Helpmij against spyware offensive (part 5)

Status
Not open for further replies.
Posted by Pieter Arntz


Aha, so there are two of them.
Then you'll have to be quick. I strongly suspect this one of being the other one:

C:\WINDOWS\System32\intdrv.exe

Just see whether you manage to get both processes stopped. If not, let me know. Then we'll intervene more drastically.

Regards,

Pieter

More drastically? Oh dear, that sounds bad, you don't mean FORMATTING, do you?! :( :( :(
 
Posted by Systemizer X100


More drastically? Oh dear, that sounds bad, you don't mean FORMATTING, do you?! :( :( :(

Not that drastic yet. So it didn't work?
Do you have a Windows CD?

Regards,

Pieter
 
My internet connection keeps dropping, and I have the feeling that QuickTime is always started in the background, because it always comes back in msconfig. The programs did not find any spyware; maybe there are still some unwanted things in here that can be found this way?

Logfile of HijackThis v1.97.7
Scan saved at 16:57:53, on 5-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\ATI-CPanel\atiptaxx.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\phpdev\Apache\Apache.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\phpdev\Apache\Apache.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Kazaa Lite Resurrection\kazaalite.kpp
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xbw.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
 
Posted by Pieter Arntz


Not that drastic yet. So it didn't work?
Do you have a Windows CD?

Regards,

Pieter

No, it's at my father's. But could you explain it anyway?
 
logfile

Hans,

Forgive me, I'm a bit impatient.

Regards, patrick


Logfile of HijackThis v1.97.7
Scan saved at 16:50:37, on 5-6-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\iexpIore.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\iexpIore.exe
C:\Program Files\eMule\emule.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\patrick meerkerk\Mijn documenten\Mijn ontvangen bestanden\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6F6BBAEF-29CB-4389-B651-F4618FA7F37F} - C:\WINDOWS\System32\eikmila.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [WinProfile] iexpIore.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\RunServices: [WinProfile] iexpIore.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C624EFAC-F20A-4576-B831-814EB4830E32}: NameServer = 62.58.50.5 62.58.50.6
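The logs in this thread show the patterns a helper scans for by eye: a process whose name imitates a system binary with a look-alike character (iexpIore.exe with a capital I, started from System32 and from a Run and RunServices key), IE search pages redirected into a res:// resource inside a DLL in System32, an unnamed BHO from that same DLL, a wall of hosts-file overrides, and a NameServer entry to check against the ISP's. The script below is an added editorial example, not code from the forum or from HijackThis; it parses HijackThis log lines plus the "File association entry" sections of a StartupList report (as posted later in the thread) and returns findings. The known-good name list, the expected directory for iexplore.exe, and the confusable-character map are assumptions chosen for illustration, and the sample log is constructed from lines modelled on this thread plus one hypothetical tampered .COM handler.

```python
"""Triage a HijackThis / StartupList log for the entry kinds flagged in the
thread above.  Added editorial example; not code from the forum or from HijackThis."""
import re

# Names malware imitates with look-alike characters (assumption: illustrative list).
KNOWN_GOOD = {"iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe",
              "services.exe", "winlogon.exe", "csrss.exe", "rundll32.exe"}
# Directory the genuine binary lives in (iexplore.exe is never in System32).
EXPECTED_DIR = {"iexplore.exe": r"c:\program files\internet explorer"}
# Capital I, digit 1 and digit 0 are the usual stand-ins for l and o.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})
# Shell handlers that must stay untouched, or every launched program gets wrapped.
PROGRAM_EXTS, GOOD_HANDLER = {"EXE", "COM", "BAT", "PIF"}, '"%1" %*'


def lookalike(name):
    """Return the genuine name that `name` imitates, or None if it is genuine."""
    if name.lower() in KNOWN_GOOD:
        return None
    folded = name.translate(CONFUSABLES).lower()
    return folded if folded in KNOWN_GOOD else None


def command_target(cmd):
    """First token of an O4 command: a quoted path, or the text before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of (severity, message) findings for one log."""
    findings, hosts, pending_ext = [], 0, None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if re.match(r"^[A-Za-z]:\\", line):                          # running process
            base = line.rsplit("\\", 1)[-1]
            real, want = lookalike(base), EXPECTED_DIR.get(base.lower())
            if real:
                findings.append(("HIGH", f"process {line} imitates {real}"))
            elif want and not line.lower().startswith(want):
                findings.append(("HIGH", f"process {line} runs outside {want}"))
            continue
        m = re.match(r"^R[0-3] - (.+?),(.+?) = (.*)$", line)           # IE start/search pages
        if m and m.group(3).lower().startswith("res://") and "system32" in m.group(3).lower():
            findings.append(("HIGH", f"{m.group(2)} hijacked via {m.group(3)}"))
            continue
        if line.startswith("O1 - Hosts:"):                             # hosts-file overrides
            hosts += 1
            continue
        m = re.match(r"^O2 - BHO: (.+?) - \{[^}]+\} - (.*)$", line)    # browser helper objects
        if m and m.group(1) == "(no name)" and "\\system32\\" in m.group(2).lower():
            findings.append(("REVIEW", f"unnamed BHO loaded from System32: {m.group(2)}"))
            continue
        m = re.match(r"^O4 - (.+?): \[([^\]]+)\] (.*)$", line)         # registry autoruns
        if m:
            target = command_target(m.group(3))
            real = lookalike(target.rsplit("\\", 1)[-1])
            if real:
                findings.append(("HIGH", f"autorun {m.group(1)} [{m.group(2)}] starts {target}, which imitates {real}"))
            elif "\\" not in target:
                findings.append(("INFO", f"autorun [{m.group(2)}] uses bare name {target}; verify where it resolves"))
            continue
        m = re.match(r"^O17 - .*NameServer = (.*)$", line)             # DNS servers
        if m:
            findings.append(("REVIEW", f"DNS servers set to {m.group(1)}; confirm they are the ISP's"))
            continue
        m = re.match(r"^File association entry for \.(\w+):$", line)   # StartupList section
        if m:
            pending_ext = m.group(1).upper()
            continue
        m = re.match(r"^\(Default\) = (.*)$", line)
        if m and pending_ext:
            if pending_ext in PROGRAM_EXTS and m.group(1) != GOOD_HANDLER:
                findings.append(("HIGH", f".{pending_ext} handler replaced: {m.group(1)}"))
            pending_ext = None
    if hosts:
        findings.append(("REVIEW", f"{hosts} hosts-file override(s); inspect the hosts file"))
    return findings


# Constructed sample: lines modelled on the logs in this thread, plus one
# hypothetical tampered .COM handler to exercise that check.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\iexpIore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>
O2 - BHO: (no name) - {6F6BBAEF-29CB-4389-B651-F4618FA7F37F} - C:\WINDOWS\System32\eikmila.dll
O4 - HKLM\..\Run: [WinProfile] iexpIore.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [WinProfile] iexpIore.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{C624EFAC-F20A-4576-B831-814EB4830E32}: NameServer = 62.58.50.5 62.58.50.6
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\hypothetical_hook.exe "%1" %*
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"{severity:6} {message}")
```

The look-alike check folds confusable characters before comparing, so a genuine iexplore.exe (in any letter case) is never flagged while iexpIore.exe is, and a correctly spelled iexplore.exe running from System32 is still caught by the directory check. Bare names in O4 entries are reported at INFO level only, because legitimate entries such as SOUNDMAN.EXE use them too; the point is to verify where the name resolves, not to delete it on sight.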
 
Hans,

Forgive me, I'm a bit impatient.

Regards, patrick

Doesn't matter, the log is there :thumb:

I can understand it, because your log isn't completely clean :( but once Pieter has stopped by it'll be clean :D
 
Can someone explain to me why lrdsvr.exe is suspected? What kind of file is it? And what kind of file is intdrv.exe then, if it is also suspected?
 
My Computer and Network Neighborhood no longer work when I click their icons. Maybe you'll find something in my HijackThis logfile? Thanks in advance for your reply. Other tips are welcome too! I'm also attaching my startup list.

Logfile of HijackThis v1.97.7
Scan saved at 0:00:08, on 2-6-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.nl/0SENLNL/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deeppurple.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Het Net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: Core Library - {F281FFC7-6C63-4bf9-83F2-AB7A6157B109} - C:\WINDOWS\SYSTEM\KDP3313.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.4226273148
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - http://www.advnt01.com/dialer/olanda_ver3.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 127.0.0.1,195.121.1.34,195.121.1.66

the startup list:
StartupList report, 1-6-04, 23:42:43
StartupList version: 1.52
Started from : C:\PROGRAM FILES\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programma's\Opstarten]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfldrs.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{44BBA844-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\CChat25.inf,PerUserAdd

[{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fpxpress.inf,PerUserstub

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub

[Theme_Windows_PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 C:\WINDOWS\INF\themes.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf

[PerUser_DCC_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Onlinelnks_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_netwatch_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 1/6/2004, 23:28:6)

[rename]
C:\WINDOWS\SYSTEM\IoSubSys\SmartVSD.VxD=C:\WINDOWS\SYSTEM\SmartVSD.VxD

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 1/6/2004, 22:50:58)

[Rename]
NUL=c:\windows\temp\autoupdate0\setup.inf
NUL=c:\windows\system\auto_update_uninstall.log
NUL=c:\windows\system\auto_update_uninstall.exe
NUL=c:\windows\coder\_1-kli-1-0-.exe
NUL=c:\windows\downloaded program files\ieloader.dll
NUL=c:\windows\gatoruninstaller_cme_u.log
NUL=c:\windows\gatorpdpsetup.log
NUL=c:\windows\gatoruninstaller_cme.log
NUL=c:\windows\ndnuninstall5_40.exe
NUL=c:\windows\newdotnet3_36.dll
NUL=c:\windows\temp\cd_clint.dll
NUL=c:\windows\temp\rem3313.exe
NUL=c:\windows\temp\autoupdate0\auto_update_install.exe
NUL=c:\windows\inf\nsupd9x.inf
NUL=c:\windows\system\ru.exe
NUL=c:\windows\system\bdeinstallprogress3.dll
NUL=c:\windows\system\bdeinstallman3.exe
NUL=c:\windows\system\bdeinsta3.dll
NUL=c:\windows\system\bdeinsta25.dll
NUL=c:\windows\ru.exe
NUL=c:\windows\downloaded program files\ieloader.dll
NUL=c:\windows\downloaded program files\dialxs.ocx
NUL=c:\windows\downloaded program files\conflict.1\dialxs.ocx
NUL=c:\program files\ford coal\curbidol.dll

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb us,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------

C:\CONFIG.SYS listing:

device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
Country=031,850,C:\WINDOWS\COMMAND\country.sys

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

*File not found*

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registereditor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
myBar BHO - (no file) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC}
Core Library - C:\WINDOWS\SYSTEM\KDP3313.DLL - {F281FFC7-6C63-4bf9-83F2-AB7A6157B109}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.4226273148

[Downloader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\DWNLDR.DLL
CODEBASE = https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

[ChainCast VMR Client Proxy]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CCPM_0237.DLL
CODEBASE = http://64.124.45.181/downloads/ccpm_0237.cab

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PLAY365.DLL
CODEBASE = http://www.live365.com/players/play365.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MESSENGERSTATSCLIENT.DLL
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MINESWEEPER.DLL
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab

[Checkers Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSGRCHKR.DLL
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SOLITAIRESHOWDOWN.DLL
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

[{841A9192-5690-11D4-A258-0040954A01BE}]
CODEBASE = http://dialxs.nl/install/dialxs.ocx

[VacPro.olanda_ver3]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OLANDA_VER3.OCX
CODEBASE = http://www.advnt01.com/dialer/olanda_ver3.CAB

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
LWBMOUSE: chimouse.vxd
LWBHMVXD: lwbhmvxd.vxd
NDISWAN: ndiswan.vxd
VSERVER: (no file)
COMBUFF: *COMBUFF
SYMTDI: SYMTDI.VXD
WANATM: (no file)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 35.494 bytes
Report generated in 3,397 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Posted by [2k]

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime ***

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe ***

O9 - Extra button: Sidesearch (HKLM)

Hi [2k],

*** are not spyware, but they are unnecessary and can affect your internet connection.

Tick the items above, close all windows except HijackThis and click Fix checked.

Then reboot.

Regards,

Pieter
 
Re: logfile

Posted by patrick76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\eikmila.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: <YOUR IP> <HOST TO CHANGE>

O2 - BHO: (no name) - {6F6BBAEF-29CB-4389-B651-F4618FA7F37F} - C:\WINDOWS\System32\eikmila.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [WinProfile] iexpIore.exe

Hi patrick 76,

Update Windows and IE and read:
http://www.helpmij.nl/forum/showthread.php?threadid=162413

On top of that you still have something like a trojan or virus.

We'll look at that later.

Regards,

Pieter
 
Posted by Big Andrew
My Computer and Network Neighborhood no longer work when I click the icons. Maybe you'll find something in my HijackThis logfile? Thanks in advance for your reply. Other tips are welcome too!

Sure. Go ahead and post the log. ;)

Pieter
 
Posted by Systemizer X100
Can someone explain to me why lrdsvr.exe is suspected? What kind of file is it? And what kind of file is intdrv.exe then, if it is also suspected?

Ever heard of Google?

Regards,

Pieter
 
Pieter, can you take a look at this log:

Logfile of HijackThis v1.97.7
Scan saved at 21:40:09, on 4-6-2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PC BOOSTER\PCBOOSTER.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\INSTALL FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\PROGRAM FILES\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {CF70EA41-AA8F-1F77-AC6A-2F5823DE8382} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\PC Booster\pcbooster.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - HKCU\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/22/028/nl.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx


from an acquaintance. Unnecessary startup items may also be mentioned
:)
 
Posted by Pieter Arntz


Have a look here:
http://support.microsoft.com/default.aspx?scid=kb;NL;307654

You should use that to delete those two files.

Regards,

Pieter

Okay, so this is about the WinXP Recovery Console. I'm not very familiar with it, but looking at it I think this is what I need to do.

First go to the system32 directory of Windows and then delete the 2 files. They look like DOS commands.
But if I delete them from the hard disk they will still be called by Windows, and that will surely give a few errors because those two programs are started every time. Should I fix them via HijackThis first?

Ever heard of Google?

Regards,

Pieter

:o oh yes
 
Posted by H@NsiePanzzzer

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\PROGRAM FILES\TV MEDIA\TvmBho.dll

O2 - BHO: (no name) - {CF70EA41-AA8F-1F77-AC6A-2F5823DE8382} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE

O4 - HKCU\..\RunServices: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE

O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/22/028/nl.exe

Hi H@NsiePanzzzer,

Tick the entries above, close all windows except HijackThis and click Fix checked.

Then reboot into safe mode and delete:
C:\WINDOWS\csrss.exe
C:\PROGRAM FILES\TV MEDIA <= the whole folder
C:\WINDOWS\ALCHEM.exe

Regards,

Pieter
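The triage Pieter does by eye above can be partly automated. The script below is an added example, not code from this thread, from Helpmij or from HijackThis; it parses O4 (autostart) and O16 (ActiveX download) lines and flags the two patterns he acts on: a core Windows binary name such as csrss.exe launched from a directory other than System32, and a DPF entry that pulls a bare .exe instead of a .cab. The function names, the CORE_SYSTEM_BINARIES set and the heuristics are my own assumptions; the sample lines are constructed from the log quoted above.

```python
"""Added example (not from the thread or from HijackThis): a small triage pass
over HijackThis O4 and O16 lines that flags what a helper would look at first.
The result is a list of findings for a human to check, never an automatic fix."""
import re
from typing import List, Tuple

# Assumption: on Windows XP these names legitimately run only from %SystemRoot%\System32.
CORE_SYSTEM_BINARIES = {
    "csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}

# Shape: O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run(?:Services|Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Shape: O16 - DPF: {CLSID} (Friendly Name) - http://host/file.cab
O16_RE = re.compile(r"^O16 - DPF: (?P<desc>.*?) - (?P<url>\S+)$")


def image_path(cmd: str) -> str:
    """Extract the executable path from a Run command line."""
    cmd = cmd.strip()
    # Quoted path: everything up to the closing quote.
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted path (may contain spaces, e.g. C:\PROGRAM FILES\TV MEDIA\TVM.EXE):
    # ends at the first executable extension followed by whitespace or end of line.
    m = re.match(r"^(.*?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_line(line: str) -> List[str]:
    """Return findings for one HijackThis line; an empty list means nothing was flagged."""
    findings: List[str] = []
    m = O4_RE.match(line)
    if m:
        path = image_path(m.group("cmd"))
        parent, _, base = path.rpartition("\\")
        base = base.lower()
        # A core system binary name outside System32 is a classic masquerade.
        if base in CORE_SYSTEM_BINARIES and not parent.lower().endswith("\\system32"):
            findings.append(
                f"O4 [{m.group('name')}]: {base} started from "
                f"'{parent or '(bare name)'}' instead of System32"
            )
        return findings
    m = O16_RE.match(line)
    # A DPF entry normally installs a .cab; a raw .exe download deserves a look.
    if m and m.group("url").lower().endswith(".exe"):
        findings.append(f"O16 {m.group('desc')}: downloads a raw executable {m.group('url')}")
    return findings


def triage_log(log: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log and return only the flagged lines."""
    out: List[Tuple[str, List[str]]] = []
    for raw in log.splitlines():
        line = raw.strip()
        findings = triage_line(line)
        if findings:
            out.append((line, findings))
    return out


# Constructed sample: a few lines taken from the log quoted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/22/028/nl.exe
"""

if __name__ == "__main__":
    for flagged_line, flagged_findings in triage_log(SAMPLE_LOG):
        print(flagged_line)
        for finding in flagged_findings:
            print("   ->", finding)
```

On the sample above only the csrss.exe Run entry and the nl.exe DPF entry come out flagged; the TV Media entries are not caught by these two rules, which is exactly why such a pass only narrows the list and a person still reads the rest of the log.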
 
:thumb: Great! Thanks! There may be one more coming from another acquaintance, I'll ask whether he has it ready yet :thumb:
 
Posted by Systemizer X100

First go to the system32 directory of Windows and then delete the 2 files. They look like DOS commands.
But if I delete them from the hard disk they will still be called by Windows, and that will surely give a few errors because those two programs are started every time. Should I fix them via HijackThis first?

Fixing them with HijackThis first will have little effect, as you have already noticed. You will have to find out how intdrv.exe is started, since it does not appear in HijackThis.

As you may have read before, HijackThis does not see everything. You could also try deleting the files in safe mode, but the startup locations HijackThis does not see may be active in safe mode as well. If it takes a long time before you can get hold of the CD, it is worth a try. As is The Killbox: http://download.broadbandmedic.com/

Regards,

Pieter
 
adsl starts by itself

Hi,
Here is another log from me...
We recently set up a small network.
Now I just noticed that when I start my computer, my adsl connection is started automatically as well. Every time I cancel it, it starts over again. I have now switched off the computer upstairs and tried again, and now it seems to be gone. But everything is very slow.
I have run all the scans I have and know of.. found nothing
Logfile of HijackThis v1.97.7
Scan saved at 19:14:12, on 5-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Wanadoo ADSL verbinding.lnk = C:\Program Files\Thomson\SpeedTouch USB\stdialup.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for ôå: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.nl/
O15 - Trusted Zone: http://chat.helpmij.nl
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4FDD0CE2-5B46-4945-BD7D-E9D89B15E538} (ReVampMain Control) - http://kitcentral.wanadoo.nl/download/install/win32/nl/revamp/revamp.dll
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://virusscan.zdnet.nl/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://www.debitel.nl/shockwaveinstaller/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab

let me know
thanks
Amber
 
Posted by Pieter Arntz


Fixing them with HijackThis first will have little effect, as you have already noticed. You will have to find out how intdrv.exe is started, since it does not appear in HijackThis.

As you may have read before, HijackThis does not see everything. You could also try deleting the files in safe mode, but the startup locations HijackThis does not see may be active in safe mode as well. If it takes a long time before you can get hold of the CD, it is worth a try. As is The Killbox: http://download.broadbandmedic.com/

Regards,

Pieter

Hmmm, but if I delete the files with The Killbox or in safe mode, won't they still be called? Won't I get an error message like: Cannot find path.
And do I have to use The Killbox in safe mode, or can I do that now as well?
 