Helpmij against the spyware offensive (part 4)

Status
Not open for further replies.
Sorry, I realised too late that the txt file should not be added as an attachment but pasted into this field.

Logfile of HijackThis v1.97.7
Scan saved at 23:06:32, on 4-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Klant\Mijn documenten\kjo\hijack\HijackThis.exe
D:\Documents and Settings\Klant\Mijn documenten\kjo\hijack\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jfc.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O1 - Hosts: 198.65.164.171 ehttp.cc
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 www.00hq.com
O1 - Hosts: 198.65.164.168 winshow.biz
O1 - Hosts: 198.65.164.168 www.winshow.biz
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 www.8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O1 - Hosts: 198.65.164.170 www.search-aid.com
O1 - Hosts: 198.65.164.170 www.search2004.net
O1 - Hosts: 198.65.164.170 alfaporn.com
O1 - Hosts: 198.65.164.170 toteen.com
O1 - Hosts: 198.65.164.170 uuporn.com
O1 - Hosts: 198.65.164.170 cz3.clickzs.com
O1 - Hosts: 198.65.164.170 cz4.clickzs.com
O1 - Hosts: 198.65.164.170 cz8.clickzs.com
O1 - Hosts: 198.65.164.170 cz6.clickzs.com
O1 - Hosts: 198.65.164.170 cz7.clickzs.com
O1 - Hosts: 198.65.164.170 cz9.clickzs.com
O1 - Hosts: 198.65.164.170 cz5.clickzs.com
O1 - Hosts: 198.65.164.170 xnxxx.com
O1 - Hosts: 198.65.164.170 www.xnxxx.com
O1 - Hosts: 198.65.164.170 hot-gallery.com
O1 - Hosts: 198.65.164.170 www.hot-gallery.com
O1 - Hosts: 198.65.164.170 big-penis.day4sex.com
O1 - Hosts: 198.65.164.170 penis-enlargement.day4sex.com
O1 - Hosts: 198.65.164.170 www.day4sex.com
O1 - Hosts: 198.65.164.170 day4sex.com
O1 - Hosts: 198.65.164.170 www.superpornlist.com
O1 - Hosts: 198.65.164.170 superpornlist.com
O1 - Hosts: 198.65.164.170 www.medical-penis-enlargement.com
O1 - Hosts: 198.65.164.170 www.penisimprovement.com
O1 - Hosts: 198.65.164.170 www.penisenlargementmagazine.com
O1 - Hosts: 198.65.164.170 www.americas-drugstore.com
O1 - Hosts: 198.65.164.170 www.power-enlarge.com
O1 - Hosts: 198.65.164.170 www.newsexgate.com
O1 - Hosts: 198.65.164.170 newsexgate.com
O1 - Hosts: 198.65.164.170 www.theadultgate.com
O1 - Hosts: 198.65.164.170 theadultgate.com
O1 - Hosts: 198.65.164.170 www.overmix.com
O1 - Hosts: 198.65.164.170 overmix.com
O1 - Hosts: 198.65.164.170 www.hornygate.com
O1 - Hosts: 198.65.164.170 hornygate.com
O1 - Hosts: 198.65.164.170 www.sexxx-start.com
O1 - Hosts: 198.65.164.170 sexxx-start.com
O1 - Hosts: 198.65.164.170 www.logtoporn.com
O1 - Hosts: 198.65.164.170 logtoporn.com
O1 - Hosts: 198.65.164.170 www.3xpower.com
O1 - Hosts: 198.65.164.170 3xpower.com
O1 - Hosts: 198.65.164.170 www.hardcorevibe.com
O1 - Hosts: 198.65.164.170 hardcorevibe.com
O1 - Hosts: 198.65.164.170 www.uuporn.com
O1 - Hosts: 198.65.164.170 adp.ikena.com
O1 - Hosts: 198.65.164.170 orbitexplorer.com
O1 - Hosts: 198.65.164.170 www.orbitexplorer.com
O1 - Hosts: 198.65.164.170 sqwire.com
O1 - Hosts: 198.65.164.170 www.sqwire.com
O1 - Hosts: 198.65.164.170 browserwise.com
O1 - Hosts: 198.65.164.170 www.browserwise.com
O1 - Hosts: 198.65.164.170 xjupiter.com
O1 - Hosts: 198.65.164.170 www.xjupiter.com
O1 - Hosts: 198.65.164.170 www.f1organizer.com
O1 - Hosts: 198.65.164.170 www.r-vision.org
O1 - Hosts: 198.65.164.170 www3.abcsearch.com
O1 - Hosts: 198.65.164.170 iads.adroar.com
O1 - Hosts: 198.65.164.170 lists.adroar.com
O1 - Hosts: 198.65.164.170 bar.baidu.com
O1 - Hosts: 198.65.164.170 www.browsertoolbar.com
O1 - Hosts: 198.65.164.170 www.bulla.com
O1 - Hosts: 198.65.164.170 cantfind.com
O1 - Hosts: 198.65.164.170 www.cantfind.com
O1 - Hosts: 198.65.164.170 c.clickaire.com
O1 - Hosts: 198.65.164.170 default-homepage-network.com
O1 - Hosts: 198.65.164.170 www.default-homepage-network.com
O1 - Hosts: 198.65.164.170 www.ebates.com
O1 - Hosts: 198.65.164.170 errorpage404.com
O1 - Hosts: 198.65.164.170 www.errorpage404.com
O1 - Hosts: 198.65.164.170 www.escorcher.com
O1 - Hosts: 198.65.164.170 www.ezcybersearch.com
O1 - Hosts: 198.65.164.170 featured-results.com
O1 - Hosts: 198.65.164.170 www.find-now.info
O1 - Hosts: 198.65.164.170 www1.baidu.com
O1 - Hosts: 198.65.164.170 www.firstpop.com
O1 - Hosts: 198.65.164.170 coreg.flashtrack.net
O1 - Hosts: 198.65.164.170 www.flashtrack.net
O1 - Hosts: 198.65.164.170 www.freehistorycleaner.com
O1 - Hosts: 198.65.164.170 getupdate.com
O1 - Hosts: 198.65.164.170 www.getupdate.com
O1 - Hosts: 198.65.164.170 auto.search.msn.com
O1 - Hosts: 198.65.164.170 server224.smartbotpro.net
O1 - Hosts: 198.65.164.170 ie.marketdart.com
O1 - Hosts: 198.65.164.170 www.idgsearch.com
O1 - Hosts: 198.65.164.170 www.alfa-search.com
O1 - Hosts: 198.65.164.170 webcoolsearch.com
O1 - Hosts: 198.65.164.170 i-lookup.com
O1 - Hosts: 198.65.164.170 www.hand-book.com
O1 - Hosts: 198.65.164.170 allneedsearch.com
O1 - Hosts: 198.65.164.170 www.rightfinder.net
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38037.3079398148
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
 
Posted by Pieter Arntz


Hi espoir007,

*** can go.

The first one I don't know, and I can't find much about it either.
Any idea what it's for?

Regards,

Pieter

thank you... I've lost HijackThis, tomorrow I'll try to find the answer for you...
:thumb:
 
spyware

Here it is:
Logfile of HijackThis v1.97.7
Scan saved at 0:19:10, on 5-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zdnet.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek (HKLM)
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {5623F093-DACE-4027-ABBE-751F5BB7878E} (PXSLoader Class) - http://plugin.payload.nl/run/loader/payloadloader.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38052.0168287037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Posted by Pieter Arntz


Hi Tima,

Yes, your log was fine.
I also looked up the computer's DNS servers; they belong to Wanadoo, so that shouldn't be the cause either.
If the file hosts (with nothing before or after it) doesn't exist, you don't need to look any further. Then that isn't the cause either.

You said it concerned something illegal. Could something be filtering it out?

Regards,

Pieter

Well, illegal, let me put it this way: at first I thought it was Stichting Brein :D. No, I'm an uploader on a download site. So illegal according to Helpmij and the law.

But it's working again. Switched the PC on this morning and it worked again. I did save your answer though, because you never know.

Thanks again, Pieter :thumb:
:love:
 
Posted by kees326

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Hi kees326,

Tick the above in HijackThis, then close all windows except HijackThis and click Fix checked.

Then restart and delete:
C:\Program Files\MyWay <= the whole folder
C:\Program Files\Common files\updmgr <= the whole folder

Then look up this file:
C:\WINDOWS\system32\drivers\etc\hosts

The hosts file is a kind of phone book, and yours looks a bit odd. You are being redirected from one spyware site to another.

There are really two things you can do:
- destroy the hosts file if you don't use it for anything useful anyway.

- open the hosts file with Notepad, then click Edit > Replace > enter 198.65.164 in the top box and 127.0.0 in the bottom box, and then Replace All.
That way all requests for those sites are routed back to your own computer and you can never visit them again (and so can't get infected by them anymore).

Regards,

Pieter
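An added example, not from this thread and not part of HijackThis: a small Python script that reads the `O1 - Hosts:` lines of a log like the ones above, reports every host that is redirected somewhere other than loopback, and writes a corrected mapping with each such host pointed at 127.0.0.1 (the same effect as the Replace in Notepad, generalised to any redirect address). The sample lines are constructed from the log in this thread; `SAMPLE_LOG` and the function names are mine.

```python
"""Classify the 'O1 - Hosts:' entries of a HijackThis log and neutralise hijacks.

Added example (not part of the original thread or of HijackThis itself). It
automates what the post above describes: every host mapped to an address other
than loopback is a redirect, and pointing it at 127.0.0.1 turns the redirect
into a plain block.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Line shape produced by HijackThis 1.97.x for hosts-file entries (see the logs above).
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")

# Constructed sample, modelled on the log above (addresses and hosts taken from it,
# plus one deliberately malformed entry to show the edge case).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.jfc.nl/
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.170 auto.search.msn.com
O1 - Hosts: not-an-ip broken.entry
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\x\\AcroIEHelper.dll
"""


def parse_o1_lines(log_text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs for every O1 line; other lines are ignored."""
    pairs = []
    for line in log_text.splitlines():
        match = O1_RE.match(line.strip())
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


def is_blocking_target(address: str) -> bool:
    """True if the mapping only blocks the host (loopback or 0.0.0.0).

    Any other address, and anything that is not a valid IP at all, makes the
    entry a redirect to a machine the user did not choose.
    """
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group the redirected hostnames by the address they are sent to."""
    hijacks: Dict[str, List[str]] = {}
    for address, host in pairs:
        if not is_blocking_target(address):
            hijacks.setdefault(address, []).append(host)
    return hijacks


def neutralise(pairs: List[Tuple[str, str]]) -> str:
    """Build hosts-file content with every redirect pointed at loopback.

    This generalises the Notepad replace (198.65.164 -> 127.0.0) from the post:
    it works for any redirect address and uses 127.0.0.1 for all of them, which
    is equivalent because the whole 127/8 range is loopback.
    """
    out = []
    for address, host in pairs:
        target = address if is_blocking_target(address) else "127.0.0.1"
        out.append(f"{target}\t{host}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries = parse_o1_lines(SAMPLE_LOG)
    for address, hosts in find_hijacks(entries).items():
        print(f"{len(hosts)} host(s) redirected to {address}: {', '.join(hosts)}")
    print("--- neutralised hosts file ---")
    print(neutralise(entries), end="")
```

Review the report before writing the result over the real hosts file: an entry that points a legitimate name (here auto.search.msn.com) at an outside address is exactly the kind of redirect the post describes, and blocking it is the safe default.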
 
Sorry, blond!

OK, let's try again, because I think I hadn't put the log in the right place. Hopefully this time...

Logfile of HijackThis v1.97.7
Scan saved at 11:24:11, on 5-5-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\SYSTEM32\Mounter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trust keyboard utility\1.0\KbdAp32A.exe
C:\WINDOWS\SPMSMON.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SHIMGL~1\mapi amok.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Danielle\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MANAGERWINDOW - {EC2DF0CC-C5FF-F6A1-F100-00E53928C717} - C:\PROGRA~1\dashmix\parttons.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Mustek MDC 3000] C:\WINDOWS\SYSTEM32\Mounter.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMTRUSTKB] C:\Program Files\Trust keyboard utility\1.0\KbdAp32A.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINDOWS\SPMSMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [locks camp] C:\PROGRA~1\SHIMGL~1\mapi amok.exe
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spx: C:\Program Files\OpenSpxPlugin\npspx32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - http://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Help?

Anything that isn't interesting can go as far as I'm concerned. Thanks in advance :D


Logfile of HijackThis v1.97.7
Scan saved at 12:14:28, on 5-5-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\NORMAN\NVC\BIN\ZANDA.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\PROGRAM FILES\ALWIL ANTIVIRUS SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\NORMAN\NVC\BIN\CCLAW.EXE
C:\NORMAN\NVC\BIN\NVCSCHED.EXE
C:\NORMAN\NVC\BIN\NJEEVES.EXE
C:\NORMAN\NVC\BIN\NIP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\NORMAN\NVC\BIN\ZLH.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL ANTIVIRUS SOFTWARE\AVAST4\ASHMAISV.EXE
C:\NORMAN\NVC\BIN\NYMSE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\NORMAN\NVC\BIN\NIU.EXE
C:\PROGRAM FILES\NTS\WANADOO CABLE\APP\ENTERNET.EXE
C:\PROGRAM FILES\ALWIL ANTIVIRUS SOFTWARE\AVAST4\SETUP\AVAST.SETUP
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\BURçMAP\TEGENRECLAMEPOPUPS\POPUPPOPPER\POPUPPER\POPLIB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILA~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZANDA.EXE /LOAD
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Antivirus Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Save Flash - res://C:\PROGRAM FILES\FLASH SAVING PLUGIN\FLASHSBUTTON.DLL/210
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: Flash (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37937.1450925926
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/1d/player.virtools.com/downloads/player/Install2.1/Installer.exe
 
Re: Sorry, blond!

Posted by Danee

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O3 - Toolbar: MANAGERWINDOW - {EC2DF0CC-C5FF-F6A1-F100-00E53928C717} - C:\PROGRA~1\dashmix\parttons.dll (file missing)

O4 - HKLM\..\Run: [locks camp] C:\PROGRA~1\SHIMGL~1\mapi amok.exe
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe

Hi Danee,

First unzip hijackthis.exe to a separate folder. The program makes backups in the folder where the .exe is located. In a Temp folder those tend to disappear rather easily.

Tick the above in HijackThis, then close all windows except HijackThis and click Fix checked.

Then restart in safe mode and delete:
C:\Program Files\dashmix <= the whole folder
C:\Program Files\SHIMGL~1 <= the whole folder, with the file mapi amok.exe in it.
C:\Program Files\TV Media <= the whole folder
C:\WINDOWS\mslagent <= the whole folder

Regards,

Pieter
 
Re: Help?

Posted by BK4LiFe


O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot ***
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime ***

Hi BK4LiFe,

*** are superfluous, I think.

Tick the above in HijackThis, then close all windows except HijackThis and click Fix checked.

Then restart.

No problems running Norman and Avast side by side?

Regards,

Pieter
 
Here is my logfile; anything that isn't really important can go. I scanned with Ad-Aware 6 first.

Logfile of HijackThis v1.97.7
Scan saved at 13:02:10, on 5-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\PowerDesk8\PDeskNet.exe
F:\Programs\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startpagina.nl/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\System32\PowerDesk8\PowerDesk.exe /silent
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [lml] C:\WINDOWS\lml.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O9 - Extra button: ANWB (HKLM)
O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - http://www.advnt01.com/dialer/olanda_ver3.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1076515555593
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.oyunfabrikasi.com/nl/2/060187nl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37956.2536921296
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanks again in advance for the trouble taken
 
Another one from an acquaintance.
The complaint is that MSN keeps getting set as the start page and Norton gets switched off.
The whole thing has been scanned with Ad-Aware and with Norton.

Logfile of HijackThis v1.97.7
Scan saved at 13:12:35, on 5-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RamActive\RamActive.exe
C:\PROGRA~1\BATBUR~1\Bias drive.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AntiCapsLock\CAPS.EXE
C:\Program Files\DLMage\DnloadMage.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Documents and Settings\fred leurs\Local Settings\Temporary Internet Files\Content.IE5\K9U74TYZ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linktipper.nl/leden/start.php?lid=4019
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {3009E25F-C1D7-DFD3-E393-BA4B7887072B} - C:\PROGRA~1\TOOLAM~1\inside keep.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Love Active Option - {99E229C1-7CC5-C314-4449-11E3E1B63571} - C:\PROGRA~1\TOOLAM~1\inside keep.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [RamActive] C:\Program Files\RamActive\RamActive.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [DATE ANTI] C:\PROGRA~1\BATBUR~1\Bias drive.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Download Mage.lnk = C:\Program Files\DLMage\DnloadMage.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Global Startup: AntiCapsLock.lnk = C:\Program Files\AntiCapsLock\CAPS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://bins.roings.com/mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Pieter rules too

:thumb:

Thank you for your help so far, Pieter, I'll get to work right away. Luckily I was already smart enough to create a separate folder for HijackThis, on the advice of Buffy and Raisa. But I'll pass all of this on to Santa Claus, because you all deserve something for this help to all of us. I'll report back on whether it all worked out; a bit of feedback is always nice.

:love:
 
Posted by creabea

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe ***

O4 - HKLM\..\Run: [lml] C:\WINDOWS\lml.exe

O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - http://www.advnt01.com/dialer/olanda_ver3.CAB

O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.oyunfabrikasi.com/nl/2/060187nl.exe

Hi creabea,

Still keeping an open house for dialers? ;)

*** is unnecessary

Tick the above in HijackThis, then close all windows except HijackThis and click Fix checked.

Then reboot into safe mode and delete:
C:\WINDOWS\lml.exe

Regards,

Pieter
 
Posted by wajang

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O2 - BHO: (no name) - {3009E25F-C1D7-DFD3-E393-BA4B7887072B} - C:\PROGRA~1\TOOLAM~1\inside keep.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Love Active Option - {99E229C1-7CC5-C314-4449-11E3E1B63571} - C:\PROGRA~1\TOOLAM~1\inside keep.dll

O4 - HKLM\..\Run: [DATE ANTI] C:\PROGRA~1\BATBUR~1\Bias drive.exe

O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://bins.roings.com/mp3.cab

Hi wajang,

First unzip hijackthis.exe to a separate folder. The program makes backups in the folder where the .exe is located. In a Temp folder those disappear rather easily.

Tick the above in HijackThis, then close all windows except HijackThis and click Fix checked.

Then reboot into safe mode and delete:
C:\Program Files\TOOLAM~1 <= the whole folder containing inside keep.dll
C:\Program Files\BATBUR~1 <= the whole folder containing Bias drive.exe
C:\Program Files\Toolbar <= the whole folder

Regards,

Pieter
 
Hi Pieter,

I did everything as you described, but could not find C:\WINDOWS\lml.exe
in safe mode; I then also turned on "show all files" for a moment, but it was not visible there either.
I had already deleted it once before, but not in safe mode, so maybe that is why it came back.

Thanks again, you deserve a pat on the back for everything you do here :thumb:
 
Posted by creabea

I did everything as you described, but could not find C:\WINDOWS\lml.exe
in safe mode; I then also turned on "show all files" for a moment, but it was not visible there either.
I had already deleted it once before, but not in safe mode, so maybe that is why it came back.

Oh, but if you had already deleted the file earlier, that explains it. That it still appeared in your log means Windows was still trying to start it.

Regards,

Pieter
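As an added example (not code from this thread, nor part of HijackThis itself): a small Python triage script that applies the signals Pieter relies on in the fix list above, and in his explanation of why an already-deleted program keeps appearing in the log, to lines in HijackThis v1.97 log format. The sample log, the allowlist of trusted ActiveX download hosts and the set of files "present on disk" are all constructed for the example and are assumptions, not data from the thread.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format, modelled on the kind of
# entries discussed in this thread. It is not one of the logs posted above.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {3009E25F-C1D7-DFD3-E393-BA4B7887072B} - C:\PROGRA~1\TOOLAM~1\inside keep.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [DATE ANTI] C:\PROGRA~1\BATBUR~1\Bias drive.exe
O4 - HKLM\..\Run: [lml] C:\WINDOWS\lml.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.oyunfabrikasi.com/nl/2/060187nl.exe
"""

# Assumed allowlist of hosts from which ActiveX packages (O16) are expected
# on a 2004-era PC; adjust it to your own environment.
TRUSTED_DPF_HOSTS = {
    "download.macromedia.com", "download.microsoft.com", "www.microsoft.com",
    "v4.windowsupdate.microsoft.com", "download.yahoo.com",
}

# Stand-in for the disk so the example runs offline: zlclient.exe and
# Bias drive.exe are present, lml.exe has already been deleted by the user.
PRESENT_FILES = {
    r"C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe",
    r"C:\PROGRA~1\BATBUR~1\Bias drive.exe",
}

R_RE = re.compile(r"^R[01] - HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\"
                  r"(?:Main|Search),([\w ]+) = (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)")
SHORTNAME_RE = re.compile(r"\\[A-Z0-9]+~\d\\", re.IGNORECASE)


def run_target(command):
    """Executable path from an O4 Run command line (quoted, or cut after the
    first executable extension so an unquoted path with a space survives)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage(log_text, file_exists=os.path.exists):
    """Return (severity, reason, line) triples. 'fix' = an entry the advice in
    this thread would tick in HijackThis; 'review' = a weaker signal."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        # Any section: the registry still references a component that is gone.
        if line.endswith("(no file)"):
            findings.append(("fix", "registry entry points at a missing file", line))
            continue
        m = R_RE.match(line)
        if m and m.group(1) in ("SearchAssistant", "CustomizeSearch"):
            value = m.group(2)
            host = urlparse(value).hostname or ""
            if value.startswith("res://"):
                findings.append(("review", "search page served from a local DLL", line))
            elif not host.endswith((".microsoft.com", ".msn.com")):
                findings.append(("review", f"search redirected to {host}", line))
            continue
        m = O4_RE.match(line)
        if m:
            _hive, label, command = m.groups()
            target = run_target(command)
            # The Run value outlives the file, which is why a program deleted
            # earlier still shows up in the log until the entry is fixed.
            if not file_exists(target):
                findings.append(("fix", f"Run entry [{label}] starts {target}, which no longer exists", line))
            continue
        m = O16_RE.match(line)
        if m:
            _guid, name, url = m.groups()
            host = urlparse(url).hostname or ""
            reasons = []
            if host not in TRUSTED_DPF_HOSTS:
                reasons.append(f"host {host} not in allowlist")
            if not name:
                reasons.append("control has no registered name")
            if url.lower().endswith(".exe"):
                reasons.append("DPF fetches an .exe rather than a .cab")
            if reasons:
                findings.append(("fix", "; ".join(reasons), line))
            continue
        # Weak signal: an unnamed BHO/toolbar living in an 8.3 short-name folder.
        if (line.startswith(("O2 - BHO: (no name)", "O3 - Toolbar: (no name)"))
                and SHORTNAME_RE.search(line)):
            findings.append(("review", "unnamed browser extension in short-name folder", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG, PRESENT_FILES.__contains__):
        print(f"[{severity:6}] {reason}\n         {line}")
```

On the affected machine itself, call `triage(open("hijackthis.log").read())` so the default `os.path.exists` checks the real disk. The script only catches structural signals; an entry such as `[DATE ANTI] ... Bias drive.exe`, whose file exists and whose label gives nothing away, remains a judgement call for the person reading the log, exactly as in the thread.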
 
Hi Pieter,

Yesterday, right when for some reason I could not reach helpmij all evening, I got one of those irritating start pages. "Search for...", I believe. I have now compared my new log with the one you recently checked for me and deleted whatever was not in it last time, more or less. The page is gone for now. Can you see whether it is safe again?

PS: Windows Media Player 9 asked my firewall for access to the internet. When I clicked yes, I got this (attached) virus alert. I assume this was the cause of the start page? By the way, my media player no longer worked after the fix.

Regards, Poekie


Logfile of HijackThis v1.97.7
Scan saved at 9:07:18, on 6-5-2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\loadqm.exe
C:\WINNT\TPPALDR.EXE
C:\WINNT\tppnttry.exe
C:\WINNT\Mixer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
D:\Exe downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by7fd.bay7.hotmail.msn.com/c...m___cacheh=1&hm___fl=attrd&domain=hotmail.com (obfuscated)
O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

:thumb: :thumb:
 

Attachment: virus.jpg (40.8 KB)