000
MCOURIER=0x0800
MFWIN20=0x02000000
MILESV3=0x1000
MILESV40=0x4
MOZART=0x40000000
MSARTIST=0x00100000
MSBHUMAN=0x4
MSREMIND=0x10000000
MVIEWER2=0x40200000
MYINV=0x00200000
MYST=0x08000000
NAFTA1=0x4008022
NBAMW4V4=0x04000000
NETSET2=0x0100
NDITEST=0x00400000
NOTES=0x200000
NOTSHELL=0x0001
OPERATOR=0x02000000
OUTPOST=0x00000000
OWLAPP=0x00400000
PACKRAT=0x0800
PAINTER=0x00000000
PAWC8DC3=0x00400000
PAWIN=0x4
PEACHW=0x04800004
PIXIE=0x0040
PLANIT=0x0004
PLANNER=0x2000
PLUS=0x1000
PM4=0xA000
PM5APP=0x8000
PP4=0x00000000
PR2=0x2000
PRINTHLP=0x0004
QAPLUSW=0x0004
QLIIFAX=0x00400000
QUAKE=0x80
QW=0x08000000
RELAY=0x20000000
REM=0x8022
RR2CD=0x00200000
RX=0x00000400
RXL=0x00000400
SETUP=0x00000000
SIDEKICK=0x0004
SLEEPER=0x10000000
SOL=0x00400000
SPCB=0x04008000
SPORTJEP=0x00200000
SPWIN20=0x00400000
ST2=0x4008022
STRAUSS=0x40000000
STRAV=0x40000000
SCHUBERT=0x40000000
SSBWIN=0x00200000
SWCWIN=0x00800004
TCVWIN=0x00200000
TCW=0x00400000
TCWIN=0x0004
TERRAIN=0x00400000
TISETUP=0x00200000
TL6=0x08000000
TME=0x0100
TMSWIN=0x20000000
TMTWIN=0x00200000
TMTWINCD=0x00200000
TOUCHUP=0x00400000
TURBOTAX=0x00080000
UNWISE=0x00400000
VB=0x0200
VEWINFIL=0x00400000
VISIO=0x00000004
VISIOHM=0x00000004
VISION=0x0040
W4GL=0x4000
W4GLR=0x4000
WGW=0x00440000
WIN2WRS=0x1210
WINCIM=0x4
WINLINK=0x20000000
WINPHONE=0x0004
WINSIM=0x2000
WINTACH=0x00200000
WORDSCAN=0x02200000
WPWINFIL=0x00000006
WPWIN60=0x00000400
WPWIN61=0x02000400
WSETUP=0x00200000
XPRESS=0x00000008
ZETA01=0x00400000
ZIFFBOOK=0x00200000
NOTIFIER=0x400000

[Compatibility32]
CLWORKS=0x00A00000
MCAD=0x00600000
PHOTOSHP=0x00208000
PODW=0x00200000
SPSSWIN=0x00200000
TYPSTRY2=0x00200000
V32VM20=0x02000000
VISIO=0x00000000
VISIOHM=0x00000000
WINPHONE=0x00000004
WRDART32=0x00400000
SHELL=0x80000000
USTATION=0x80000000

[Compatibility95]
_INS0432=0x00080000
_INS5176=0x00080000
_INS576=0x00080000
_INS5576=0x00080000
ASEDIT=0x00080000
ASAUDIO=0x00080000
ASCAMERA=0x00080000
ASVIDEO=0x00080000
ASVOICE=0x00080000
BLUELIGH=0x00080000
FREEICLI=0x00080000
HPFIUI=0x00080000
LAPLINK=0x00080000
LAUNCH=0x00080000
LEXBCES=0x00080000
MNGREG32=0x00080000
MOTODV=0x00080000
POINT32=0x00080002
SA6REG=0x00080000
SETUP=0x00080000
SETUP2=0x00080000
WEBEX=0x00100000
CHAOS OV=0x80000000
CONF=0x00000002
MSDEV=0x00000002
IMAGE32=0x80000000
INST32=0x80000000
AGENTSVR=0x00000002
MSOOBE=0x00000002

[ModuleCompatibility]
ACEROOBE=0x0004
AIRNFM=0x0002
ALDNCD=0x0002
AMRES=0x0002
ATM=0x0002
ARCHANGEL=0x0002
CSNOV=0x0002
DEFDEMO=0x0002
DIBWND=0x0002
DIB=0x0002
DS=0x0001
EMLIB=0x0002
EMSAVE=0x0002
FH4=0x0002
GEDIT=0x0002
GEORGE=0x0002
GVBSETUP=0x0002
HRWCD=0x0002
ISLFAXPR=0x0002
KIDDESK=0x0002
KIDSTYPE=0x0000
KNPS=0x0002
LIONKING=0x0002
MAUI_DRV=0x0002
MGXWMF=0x0002
MEMMAP=0x0002
MSARTIST=0x0002
MSCRWRTR=0x0002
MSCUISTF=0x0001
MVIEWER2=0x0002
MWAVSCAN=0x0002
MYINV=0x0002
OLESVR=0x0002
PDOXWIN=0x0002
PLANIT=0x0002
PP3=0x0002
PP4=0x0002
PPPP=0x0002
PXDSRV2=0x0002
REVIEWRT=0x0002
ROULETTE=0x0002
RRIRJ=0x0002
RR1=0x0002
RR2CD=0x0002
STL_DLG=0x0002
TECO=0x0001
TER=0x0002
TLW0LOC=0x0002
TMSWIN=0x0002
USA=0x0002
VOICE=0x0002
WFXVIEW=0x0004
WINFORM=0x0002
WPWIN61=0x0002

[TrueType]
FontSmoothing=0

[mci extensions]
mid=Sequencer
rmi=Sequencer
wav=waveaudio
avi=AVIVideo
cda=CDAudio
midi=Sequencer
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
snd=MPEGVideo
ivf=MPEGVideo2
m3u=MPEGVideo
mp3=MPEGVideo
mp2=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
mp2v=MPEGVideo
m1v=MPEGVideo
wax=MPEGVideo2
wvx=MPEGVideo2
wm=MPEGVideo2
wmx=MPEGVideo2
wma=MPEGVideo2
wmp=MPEGVideo2
wmv=MPEGVideo2
dat=MPEGVideo
wpl=MPEGVideo2

[MCICompatibility]
QTWVideo=0x0001
MCIXSND=0x0001
GDAnim=0x0001

[mciavi]

[Desktop_Shell]
Current=Win

[Pscript.Drv]
ATMWorkaround=1

[Ports]
LPT1:=
LPT2:=
LPT3:=
COM1:=9600,n,8,1,x
COM2:=9600,n,8,1,x
COM3:=9600,n,8,1,x
COM4:=9600,n,8,1,x
FILE:=

[embedding]
Package=OLE-pakket,OLE-pakket,packager.exe,picture
midfile=MIDI-sequentie,MIDI Sequence,C:\WINDOWS\mplayer.exe /mid,picture
SoundRec=Wavegeluid,Wavegeluid,C:\WINDOWS\sndrec32.exe,picture
Wordpad.Document.1=WordPad-document,WordPad-document,C:\PROGRA~1\BUREAU~1\WORDPAD.EXE,picture
PBrush=Paintbrush Picture,Paintbrush Picture,C:\PROGRA~1\Bureau~1\MSPAINT.EXE,picture
Paint.Picture=Bitmap-afbeelding,Bitmapafbeelding,C:\PROGRA~1\Bureau~1\MSPAINT.EXE,picture
mplayer=Mediafragment,Mediafragment,C:\WINDOWS\mplayer.exe,picture
Imaging.Document=Image-document,Image-document,C:\WINDOWS\KODAKIMG.EXE,picture
WangImage.Document=Image-document,Image-document,C:\WINDOWS\KodakImg.Exe,picture
avifile=Videofragment,Videofragment,C:\WINDOWS\mplayer.exe /avi,picture

[Extensions]
ZIP=C:\ZIPENU~1\WINZIP\winzip32.exe ^.ZIP
LZH=C:\ZIPENU~1\WINZIP\winzip32.exe ^.LZH
ARJ=C:\ZIPENU~1\WINZIP\winzip32.exe ^.ARJ
ARC=C:\ZIPENU~1\WINZIP\winzip32.exe ^.ARC
TAR=C:\ZIPENU~1\WINZIP\winzip32.exe ^.TAR
TAZ=C:\ZIPENU~1\WINZIP\winzip32.exe ^.TAZ
TGZ=C:\ZIPENU~1\WINZIP\winzip32.exe ^.TGZ
TZ=C:\ZIPENU~1\WINZIP\winzip32.exe ^.TZ
GZ=C:\ZIPENU~1\WINZIP\winzip32.exe ^.GZ
Z=C:\ZIPENU~1\WINZIP\winzip32.exe ^.Z
CAB=C:\ZIPENU~1\WINZIP\winzip32.exe ^.CAB
UU=C:\ZIPENU~1\WINZIP\winzip32.exe ^.UU
UUE=C:\ZIPENU~1\WINZIP\winzip32.exe ^.UUE
XXE=C:\ZIPENU~1\WINZIP\winzip32.exe ^.XXE
B64=C:\ZIPENU~1\WINZIP\winzip32.exe ^.B64
HQX=C:\ZIPENU~1\WINZIP\winzip32.exe ^.HQX
BHX=C:\ZIPENU~1\WINZIP\winzip32.exe ^.BHX
MIM=C:\ZIPENU~1\WINZIP\winzip32.exe ^.MIM
IMA=C:\PROGRAM FILES\WINIMAGE\WINIMAGE.EXE ^.IMA
IMG=C:\PROGRAM FILES\WINIMAGE\WINIMAGE.EXE ^.IMG
IMZ=C:\PROGRAM FILES\WINIMAGE\WINIMAGE.EXE ^.IMZ
DSK=C:\PROGRAM FILES\WINIMAGE\WINIMAGE.EXE ^.DSK
WIL=C:\PROGRAM FILES\WINIMAGE\WINIMAGE.EXE ^.WIL
WLZ=C:\PROGRAM FILES\WINIMAGE\WINIMAGE.EXE ^.WLZ
BWZ=C:\PROGRAM FILES\WINIMAGE\WINIMAGE.EXE ^.BWZ

[Devices]
BitWare Fax Driver=BITWARED,COM3
hp deskjet 3816 series=hpz9xd05,USB/DeskJet_3816/CN2CJ1P27732

[PrinterPorts]
BitWare Fax Driver=BITWARED,COM3,15,45
hp deskjet 3816 series=hpz9xd05,USB/DeskJet_3816/CN2CJ1P27732,15,45

[Sounds]
SystemDefault=,

[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
snd=MPEGVideo
ivf=MPEGVideo2
m3u=MPEGVideo
mp3=MPEGVideo
mp2=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
mp2v=MPEGVideo
m1v=MPEGVideo
wax=MPEGVideo2
wvx=MPEGVideo2
wm=MPEGVideo2
wmx=MPEGVideo2
wma=MPEGVideo2
wmp=MPEGVideo2
wmv=MPEGVideo2
wpl=MPEGVideo2

[colors]
Scrollbar=216 208 200
Background=0 12 85
ActiveTitle=0 36 104
InactiveTitle=128 128 128
Menu=216 208 200
Window=255 255 255
WindowFrame=0 0 0
MenuText=0 0 0
WindowText=0 0 0
TitleText=255 255 255
ActiveBorder=212 208 200
InactiveBorder=212 208 200
AppWorkspace=128 128 128
Hilight=0 36 104
HilightText=255 255 255
ButtonFace=216 208 200
ButtonShadow=128 128 128
GrayText=128 128 128
ButtonText=0 0 0
InactiveTitleText=216 208 200
ButtonHilight=255 255 255
ButtonDkShadow=64 64 64
ButtonLight=216 208 200
InfoText=0 0 0
InfoWindow=255 255 225
ButtonAlternateFace=184 180 184
HotTrackingColor=0 0 128
GradientActiveTitle=168 204 240
GradientInactiveTitle=192 192 192

[BITWARE]
VersionMajor=4
VersionMinor=90
BuildNumber=73010104
PlatformId=1
CSDVersion=
ProgramPath=C:\BITWARE\
BitWareIni=C:\BITWARE\BITWARE.INI
PBApiIni=C:\BITWARE\PBAPI.INI
BComWinIni=C:\BITWARE\BCOMWIN.INI
PaperSize=9
PaperLength=2970

[BitVoice]
BitVoiceIni=C:\BITWARE\BITVOICE.INI



















[DrawDib]
pnpdrvr.drv 1024x768x16(565 0)=37,5,5,5
DVA=0

[HP DeskJet 400 Series,LPT1]
Cart=1

[WinZip]
Note-1=This section is required only to install the optional WinZip Internet Browser Support build 0231.
Note-2=Removing this section of the win.ini will have no effect except preventing installation of WinZip Internet Browser Support build 0231.
win32_version=R6.3-8.0

[MMAPP]
path=C:\MMAPP\MMAPP.ini



[Mail]
MAPI=1
CMC=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1

 

[Pieter Arntz]

Geplaatst door Stem
Waaw, super :thumb: ... echt heel veel bedankt hoor...

Hoe kan ik jou hier ooit voor bedanken

Graag gedaan hoor.

Als je probeert te zorgen dat het jou niet meer overkomt, ben ik al blij.

http://home.planet.nl/~kleyn080/Spywareinfonl.html

Groetjes,

Pieter

 

[Stem]

Dan zal ik da zeker doen...

 

[teckeltje]

Hoi Pieter,

Dan hoop ik je ditmaal voor de laatste keer lastig te vallen. Dit moet m zijn dan.

Logfile of HijackThis v1.97.7
Scan saved at 18:34:47, on 13-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\System32\gearsec.exe
D:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
D:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\set-ups\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKCU\..\Run: [MessengerPlus2] "D:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37914.4382407407
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553560000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Heel hartelijk bedankt voor je hulp.

Groetjes Astrid

:thumb:

 

[tintin]

Geplaatst door Pieter Arntz


Hoi tintin,

Of zou het komen omdat jullie allemaal dezelfde versie van windows hebben?

Unzip hijackthis.exe eerst naar een aparte map. Het programma maakt backups in de map waar de .exe zich bevindt. In een Temp map verdwijnen die nogal gemakkelijk.

Groetjes,

Pieter

HEHEHE

wederom hartelijkdank peter:thumb:

 

[Pieter Arntz]

Geplaatst door teckeltje
Hoi Pieter,

Dan hoop ik je ditmaal voor de laatste keer lastig te vallen. Dit moet m zijn dan.
Heel hartelijk bedankt voor je hulp.

Groetjes Astrid

:thumb:

Hoi teckeltje,

Ik vind hem prima. Graag gedaan hoor.

Groetjes,

Pieter

 

[kidshome]

Ik heb alles gedaan wat je vermeld had in je berichtje alleen ik heb alleen de map MywebSearch kunnen vinden, de andere drie mappen kon ik niet vinden.
Ik denk dat alles nu goed is

Logfile of HijackThis v1.97.7
Scan saved at 20:04:45, on 13-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\WLAN\WLAN\wlanutil.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Documents and Settings\Eigenaar\Local Settings\Temp\Tijdelijke map 2 voor hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\Documents and Settings\Eigenaar\Bureaublad\adjan\adjan\stop.obd
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gerralda.nl.tt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nl7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Wireless LAN Utility.lnk = C:\Program Files\WLAN\WLAN\wlanutil.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Onderzoek (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.115.192.223/activex/AxisCamControl.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

Nog hartelijk bedankt voor de hulp

 

[Robin Hood]

Ha Pieter,

Geldt het antwoord van jou aan Martien54, ook voor mij?

groetjes,

Robin

 

[Pieter Arntz]

Geplaatst door mariska1972
Beste Pieter,
realplayer inderdaad gedownload van officiele site (download.com).

In de 5 aangemaakte genoemde dll bestanden van de besmettingsdatum zit het hem volgens mij ook niet.

Hoi mariska1972,

Wil je mij een mailtje sturen?
Ik heb hier een programmaatje dat je misschien heel blij zal maken. Het is nog niet getest op een echt slachtoffer, maar misschien wil jij dat wel doen.
=>Klik hier<=

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door Robin Hood
Ha Pieter,

Geldt het antwoord van jou aan Martien54, ook voor mij?

groetjes,

Robin

Die snap ik niet. Jouw laatste log is van de 10de.
Daar heb je toch antwoord op gehad?

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door kidshome
Ik heb alles gedaan wat je vermeld had in je berichtje alleen ik heb alleen de map MywebSearch kunnen vinden, de andere drie mappen kon ik niet vinden.
Ik denk dat alles nu goed is

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

Hoi kidshome,

Ik ben niet zo dol op die P2P Networking rommel, maar de rest ziet er netjes uit.

Groetjes,

Pieter

 

[heinott]

hijjackthis log

Eerst gescand met adaware 6.1xxx

Logfile of HijackThis v1.97.7
Scan saved at 19:20:51, on 13-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\sed.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\mmc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Koen Melis\Bureaublad\dx 9\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.standbyservice.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.standbyservice.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\IEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.standbyservice.nl
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5EB9000-0BC4-47B9-84D6-8A11B20A984D}: NameServer = 212.129.201.106

 

[mariska1972]

Pieter , Mail onderweg !

 

[Kesum]

Ik heb een virus op mijn computer.
Kun je daarvan hier iets in vinden.

Met vriendelijke groet,

Kesum

Logfile of HijackThis v1.97.7
Scan saved at 21:23:09, on 13-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security\PCCMAIN.EXE
C:\Documents and Settings\noorlandt\Bureaublad\HijackThis.exe


O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

 

[Systemizer X100]

Hier is nogmaals mijn log. Omdat ik denk dat er meer bij is gekomen.

Logfile of HijackThis v1.97.7
Scan saved at 21:28:41, on 13-5-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\lrdsvr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\System32\intdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [real knob] C:\PROGRA~1\STARTG~1\Two Thunk.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [svcSystem] C:\WINDOWS\System32\lrdsvr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Net Prioritizer.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Natural Reader (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Flash (HKCU)
O15 - Trusted Zone: www.download.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1080385660858
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38073.0439814815
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx

 

[heinott]

De regel met lsass.exe duidt volgens mij op het sasser virus.

Download fix bij symantec.com!

Groet!!

 

[mariska1972]

Pieter,
je mail ontvangen.
Krijg de foutmelding, na unzippen,: nur fuer NT-basierte systeme. Programm wird beendet.
Ik kan de keuze desinfektion starten niet aanklikken.

 

[buffy]

Geplaatst door heinott
De regel met lsass.exe duidt volgens mij op het sasser virus.

Download fix bij symantec.com!

Groet!!

Nee hoor, lsass.exe is op zichzelf een normaal Windowsproces. Zie je processen als avserve.exe en avserve2.exe, dán heb je Sasser te pakken.

 

[Olav]

Re: hijjackthis log

Geplaatst door heinott
C:\WINDOWS\System32\sed.exe

file:///C:/Program%20Files/Onlinedirect/Portal/portal.html


O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe

Hoi Heinott,
klik de bovenstaande zaken aan in Hijack this, sluit alle schermen behalve Hijack this en klik op "fix checked"

Herstart daarna je pc in veilige modus en verwijder

C:/Program%20Files/Onlinedirect/ <-- hele map
C:\WINDOWS\System32\sed.exe (even controleren of die echt weg is. Is die niet weg, alsnog verwijderen.

Olav

 

[Olav]

Geplaatst door Kesum
Ik heb een virus op mijn computer.
Kun je daarvan hier iets in vinden.

Met vriendelijke groet,

Kesum

Logfile of HijackThis v1.97.7
Scan saved at 21:23:09, on 13-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security\PCCMAIN.EXE
C:\Documents and Settings\noorlandt\Bureaublad\HijackThis.exe


O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

Volgens mij is dit niet de hele log.
Ik mis delen. Wil je de hele log plaatsen zodat we die ook voor je kunnen controleren?

Olav