Helpmij tegen spyware offensief (deel 4)

[EPO]

Geplaatst door Pieter Arntz


Kun en wil je Windows updaten of niet?

Groetjes,

Pieter

Windows geupdate en het is nu weg??!!

Ben blij dat het weg is , maar ik begrijp het niet waarom bij een update het nu verdwijnt

Maar ik ben ook maar een zeikende IT-er die alles wilt begrijpen

Bedankt in ieder geval!

 

[Bigfast]

Geplaatst door Olav


D'r is daar wel wat meer aan de hand, zie mijn volgende bericht.

Olav

Dat wist ik van te voren al, alleen als je niet weet wat weg kan, kan je moeilijk van meer dingen zeggen dat ze weg moeten

 

[Olav]

Geplaatst door EPO

Maar ik ben ook maar een zeikende IT-er die alles wilt begrijpen

Als IT-er weet je toch dat er dingen zijn die je niet moet proberen te begrijpen

 

[Pieter Arntz]

Geplaatst door EPO


Windows geupdate en het is nu weg??!!

Ben blij dat het weg is , maar ik begrijp het niet waarom bij een update het nu verdwijnt

Maar ik ben ook maar een zeikende IT-er die alles wilt begrijpen

Bedankt in ieder geval!

Am I imagining things, or did the nature of the protocols handler change with the latest critical update at M$ (for XP)

This file seems to be updated -- windows\system32\catsrvut.dll and
HKEY_CLASSES_ROOT\ProtocolsTable.ProtocolsTable
has turned into
HKEY_CLASSES_ROOT\ProtocolsTable.ProtocolsTable.1 and now points at it.

I'm not sure if this affects anyone's run at the filter keys or not?

Ja dus.

(En ik vertaal het maar niet, aangezien ik dan misschien de essentie mis. )

Scan wel nog even met AdAware. Als de verborgen dll niet verwijderd wordt is één contact met een verkeerde site voldoende om opnieuw de gevolgen te ondervinden.
En dan kom je er niet meer zo gemakkelijk vanaf.

Groetjes,

Pieter

 

[mariska1972]

Beste Pieter,
Scan uitgevoerd op site Nortron.
Ik moest eerst mijn activeX acceptaties allemaal op toestaan zetten voordat de scan uitgevoerd kon worden.
Resultaat van nortron:
Virus Status: Safe!Your computer is free of known viruses and Trojan horses.

Ik heb alle programmatuur die ik in april 2004 (besmettingsmaand) gedownload heb verwijderd van het systeem en opnieuw gedownload.
Vervolgens selectie gedraaid van *.dll bestanden die in april zijn ontstaan (zo verdwenen er een heleboel dll bestanden en zelfs de plugin mappen).
Dan hou ik nog 3 dll bestanden over in de map c:\windows\system die in april zijn ontstaan:

1) zlib.dll (zowel in c:\windows EN in c:\windows\system) 090404
2)rtcres.dll 190404
3) symneti.dll 290404
4) symredir.dll 290404

Besmettingsdatum zeer waarschijnlijk 21 april.
Op deze datum dus 2 bestanden aangemaakt/ gewijzigd bij afsluiten PC
te weten
1) win.ini (heb je reeds gezien Pieter)
2) motown.inf in map C:\windows\inf

Op dit moment is mijn hijack log als volgt.
(ik heb de ekgee regels dus nog niet gefixed)

Logfile of HijackThis v1.97.7
Scan saved at 21:09:24, on 16-5-2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\KAZAA LITE K++\KAZAALITE.KPP
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\EKGEE.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\EKGEE.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\EKGEE.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\EKGEE.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\EKGEE.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\EKGEE.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: OpinionBar IE monitor - {6607C683-AE7C-11D4-ACD7-0050DAC291A2} - C:\PROGRA~1\OPINIO~1\MYIEMO~2.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E6D92140-CA74-421B-9C40-ADD33F437F03} - C:\WINDOWS\SYSTEM\EKGEE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\NL\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://office.microsoft.com/dutch/TemplateGallery/msotd.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37567.5868287037
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab



Pieter, als ik adaware draai krijg ik uiteraard alle verwijzingen naar de ekgee te zien.
Allen hebben de kwalificatie risico low
Met uitzondering van 3. Deze hebben risico medium.
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :zondag 16 mei 2004 21:41:57
Created with Ad-aware Personal, free for private use.
Using reference-file :01R304 16.05.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


16-5-2004 21:41:57 - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279182379
Threads : 8
Priority : High
FileSize : 532 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel-kerncomponent
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Besturingssysteem Microsoft(R) Windows(R) Millennium
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294963635
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bits VxD-berichtserver
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Besturingssysteem Microsoft(R) Windows(R) Millennium
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294857127
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:4 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294860771
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:5 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294888687
Threads : 3
Priority : Normal
FileSize : 124 KB
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
Copyright : Copyright (C) Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Taakplanner Engine
InternalName : Taakplanner
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:6 [ssdpsrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294892407
Threads : 4
Priority : Normal
FileSize : 55 KB
FileVersion : 4.90.3002.0
ProductVersion : 4.90.3002.0
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
OriginalFilename : ssdpsrv.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 19-2-2002 21:30:43
Last accessed : 15-5-2004 22:00:00
Last modified : 28-9-2001 15:53:22

#:7 [ccsetmgr.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294789183
Threads : 8
Priority : Normal
FileSize : 229 KB
FileVersion : 2.0.2.806
ProductVersion : 2.0.2.806
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
OriginalFilename : ccSetMgr.exe
ProductName : Common Client
Created on : 12-9-2003 2:32:48
Last accessed : 15-5-2004 22:00:00
Last modified : 12-9-2003 2:32:48

#:8 [ccevtmgr.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294800347
Threads : 27
Priority : Normal
FileSize : 250 KB
FileVersion : 2.0.2.806
ProductVersion : 2.0.2.806
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Common Client
Created on : 12-9-2003 2:34:42
Last accessed : 15-5-2004 22:00:00
Last modified : 12-9-2003 2:34:42

#:9 [ccproxy.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294773603
Threads : 16
Priority : Normal
FileSize : 213 KB
FileVersion : 2.0.2.806
ProductVersion : 2.0.2.806
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Network Proxy Service
InternalName : ccProxy
OriginalFilename : ccProxy.exe
ProductName : Common Client
Created on : 12-9-2003 2:32:16
Last accessed : 15-5-2004 22:00:00
Last modified : 12-9-2003 2:32:16

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294851199
Threads : 31
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Verkenner
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Besturingssysteem Microsoft(R) Windows (R) 2000
Created on : 8-6-2000 15:00:00
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:11 [sndsrvc.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294820315
Threads : 10
Priority : Normal
FileSize : 189 KB
FileVersion : 5.3.1.53
ProductVersion : 5.3
Copyright : Copyright 2002, 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
OriginalFilename : SndSrvc.exe
ProductName : Symantec Security Drivers
Created on : 29-4-2004 19:27:36
Last accessed : 15-5-2004 22:00:00
Last modified : 29-4-2004 19:27:36

#:12 [winmgmt.exe]
FilePath : C:\WINDOWS\SYSTEM\WBEM\
ProcessID : 4294749599
Threads : 8
Priority : Normal
FileSize : 192 KB
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:13 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294643283
Threads : 6
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft (R) PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft (r) PCHealth
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:14 [taskmon.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294523687
Threads : 2
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1998
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
OriginalFilename : TASKMON.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:15 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294549983
Threads : 5
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:16 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294542603
Threads : 3
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : Systeemwerkblad-applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Besturingssysteem Microsoft(R) Windows(R) Millennium
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:17 [starter.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294827435
Threads : 2
Priority : Normal
FileSize : 32 KB
FileVersion : 5.00.05
ProductVersion : 5.00.05
Copyright : Copyright
CompanyName : Creative Technology, Ltd.
FileDescription : This program launches the mixer application.
InternalName : starter
OriginalFilename : starter.exe
ProductName : starter
Created on : 20-2-2001 11:54:42
Last accessed : 15-5-2004 22:00:00
Last modified : 10-8-2000 9:58:46

#:18 [mhotkey.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294557107
Threads : 2
Priority : Normal
FileSize : 438 KB
FileVersion : 2, 0, 0, 8
ProductVersion : 2, 0, 0, 8
Copyright : Copyright (c) 2000 Chicony
CompanyName : Chicony
FileDescription : Chicony Multimedia Driver
InternalName : Multimedia Hotkey Driver
OriginalFilename : mHotkey.res
ProductName : Chicony Multimedia Driver
Created on : 20-2-2001 17:49:14
Last accessed : 15-5-2004 22:00:00
Last modified : 4-7-2000 14:38:04

#:19 [loadqm.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294398023
Threads : 4
Priority : Normal
FileSize : 7 KB
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
OriginalFilename : LOADQM.EXE
ProductName : QMgr Loader
Created on : 4-11-2002 21:24:01
Last accessed : 15-5-2004 22:00:00
Last modified : 3-5-2000 15:23:10

#:20 [hpztsb05.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294453363
Threads : 2
Priority : Normal
FileSize : 184 KB
FileVersion : 2,121,0,0
ProductVersion : 2,121,0,0
Copyright : Copyright (c) Hewlett-Packard Company 1999-2002
CompanyName : HP
ProductName : HP DeskJet
Created on : 26-3-2003 17:41:10
Last accessed : 15-5-2004 22:00:00
Last modified : 6-6-2002 19:31:34

#:21 [ccapp.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294501715
Threads : 35
Priority : Normal
FileSize : 69 KB
FileVersion : 2.0.2.806
ProductVersion : 2.0.2.806
Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 12-9-2003 2:28:14
Last accessed : 15-5-2004 22:00:00
Last modified : 12-9-2003 2:28:14

#:22 [realsched.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294573447
Threads : 3
Priority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3034
ProductVersion : 0.1.0.3034
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 16-5-2004 11:13:20
Last accessed : 15-5-2004 22:00:00
Last modified : 16-5-2004 11:13:22

#:23 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294382767
Threads : 3
Priority : Normal
FileSize : 44 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:24 [kazaalite.kpp]
FilePath : C:\PROGRAM FILES\KAZAA LITE K++\
ProcessID : 4294233163
Threads : 11
Priority : Normal
FileSize : 2182 KB
Created on : 16-7-2003 16:19:52
Last accessed : 15-5-2004 22:00:00
Last modified : 16-7-2003 16:19:52

#:25 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294297511
Threads : 9
Priority : Realtime
FileSize : 32 KB
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 13-8-2003 20:42:53
Last accessed : 15-5-2004 22:00:00
Last modified : 11-12-2002 22:14:32

#:26 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4226072847
Threads : 1
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Besturingssysteem Microsoft
Created on : 4-9-2002 7:10:22
Last accessed : 15-5-2004 22:00:00
Last modified : 4-9-2002 7:10:22

#:27 [msimn.exe]
FilePath : C:\PROGRAM FILES\OUTLOOK EXPRESS\
ProcessID : 4294358163
Threads : 10
Priority : Normal
FileSize : 55 KB
FileVersion : 6.00.2800.1123
ProductVersion : 6.00.2800.1123
CompanyName : Microsoft Corporation
FileDescription : Outlook Express
InternalName : MSIMN
OriginalFilename : MSIMN.EXE
ProductName : Besturingssysteem Microsoft
Created on : 23-10-2002 14:55:18
Last accessed : 15-5-2004 22:00:00
Last modified : 23-10-2002 14:55:18

#:28 [pstores.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294433411
Threads : 5
Priority : Normal
FileSize : 82 KB
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
OriginalFilename : Protected storage server
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 1-1-1601
Last accessed : 15-5-2004 22:00:00
Last modified : 8-6-2000 15:00:00

#:29 [msnmsgr.exe]
FilePath : C:\PROGRAM FILES\MSN MESSENGER\
ProcessID : 4226018675
Threads : 12
Priority : Normal
FileSize : 4768 KB
FileVersion : 6.2.0133
ProductVersion : Version 6.2
Copyright : Copyright (c) Microsoft Corporation 1997-2004
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : MSN Messenger
Created on : 19-4-2004 3:45:08
Last accessed : 15-5-2004 22:00:00
Last modified : 19-4-2004 3:45:08

#:30 [hpzstatx.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4225929763
Threads : 6
Priority : Normal
FileSize : 156 KB
FileVersion : 1.14.2000
ProductVersion : 1.14.2000
Copyright : Copyright 1999
CompanyName : Hewlett-Packard Company
FileDescription : DJStatusServer Module
InternalName : DJSTATUSSERVER
OriginalFilename : DJSTATUSSERVER.EXE
ProductName : DJStatusServer Module
Created on : 29-12-1999 17:02:54
Last accessed : 15-5-2004 22:00:00
Last modified : 29-12-1999 17:02:54

#:31 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4225930095
Threads : 5
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 24-4-2004 22:06:13
Last accessed : 15-5-2004 22:00:00
Last modified : 12-7-2003 20:00:20

#:32 [wmplayer.exe]
FilePath : C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\
ProcessID : 4225765439
Threads : 21
Priority : Normal
FileSize : 72 KB
FileVersion : 9.00.00.2980
ProductVersion : 9.00.00.2980
Copyright : (C) Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Windows Media Player
InternalName : WMPLAYER.EXE
OriginalFilename : WMPLAYER.EXE
ProductName : Microsoft(R) Windows Media Player
Created on : 12-5-2004 13:24:53
Last accessed : 15-5-2004 22:00:00
Last modified : 11-12-2002 15:27:32

#:33 [winword.exe]
FilePath : C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\
ProcessID : 4227550395
Threads : 2
Priority : Normal
FileSize : 8604 KB
FileVersion : 9.0.3822
ProductVersion : 9.0.3822
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Word for Windows
InternalName : WinWord
OriginalFilename : WinWord.exe
ProductName : Microsoft Office 2000
Created on : 24-2-2000 16:23:44
Last accessed : 15-5-2004 22:00:00
Last modified : 24-2-2000 16:23:44

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{D842EB61-A56A-4E0B-A5A6-F269BD3867F8}


CoolWebSearch Object recognized!
Type : File
Data : ekgee.dll
Object : c:\windows\system\
FileSize : 30 KB
Created on : 12-5-2004 11:16:38
Last accessed : 15-5-2004 22:00:00
Last modified : 12-5-2004 11:16:40



CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{E6D92140-CA74-421B-9C40-ADD33F437F03}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/plain


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E6D92140-CA74-421B-9C40-ADD33F437F03}


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 8
Objects found so far: 10


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 11


22:00:33 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:18:33:510
Objects scanned :38022
Objects identified :11
Objects ignored :0
New objects :11




De 3 regdat's hebben risico MEDIUM.

 

[ellenmeisje]

hoi pieter,

deze van mariska1972 lijkt wel heel veel op de startpagina waar ik nog steeds last van heb, ik heb nog steeds niet kunnen vinden waar hij nou verstopt zit.
Hij komt elke dag nog zo'n 5 keer tevoorschijn en dan verwijder ik de .dll maar de oorzaak???? nog steeds niet gevonden.

 

[Pieter Arntz]

Hoi mariska1972,

Download en unzip: "StartDreck"
Dubbelklik: 'StartDreck.exe' > config Unmark all
Vink alleen deze aan:
Registry->run keys
System/drivers> Running processes
en klik op OK

Zoek in het log naar dit gedeelte:

»Local Machine
»RunServicesOnce
**ozkc=rundll32 C:\WINDOWS\SYSTEM\XXXXX.DLL,StreamingDeviceSetup

XXXXX.DLL is dan degene die verwijderd moet worden.

Groetjes,

Pieter

 

[Olav]

Geplaatst door ellenmeisje
hoi pieter,

deze van mariska1972 lijkt wel heel veel op de startpagina waar ik nog steeds last van heb, ik heb nog steeds niet kunnen vinden waar hij nou verstopt zit.
Hij komt elke dag nog zo'n 5 keer tevoorschijn en dan verwijder ik de .dll maar de oorzaak???? nog steeds niet gevonden.

Hoi Ellenmeisje,
Pieter is al een tijdje bezig met Mariska naar de oorsprong van haar probleem te zoeken.
Bijna ieder probleem hier is uniek. Zou jij je Hijack This log hier willen plaatsen zodat we jou misschien wel er vanaf kunnen helpen, want alleen een dll-etje verwijderen werkt niet.

Groeten,
Olav

 

[ellenmeisje]

hoi, pieter was al een poosje met mijn .dll bezig maar hier is mijn hijack this log, ik heb gescand met alles wat ik maar van pieter gekregen heb.
Dit log is gemaakt nadat de startpagina zich weer aangemeld had.

Logfile of HijackThis v1.97.7
Scan saved at 22:45:24, on 16-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\PowerS.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\PV-CX881PL+\TVRMVCR.EXE
C:\Program Files\PV-CX881PL+\TVSCHL.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\FTDv3\FTDv3.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
C:\Documents and Settings\smit\Mijn documenten\Mijn ontvangen bestanden\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ddbjd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\ddbjd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\program files\acrobat reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [siabcs] C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Remote Controller.lnk = C:\Program Files\PV-CX881PL+\TVRMVCR.EXE
O4 - Global Startup: TVSCHL.lnk = C:\Program Files\PV-CX881PL+\TVSCHL.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://geotoo.mkm-wpe.net/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

 

[mariska1972]

StartDreck (build 2.1.5 public BETA) - 2004-05-16 @ 22:45:30
Platform: Windows ME (Win 4.90.3000 )

»Registry
»Run Keys
»Current User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Default User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*EnsoniqMixer=starter.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*CHotKey=mHotkey.exe
*LoadQM=loadqm.exe
*HPDJ Taskbar Utility=C:\WINDOWS\SYSTEM\hpztsb05.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*URLLSTCK.exe=C:\Program Files\Norton Internet Security\UrlLstCk.exe
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*ccProxy=C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
*SndSrvc=C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FF0F242B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFF1B3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFE51A7=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE5FE3=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFECCEF=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFEDB77=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
*FFFD483F=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
*FFFD73DB=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
*FFFD0B63=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
*FFFE3A7F=C:\WINDOWS\EXPLORER.EXE
*FFFDC1DB=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
*FFFCAD9F=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
*FFFB0E53=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
*FFF93B27=C:\WINDOWS\TASKMON.EXE
*FFF9A1DF=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF9850B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFDDDAB=C:\WINDOWS\STARTER.EXE
*FFF9BDB3=C:\WINDOWS\MHOTKEY.EXE
*FFF75047=C:\WINDOWS\LOADQM.EXE
*FFF82873=C:\WINDOWS\SYSTEM\HPZTSB05.EXE
*FFF8E553=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
*FFF9FD87=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
*FFF714AF=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFF4CC4B=C:\PROGRAM FILES\KAZAA LITE K++\KAZAALITE.KPP
*FFF5C7A7=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FBE4C10F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF7DA83=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FBE3ED73=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
*FBE29223=C:\WINDOWS\SYSTEM\HPZSTATX.EXE
*FFF07117=C:\ZIP EN UNZIP\WINZIP\WINZIP32.EXE
*FBFBC6B7=C:\WINDOWS\TEMP\STARTDRECK.EXE
»Application specific


Pieter dit is dan de log.
Ik achterhaal niet het door jou bedoelde dll bestandje of ??

 

[Olav]

Geplaatst door ellenmeisje
hoi, pieter was al een poosje met mijn .dll bezig maar hier is mijn hijack this log, ik heb gescand met alles wat ik maar van pieter gekregen heb.

Oooh sorry, dat wist ik niet.
Welke stappen neem je als startpagina die weer terug is? En wat verwijder je precies uit de log zoals je hem hierboven hebt geplaatst?

Groeten,
Olav

 

[ellenmeisje]

ik verwijder de .dll met CWShredder, dan duurt het weer een tijdje voordat hij weer tevoorschijn komt.

dit is de log nadat CWShredder 2 bestanden heeft verwijderd
Logfile of HijackThis v1.97.7
Scan saved at 23:04:59, on 16-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\PowerS.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\PV-CX881PL+\TVRMVCR.EXE
C:\Program Files\PV-CX881PL+\TVSCHL.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\FTDv3\FTDv3.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\smit\Mijn documenten\Mijn ontvangen bestanden\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\program files\acrobat reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [siabcs] C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Remote Controller.lnk = C:\Program Files\PV-CX881PL+\TVRMVCR.EXE
O4 - Global Startup: TVSCHL.lnk = C:\Program Files\PV-CX881PL+\TVSCHL.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://geotoo.mkm-wpe.net/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

groeten,
Ellen

 

[IOWA]

lastpak verwijderd!!!!

Ik heb het advies van Willhackforbeer nog een keer uitgevoerd in de veilige modus, nadat ik eerst nog een scan heb laten doen door Spybot.

Resultaat: de lastpak trojan ( ik denk dat het er een was) is verwijderd.

Ik heb nu weer een "maagdelijke" hijackthis log, kijk maar:

Logfile of HijackThis v1.97.7
Scan saved at 1:06:38, on 15-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Free Surfer\fs20.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Util\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sonic.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Onderzoekscentrum (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

Bedankt voor de goede adviezen.

:thumb: :thumb:

 

[Olav]

Hoi Ellenmeisje
Hmmm, ziet er idd schoon uit zo.
Als je met CWShredder hebt gefixed. Controleer je dan in veilige modus of dit bestand: C:\WINDOWS\System32\ddbjd.dll ook echt weg is

Misschien een andere weg. Heb je Messenger Plus al eens gedeinstalleerd en de nieuwste versie erop gezet ZONDER sponsor programma?
Die Messenger Plus met sponsor programma komt namelijk ook met die rotzooi.
De-installeren kan gewoon via Configuratiescherm --> Toevoegen / verwijderen software.
Tijdens het installeren van Messenger Plus kies je als eerste de custom installatie en niet het standaard installatie. Verder moet je goed lezen want dat sponsor programma is namelijk zo ingepakt alsof het lijkt dat je instemt met algemene voorwaarden, terwijl je instemt met het installeren van die rotzooi.

Als dat ook allemaal niet helpt ben ik bang dat ik je niet meer kan helpen en dat je Pieter en Mariska maar verder moet volgen.
Succes,
Olav

 

[gnoe]

ik kan mijn startpagina niet meer instellen
weet iemand wat er schort?

Logfile of HijackThis v1.97.7
Scan saved at 23:28:17, on 16-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\RealPlayer\RealPlay.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\wn32.exe
C:\Program Files\LookNMeet\Agent.exe
C:\Program Files\OpenOffice\program\soffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\FileZilla\filezilla.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\peeter\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: AdsManager Class - {D1C8F9CE-563E-11D8-813C-005022E14DE2} - C:\Program Files\LookNMeet\AddAPI.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DF1EE67-26DC-4E73-B65D-8DF1B8BC9660} - C:\WINDOWS\System32\biaoida.dll
O2 - BHO: System - {D1C8F9CE-563E-11D8-813C-005022E14DE2} - C:\Program Files\LookNMeet\AddAPI.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [VideoDriver] C:\WINDOWS\System32\wn32.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [LookNMeet] C:\Program Files\LookNMeet\Agent.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: LookNMeet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C9A703E2-3145-11D8-813C-005022E14DE2} (Installer Class) - http://www.looknmeet.be:8080/lnm_v4/agent/LNMAgentInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

alvast bedankt

 

[smallcat]

Logfile

Hallo mensen,

Gaarne ook onnodige startup items verwijderen.

De klacht was dat IE niet meer wilde opstarten.
Ik heb gescand met Ad-Aware en Spybot en ontzettend veel spyware weggehaald.

N.a.v. alarmerend berichten over dure inbelverbindingen heb ik Dialer Detect geïnstalleerd.

IE start nu weer op, maar ik krijg geen verbinding met internet. Dus het probleem is nog niet opgelost.

Derhalve onderstaand mijn logbestand.

Logfile of HijackThis v1.97.7
Scan saved at 16:52:36, on 14-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\toskrnln.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\FSG\DialerDetect\dd.exe
C:\WINDOWS\webshots.scr
C:\DOCUME~1\FRANSH~1\LOCALS~1\Temp\FelixTemp\Felix2.exe
C:\Documents and Settings\Frans Hoebee\Mijn documenten\Downloads\Hijack\Hijack Unzipped\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [toskrnln] C:\WINDOWS\System32\toskrnln.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: Dialer Detect.lnk = C:\Program Files\FSG\DialerDetect\dd.exe
O4 - Startup: FELIX2.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

Alvast bedankt!
Ineke

 

[JoopF]

Re: Re: Alsnog

Geplaatst door Pieter Arntz


Hoi JoopF,

Vink de bovenstaande items aan in HijackThis, sluit alle vensters en klik op Fix checked.

Start daarna opnieuw op.

Groetjes,

Pieter

Bedankt,
Item gedelete. Helaas is het probleem nog niet weg.
Overigens krijg ik steeds mails met antwoorden op de vraag 'help mij tegen spywareoffensief' doch die vraag heb ik nooit gesteld.

Groets Joop

 

[Olav]

Re: Re: Re: Alsnog

Geplaatst door JoopF

Overigens krijg ik steeds mails met antwoorden op de vraag 'help mij tegen spywareoffensief' doch die vraag heb ik nooit gesteld.

Groets Joop

Hallo JoopF
Dat komt, simpel gezegd, doordat je hier 1x een vraag hebt gesteld. Elke keer als er een antwoord komt, dan komt er een mailtje jouw kant op. Je kan je voor deze post afmelden als je geen mailtjes meer wilt hebben tot dat jezelf weer een nieuwe vraag stelt door naar je profiel te gaan (knop rechts bovenaan de pagina).
Daar staat "Aangemelde vragen met nieuwe berichten sinds je laatste bezoek"
Daaronder staat "Helpmij tegen spyware offensief (deel 4)" daar achter in wat kleinere lettertjes "[afmelden]" Klik op dat "afmelden".

Staat dat "Helpmij tegen spyware offensief (deel 4)" er nou niet, klik dan op "(bekijk alle aangemelden onderwerpen) " en klik daar dan op "[afmelden]" achter deze vraag.
Succes.
Olav

 

[Olav]

Geplaatst door gnoe
ik kan mijn startpagina niet meer instellen
weet iemand wat er schort?

C:\Documents and Settings\peeter\Desktop\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\biaoida.dll/sp.html (obfuscated)


O2 - BHO: (no name) - {4DF1EE67-26DC-4E73-B65D-8DF1B8BC9660} - C:\WINDOWS\System32\biaoida.dll

Hallo gnoe,
Op de eerste plaats adviseer ik je om HijackThis in een eigen aparte map te zetten voor je gaat scannen en fixen. HijackThis maakt namelijk backups en plaatst die in de map / plaatst vanwaar Hijack This runt. In jouw geval wordt dat dus op je bureaublad.

Ten tweede: Wees voorzichtig met LookNMeet --> http://www.consumentenbond.nl/doemee/157316/165531/165535/?ticket=nietlid&view=forum_reacties&threadid=6482]reden[/url] Daarbij vertouw ik het niet helemaal dat zo'n website software bij je moet installeren. Beetje onzin. Er is ook nergens geen informatie terug te vinden (althans niet voordat je je inschrijft) over die software, wat het is, wat het doet etc.

Ok:
Of we je kunnen helpen weet ik niet, maar we gaan het proberen. (lees hier waarom)
Download ten eerste CWShredder, maar run hem nog niet.
Vink de bovenstaande items aan in je Hijack This, sluit alle schermen behalve Hijack This en klik op "Fix checked".

Herstart daarna de pc in veilige modus en controleer of
C:\WINDOWS\System32\biaoida.dll echt weg is.
Herstart je PC nog niet, maar start nu CWShredder, klik op de knop Fix en volg de aanwijzingen.

Herstart de pc nu weer normaal op en controleer met Hijack This of het allemaal ok is.

Succes,
Olav

 

[Olav]

Re: Logfile

Geplaatst door smallcat
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe


R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

Alvast bedankt!
Ineke

Hallo Ineke,
Op de eerste plaats kwam ik een bestand tegen wat ik niet ken en waar ik ook geen informatie over kon vinden, C:\WINDOWS\System32\toskrnln.exe. Als je er met je rechtermuis knop op gaat staan en klikt op eigenschappen. Kijk daar eens in tabblad Versie welke informatie daar staat. Kan je die even doorgeven hier?

je zegt met Ad-aware te hebben gescanned. Heb je wel Ad-aware versie 6.181 gebruikt en geupdate?
Die zou namelijk die alchem.exe eruit moeten halen en kunnen fixen.
Scan eerst daar anders nog eens mee.

Download daarna CWShredder, maar run hem nog niet.
Vink alle bovenstaande items aan in Hijack This en sluit alle vensters, behalve Hijack This zelf. Klik vervolgens op Fix Checked.
Herstart de PC in veilige modus en verwijder:
C:\Program Files\MyWebSearch\ <-- hele map.

Herstart de pc nog niet, maar start nu CWShredder op en klik op de knop Fix. Volg de aanwijzingen.

Herstart de pc nu nomaal op en scan nogmaals met Hijack This om te controleren.

Succes,
Olav
PS zie volgend bericht voor onnodige opstarts