Helpmij tegen spyware offensief (deel 4)

[Pimzoektbaasje]

wind ????

Hallo Olav,

ik heb geen idee wat wind.exe is

maar in ieder geval bedankt voor je reactie op mijn hijacklog.

groetjes Pim

 

[mverlaan]

Hoy,

Ik heb gescand met adaware en veel registervermeldingen verwijderd, maar omdat de computer met WinXP home toch nog wat langzamer is als dat ik gewend ben, even een Hijackthis logje. Heeft iemand mischien tijd?

bedankt al vast.

Logfile of HijackThis v1.97.7
Scan saved at 9:24:57, on 14-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\pbxxto.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20E1F252-885F-424D-952A-174B443C240F} - C:\WINDOWS\fwbzwsmf.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ongebuh] C:\WINDOWS\pbxxto.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O8 - Extra context menu item: Zoeken met Google - C:\WINDOWS\WEB\google.htm
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38080.0460763889
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/serialzip.cab

 

[sephiroth]

Hieronder vind je de log file van hijack. na scan & clean met spybot 1.3 Kan je me ALLE onodige stuff aanduiden aub ?

Telkens als ik mijn pc opstart of herstart krijg ik een melding "gelieve cd2 met setup.exe in te steken". Ik kan dit annuleren maar het komt steeds terug. Blijkbaar heb ik ooit een installatie niet afgemaakt. Nu, weet er iemand hoe ik dit vervelend probleem kan oplossen ? In bijlage vinden jullie jpg van "opstarten" in MSCONFIG.
- - - -
TX ³
- - - -

Logfile of HijackThis v1.97.7
Scan saved at 11:31:43, on 14/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\adiras.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jan VDH\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about :blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Corel Print Office 2000] "C:\WINDOWS\COREL\StpLnch.exe" /setup="E:" /rspfile="C:\WINDOWS\Corel\Corel Print Office 2000\5\RECOVERY.CSW" /g+ /close /df="setup\projectnl.csw, setup\compnl.csw" /LANG=NL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8119.2806134259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab

 

[Jan van Asseldonk]

Hoi Pieter,

het heeft even geduurd maar hierbij de gegevens die verzameld zijn met findall.

Inhoud output.txt:
--===**'FIND-ALL' VERSION 3, 5/11**===--


Thu May 13 20:06:36 2004 -- Results:
*System Info:

Microsoft Windows XP [versie 5.1.2600]
C: "BOOT" (1862:BAB3) - FS:NTFS clusters:4k
Total: 60 011 610 112 [56G] - Free: 39 565 180 928 [37G]


Locked or 'Suspect' file(s) found...


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41353F8B-78CE-48A5-BE44-153ED293D192}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{A4129BE3-6879-4B48-84B7-E7D0A9FE8ABB}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{A4129BE3-6879-4B48-84B7-E7D0A9FE8ABB}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

application/octet-stream
{1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\System32\mscoree.dll

application/x-complus
{1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\System32\mscoree.dll

application/x-msdownload
{1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\System32\mscoree.dll

Class Install Handler
{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}
C:\WINDOWS\system32\urlmon.dll

deflate
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

gzip
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

lzdhtml
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

text/html
{A4129BE3-6879-4B48-84B7-E7D0A9FE8ABB}
C:\WINDOWS\mrhop.dll

text/plain
{A4129BE3-6879-4B48-84B7-E7D0A9FE8ABB}
C:\WINDOWS\mrhop.dll

text/webviewhtml
{733AC4CB-F1A4-11d0-B951-00A0C90312E1}
%SystemRoot%\system32\SHELL32.dll

{5EAED05E-8FE1-47F8-9705-49917CE1C163} C:\WINDOWS\mrhop.dll
{5F1AEEC0-6DE3-4C39-A05B-D07E3FAEC3EC} C:\WINDOWS\mrhop.dll
{799C50F5-C256-403C-B8AE-607F526FEC78} C:\WINDOWS\mrhop.dll
{8BA43E36-41DD-471F-A9A6-572FB5A33D07} C:\WINDOWS\mrhop.dll
{A4129BE3-6879-4B48-84B7-E7D0A9FE8ABB} C:\WINDOWS\mrhop.dll
{AF54283B-69E6-4A5D-96AD-F08701A22313} C:\WINDOWS\mrhop.dll
{D39B4C9B-FC38-47F4-A40E-A6002E103E62} C:\WINDOWS\mrhop.dll
{5EAED05E-8FE1-47F8-9705-49917CE1C163} C:\WINDOWS\mrhop.dll
{5F1AEEC0-6DE3-4C39-A05B-D07E3FAEC3EC} C:\WINDOWS\mrhop.dll
{799C50F5-C256-403C-B8AE-607F526FEC78} C:\WINDOWS\mrhop.dll
{8BA43E36-41DD-471F-A9A6-572FB5A33D07} C:\WINDOWS\mrhop.dll
{A4129BE3-6879-4B48-84B7-E7D0A9FE8ABB} C:\WINDOWS\mrhop.dll
{AF54283B-69E6-4A5D-96AD-F08701A22313} C:\WINDOWS\mrhop.dll
{D39B4C9B-FC38-47F4-A40E-A6002E103E62} C:\WINDOWS\mrhop.dll
*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read INGEBOUWD\Gebruikers
(ID-IO) ALLOW Read INGEBOUWD\Gebruikers
(ID-NI) ALLOW Full access INGEBOUWD\Administrators
(ID-IO) ALLOW Full access INGEBOUWD\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access MAKER EIGENAAR

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read INGEBOUWD\Gebruikers
Full access INGEBOUWD\Administrators
Full access NT AUTHORITY\SYSTEM




Volgens softspy kunnen de mappen KONTIKI en COOLWEB verwijderd worden, maar deze laten zich niet verwijderen.
Na de vorige acties kunnen we wel weer via google zoeken maar als we startpagina.nl gebruiken komt er steeds een popup met een melding dat internet explorer beschadigd is en geeft deze een runtime error, waarna automatisch een debugger opstart met de vraag of er een poging gedaan moet worden om IE te repareren. Tot op heden dit maar geweigerd omdat ik dit nog niet eerder heb gezien of gehoord en vermoed dat dit een poging is van spyware om zich zo toch weer te installeren.

Tijdens het draaien van Findall is er ook een windows.txt aangemaakt. Moet je die ook nog hebben?

Alvast weer bedankt.

 

[EPO]

Ok buffy heeft me overgehaald, ik probeer het nog 1 keer hier:

Logfile of HijackThis v1.97.7
Scan saved at 12:48:40, on 11-5-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Dani\Software\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Deze searchpage is al vaker gepost maar ik heb al alles geprobeerd maar het gaat niet weg

Eerst Ad-aware (nieuwste) gedraait, die haalde wat weg.

Toen hijackthis en heb overal waar searchpage stond een vinkje gezet en daar laten fixxen.

En als laatst cwshredder, maar die vindt helemaal niks.

Maar het helpt allemaal geen kloot, steeds komt het weer terug . Wat moet ik doen!!!!! Staat er ergens een file op me pc die steeds weer iets in me reg zet? Me norton antivirus vind ook niks

 

[kidshome]

Hallo,
Dit keer een log van een andere computer, wil iemand hem nakijken.....alvast bedanktLogfile of HijackThis v1.97.7
Scan saved at 14:54:22, on 13-5-2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\nvc\bin\Zanda.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WService.EXE
C:\Program Files\WinPortrait\wpctrl.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\HP CD-Writer\DirectCD\DIRECTCD.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\internat.exe
C:\cdfoon\cdftray.exe
C:\Pvsw\Bin\W3dbsmgr.exe
C:\Program Files\WinPortrait\floater.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\yvonne\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = nov
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citydisc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.10.10:01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [DirectCD] "C:\Program Files\HP CD-Writer\DirectCD\DIRECTCD.EXE"
O4 - HKLM\..\Run: [WDS_Update] L:\YVONNE\Update.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [CDFoon System-Tray] C:\cdfoon\cdftray.exe
O4 - Startup: copyiwz.lnk = ?
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe
O4 - Global User Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RealGuide (HKLM)
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.nl
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.nl
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4359/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pepeparts.nl
O17 - HKLM\System\CCS\Services\Tcpip\..\{279F4D05-30C1-4C1A-8224-99D31527632A}: NameServer = 192.168.2.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{92563E21-3DDB-4C9E-AAE9-2CD5F861F247}: NameServer = 192.168.2.231
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pepeparts.nl
O17 - HKLM\System\CS1\Services\Tcpip\..\{279F4D05-30C1-4C1A-8224-99D31527632A}: NameServer = 192.168.2.231
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pepeparts.nl
O17 - HKLM\System\CS2\Services\Tcpip\..\{279F4D05-30C1-4C1A-8224-99D31527632A}: NameServer = 192.168.2.231

 

[Pieter Arntz]

Re: opnieuw

Geplaatst door Marion60

O2 - BHO: (no name) - {CCA342DD-A42C-4304-9880-1DEEE7956206} - C:\WINDOWS\kbiur.dll

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

O4 - HKLM\..\Run: [qsgda] C:\WINDOWS\wfndd.exe
O4 - HKLM\..\Run: [sehamjmgj] C:\WINDOWS\aqslou.exe

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/serialzip.cab

Hoi Marion60,

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan opnieuw op in veilige modus en verwijder:
C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\WINDOWS\wfndd.exe
C:\WINDOWS\aqslou.exe

Een computer die je ook voor bankzaken gebruikt kan een wat beter beveiliging gebruiken:
http://home.planet.nl/~kleyn080/Spywareinfonl.html#voorkomen

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door Drankbak


PC genaamd NOZZ


O11 - Options group: [TOEGANKELIJKHEID] Toegankelijkheid


PC genaamd TIDNAB


O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe

O11 - Options group: [TOEGANKELIJKHEID] Toegankelijkheid

O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB


PC genaamd WOLF


O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe

O11 - Options group: [TOEGANKELIJKHEID] Toegankelijkheid

Hoi Drankbak,

Bovenstaande nog even (laten) fixen en dan lijkt het me klaar.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door Olav


Ares kon duiden op een worm, ik kwam hem tegen via Google en bij Symantec, maar nu na verder lezen, lijkt hij minder schadelijk dan hij in eerste instantie leek. Laat hem voor nu maar even staan. Als je alsnog problemen ondervindt kunnen we hem later alsnog verwijderen :thumb:

Olav

Overigens ben je niks kwijt als je een O4 regel laat fixen. Het programma start alleen niet meer automatisch op meteen als Windows opstart.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door mverlaan

O2 - BHO: (no name) - {20E1F252-885F-424D-952A-174B443C240F} - C:\WINDOWS\fwbzwsmf.dll

O4 - HKLM\..\Run: [ongebuh] C:\WINDOWS\pbxxto.exe

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/serialzip.cab

Hoi mverlaan,

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan opnieuw op in veilige modus en verwijder:
C:\WINDOWS\pbxxto.exe

Dat zou flink moeten schelen.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door sephiroth

O4 - HKLM\..\Run: [Corel Print Office 2000] "C:\WINDOWS\COREL\StpLnch.exe" /setup="E:" /rspfile="C:\WINDOWS\Corel\Corel Print Office 2000\5\RECOVERY.CSW" /g+ /close /df="setup\projectnl.csw, setup\compnl.csw" /LANG=NL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe ***

Hoi sephiroth,

*** is overbodig

Die ander is denk ik degene die om de CD vraagt.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door Jan van Asseldonk


Tijdens het draaien van Findall is er ook een windows.txt aangemaakt. Moet je die ook nog hebben?

Ja, helaas heb ik die wel nodig.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door kidshome


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = nov

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/

O4 - HKLM\..\Run: [WDS_Update] L:\YVONNE\Update.EXE

Hoi kidshome,

Unzip hijackthis.exe eerst naar een aparte map. Het programma maakt backups in de map waar de .exe zich bevindt. In een Temp map verdwijnen die nogal gemakkelijk.

Vink de bovenstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan opnieuw op.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door EPO

Maar het helpt allemaal geen kloot, steeds komt het weer terug . Wat moet ik doen!!!!! Staat er ergens een file op me pc die steeds weer iets in me reg zet? Me norton antivirus vind ook niks

Kun en wil je Windows updaten of niet?

Groetjes,

Pieter

 

[Jan van Asseldonk]

Hoi Pieter,

hierbij de windows.txt die findall aanmaakte.
Vanwege de 'rare' bestandsinhoud heb ik het bestand toegevoegd i.p.v. de inhoud te plakken.

 

[TorukMakto]

Hoi Pieter.

Een log van mijn schoonbroer. Wat kan weg?

Gescant met Ad-aware.
Logfile of HijackThis v1.97.7
Scan saved at 13:38:08, on 14-5-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\ATOMBEEP\COALTHUNK.EXE
C:\WINDOWS\SYSTEM\SHDINIT.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiKey] atiptkad.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [matheggs] C:\PROGRA~1\AtomBeep\coalthunk.exe
O4 - HKLM\..\Run: [pF2h36R] SHDINIT.EXE
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\Eset\nod32krn.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38121.0884027778

 

[mverlaan]

Hoi Pieter,

De items zijn verwijderd en het loopt weer als een zonnetje.

Bedankt weer.

 

[Nemor]

Geplaatst door Pieter Arntz


Nee, dat is niet erg. FASTOOZE.dll was waarschijnlijk al door HijackThis verwijderd.

Groetjes,

Pieter

Dan wil ik je hartstikke bedanken voor je hulp:thumb: :thumb: :thumb: :thumb: :thumb: :thumb: :

 

[mack11]

gehijackt

Logfile of HijackThis v1.97.7
Scan saved at 16:59:35, on 14-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\FILEOB~1\windowsecond.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\DOCUME~1\mike\LOCALS~1\Temp\bwgo000090c6.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\mike\Mijn documenten\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: pJ,
pJ,
ˆ·,
ˆ·,
˜
,
˜
,
°v,
°v,
¨
,
¨
,
å,
å,
¸
,
¸
,
À
,
À
,
È
,
È
,
Ð
,
Ð
,
Ø
,
Ø
,
à
,
à
,
è
,
è
,
ð
,
ð
,
ø
,
ø
,
ˆ,
,
,
˜,
˜,
 ,
 ,
¨,
¨,
°,
°,
è,
è,
À,
À,
È,
È,
Ð,
Ð,
Ø,
Ø,
à,
à,
è,
è,
ð,
ð,
ø,
ø,

O1 - Hosts:
,
˜,
˜,
 ,
 ,
¨,
¨,
°,
°,
¸,
¸,
À,
À,
È,
È,
Ð,
Ð,
Ø,
Ø,
à,
à,
è,
è,
ð,
ð,
ø,
ø,

O1 - Hosts: pJ!
pJ!
xU!
xU!
˜
!
˜
!
˜V!
˜V!
0ì!
0ì!
°
!
°
!
¸
!
¸
!
À
!
À
!
È
!
È
!
Ð
!
Ð
!
Ø
!
Ø
!
à
!
à
!
è
!
è
!
ð
!
ð
!
ø
!
ø
!
ˆ!
!
!
˜!
˜!
 !
 !
¨!
¨!
°!
°!
¸!
¸!
À!
À!
È!
È!
Ð!
Ð!
Ø!
Ø!
à!
à!
è!
è!
ð!
ð!
ø!
ø!

O1 - Hosts: !
˜!
˜!
 !
 !
¨!
¨!
°!
°!
¸!
¸!
À!
À!
È!
È!
Ð!
Ð!
Ø!
Ø!
à!
à!
è!
è!
ð!
ð!
ø!
ø!

O1 - Hosts: pJ$
pJ$
8Œ$
øä$
˜
$
˜
$
hU$
hU$
Øÿ$
Øÿ$
°
$
°
$
¸
$
¸
$
À
$
À
$
@â$
ˆ$
$
$
˜$
˜$
 $
 $
¨$
¨$
°$
°$
¸$
¸$
À$
À$
È$
È$
Ð$
Ð$
Ø$
Ø$
à$
à$
è$
è$
ð$
ð$
ø$
ø$

O1 - Hosts: $
˜$
˜$
 $
 $
¨$
¨$
°$
°$
¸$
¸$
À$
À$
È$
È$
Ð$
Ð$
Ø$
Ø$
à$
à$
è$
è$
ð$
ð$
ø$
ø$

O1 - Hosts: pJ,
pJ,

,

,
˜
,
˜
,
ðN,
ðN,
¨
,
¨
,
°
,
°
,
¸
,
¸
,
å,
å,
À7,
À7,
Ð
,
Ð
,
Ø
,
Ø
,
èŒ,
èŒ,
è
,
è
,
ð
,
ð
,
ø
,
ø
,
ˆ,
,
,
˜,
˜,
 ,
 ,
¨,
¨,
°,
°,
¸,
¸,
À,
À,
È,
È,
Ð,
Ð,
Ø,
Ø,
à,
à,
è,
è,
ð,
ð,
ø,
ø,

O1 - Hosts: www.look2me1.com
O1 - Hosts: @
x

www.look2me2.com
O1 - Hosts: B
x

www.look2me3.com
O1 - Hosts: 8D
x

www.look2me4.com
O1 - Hosts: www.look2me5.com
O1 - Hosts: pJ
pJ




˜

˜

 

 

¨

¨

°

°

¸

¸

À

À

È

È

Ð

Ð

Ø

Ø

à

à

è

è

ð

ð

ø

ø

ˆ


˜
˜
 
 
¨
¨
°
°
¸
¸
À
À
È
È
Ð
Ð
Ø
Ø
à
à
è
è
ð
ð
ø
ø

O1 - Hosts: 
˜
˜
 
 
¨
¨
°
°
¸
¸
À
À
È
È
Ð
Ð
Ø
Ø
à
à
è
è
ð
ð
ø
ø

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: Planremotethat - {E9F8A2B0-47ED-D639-54CF-AE921008FBFC} - C:\PROGRA~1\chinmeal\Tons proc.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\nl\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [BORE LICENSE] C:\PROGRA~1\FILEOB~1\windowsecond.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Easy-PrintToolBox.lnk = C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE
O4 - Global Startup: GStartup.lnk = C:\RECYCLER\NPROTECT\00310440.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Toevoegen aan Mobiele favorieten (HKLM)
O9 - Extra 'Tools' menuitem: Toevoegen aan Mobiele favorieten... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1E5592CB-8F5B-46F8-9EA6-65C01213808A} (InstaladorBetyByte Control) - http://www.cocacola.es/uploads/cab/instaladorbetybyte.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.97.139.7:1256/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab





pleace help mij.
ik word gek van die hijackers.

b.v.d. mack11

 

[G.I. Jane]

Logfile Hijack This

De volgende log op de computer van mijn oom en tante:

Logfile of HijackThis v1.97.7
Scan saved at 17:04:07, on 14.05.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\DJSNETCN.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Classic PhoneTools\CapFax.EXE
C:\Programme\Medion\PowerCinema\My_TV\Agent.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\t-online\BSW4\ISDN SpeedManager\Tomcat.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\DitExp.exe
C:\Programme\OpenOffice.org1.0.3\program\soffice.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\T-ONLINE\BSW4\ToDuCAlC.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Dokumente und Einstellungen\Robby\Eigene Dateien\Spyware logs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CapFax] C:\Programme\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Agent] C:\Programme\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KAZAA] C:\Programme\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ISDN SpeedManager] "C:\t-online\BSW4\ISDN SpeedManager\Tomcat.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [skynetave.exe] C:\WINDOWS\skynetave.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Programme\Gemeinsame Dateien\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [AOLMIcon] C:\Programme\Gemeinsame Dateien\AOLSHARE\AOLMIcon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Programme\OpenOffice.org1.0.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.de
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/dribnif/de/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9FE4C71-188A-4FE4-8DCB-02698C40176D}: NameServer = 217.237.150.97 194.25.2.129

Alvast weer bedankt!!!

G.I. Jane