Helpmij tegen spyware offensief (deel 5)

[Pieter Arntz]

Geplaatst door ikbenjamin


Ik heb in het register dat hele CLSID-registerbestand weggehaald. Wat moet ik met deze register-bestanden? Of was het niet de bedoeling dat ik dat hele bestand weg zou halen? Ook heb ik dat in dll-fix gedaan en heb ik een scan laten doen. Maar volgens mij is nog niet alles weg. Nogmaals bedankt.

Welke CLSID registerbestand heb je weggehaald en waar heb je gelezen dat je dat moest doen.


Als het degene is waar ik bang voor ben, maak dan backups van de belangrijke bestanden voor je opnieuw opstart, want ik voel een formatje aankomen.

Groetjes,

Pieter

 

[Pieter Arntz]

Re: geplaats door adekens

Geplaatst door adekens
ik wou even zeker weten of ik nu wel weer clean ben

Ik zie geen narigheid meer. :thumb:

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door froks

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ieyww.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ieyww.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ieyww.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ieyww.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ieyww.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ieyww.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O2 - BHO: (no name) - {2067DEDB-34F7-9CC4-7353-3E1E927B32A3} - C:\WINDOWS\system32\d3ns32.dll

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [msff.exe] C:\WINDOWS\system32\msff.exe
t
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe

O4 - HKLM\..\RunOnce: [crfw.exe] C:\WINDOWS\crfw.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31175f4a1859d0b35605/netzip/RdxIE601.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Hoi froks,

Klik Start > Uitvoeren > services.msc > OK
In het scherm met services zoek je naar Network Security Service Rechtsklik en Stop deze service.
Zet hem dan ook op Uitgeschakeld.

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan opnieuw op in veilige modus en verwijder:
C:\WINDOWS\crfw.exe
C:\WINDOWS\system32\msff.exe
C:\WINDOWS\secure.html
C:\WINDOWS\ieyww.dll
C:\WINDOWS\ieyww.dat
C:\WINDOWS\System32\wnscpsv.exe

Groetjes,

Pieter

 

[Pieter Arntz]

Re: yo mario help mij pleace

Geplaatst door mack11

O16 - DPF: {1E5592CB-8F5B-46F8-9EA6-65C01213808A} (InstaladorBetyByte Control) - http://www.cocacola.es/uploads/cab/instaladorbetybyte.cab

Hoi mack11,

Schoon. :thumb:
Bovenstaande is ietwat vreemd. Als het je niets zegt zou ik die voor de zekerheid fixen.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door gr@ce

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

O2 - BHO: (no name) - {2bf0b7a0-0e53-11d8-a7fe-00024426383b} - C:\WINDOWS\APPLICATION DATA\UCHTAFSN.DLL

O2 - BHO: (no name) - {4FC49646-2F83-4A44-87D2-60F7E227E352} - C:\WINDOWS\SYSTEM\HAD.DLL

O3 - Toolbar: cqqstbrsrst - {2bf0b7a1-0e53-11d8-a7fe-00024426383b} - C:\WINDOWS\APPLICATION DATA\UCHTAFSN.DLL

Hoi gr@ce,

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan opnieuw op in veilige modus en verwijder:
C:\WINDOWS\TEMP\sp.html

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door ilias


R3 - Default URLSearchHook is missing
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O4 - HKLM\..\Run: [Sys] C:\Documents and Settings\Ilias\Bureaublad\exereplicator\NDNuninstall4_80.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab

O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/all/websetup.cab

Hoi ilias,

Kijk of je NewDotNet aka New.Net (Domains) kunt verwijderen in Configuratiescherm > Software
Ook als dat niet lukt kun je gewoon met de rest doorgaan.

Unzip hijackthis.exe eerst naar een aparte map. Het programma maakt backups in de map waar de .exe zich bevindt. In een Temp map verdwijnen die nogal gemakkelijk.

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan opnieuw op en ga naar www.housecall.nl voor een online virusscan

Groetjes,

Pieter

 

[Pieter Arntz]

Re: textbestand uit adware 6.158

Geplaatst door gjwiggers

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bnafrm.t.muxa.cc/s.php?aid=240 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bnafrm.t.muxa.cc/s.php?aid=240 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bnafrm.t.muxa.cc/h.php?aid=240 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bnafrm.t.muxa.cc/s.php?aid=240 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bnafrm.t.muxa.cc/h.php?aid=240 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bnafrm.t.muxa.cc/s.php?aid=240 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bnafrm.t.muxa.cc/s.php?aid=240 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bnafrm.t.muxa.cc/s.php?aid=240 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://all-find.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://bnafrm.t.muxa.cc/h.php?aid=240 (obfuscated)

Hoi gjwiggers,

Unzip hijackthis.exe eerst naar een aparte map. Het programma maakt backups in de map waar de .exe zich bevindt. In een Temp map verdwijnen die nogal gemakkelijk.

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download en run: CWShredder
Gebruik de Fix knop en volg de aanwijzingen van het programma op.

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door Chopper
:evil:

Helaas....ik was te vroeg. (zie eerder bericht)

Nu een half uur surfen toch weer diezelfde startpagina en pop-ups.....Stond er misschien nog meer bij wat eraf kon?

Nogmaals bedankt!

Chopper

Hoi Chopper,

Wil je even een nieuwe maken en posten?

Groetjes,

Pieter

 

[Pieter Arntz]

Geplaatst door Henkie02

O4 - HKCU\..\Run: [hostsyscrypt] C:\WINDOWS\System32\dataspool.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19f8be4b5de966b18205/netzip/RdxIE601.cab

Hoi Henkie02,

De onderste kun je laten fixen.
Dataspool.exe is mij onbekend, maar dat betekend niet automatisch dat het niet nuttig is. Misschien weet jij wel wat het is?

Groetjes,

Pieter

 

[ikbenjamin]

Geplaatst door Pieter Arntz


Welke CLSID registerbestand heb je weggehaald en waar heb je gelezen dat je dat moest doen.


Als het degene is waar ik bang voor ben, maak dan backups van de belangrijke bestanden voor je opnieuw opstart, want ik voel een formatje aankomen.

Groetjes,

Pieter

Er is niks aan de hand verder... Ik heb al een paar keer opnieuw gestart en heb geen problemen gehad. Ik denk dat ik het verkeerd had begrepen... Je had namelijk een deel van dat output.txt van mij gequote:

Geplaatst door ikbenjamin


\\?\C:\WINDOWS\System32\MSDFC.DLL +++ File read error
\\?\C:\WINDOWS\System32\MSDFC.DLL +++ File read error


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{0A5E6D6B-4D60-4336-B00B-AAA46C034C4A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{0A5E6D6B-4D60-4336-B00B-AAA46C034C4A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:

If error than registry may need to be restored from option 4.

--------------------------------------------------------------------------------


En toen dacht ik dat ik dat clsid maar weg moest halen... Mijn fout dus ... Maar ik heb nog geen problemen en alles was al gebackupped. Maar ik heb dat dll bestand wel gefixed en adaware laten draaien, maar die vindt alleen nog maar tracking cookies en geen andere dingen meer. Ik denk dus dat het is opgelost. In ieder geval toch bedankt

Grtz. Ikbenjamin

 

[Docwell]

rare google

Goedenmorgen

Elke door Google opgestarte zoekactie geeft onderstaande drie sites als default antwoorden
Hoe verwijder ik dit ?
(n.b. Google vindt ook de "normale"links, maar altijd ook deze 3)
(n.b. 2 : Adaware e.d. vinden niets : als de de Hijack logs vergelijk tussen de bewuste computer en een andere, waarop dit niet gebeurt, kan ik ook niets vinden
Vr Groeten
Jos Luneman


Find HELPMIJ on Crawler.com with Free WebSearch Tools
Click here to download WebSearch Tools and search 15 engines for HELPMIJ at once now with FREE
Pop-up Blocker, Yellow/White Pages, Free Games, Maps, Skins, Cursors and more!
http://download.websearch.com - 53k

You can find HELPMIJ right now at Info.com.
Info.com s new site gives you some of the best of the web, searching 14 of the world s top search
engines with just 1 click. Click here now to find top results for HELPMIJ
http://msxml.us.info.com/ - 43k

With Info.com search 14 engines for HELPMIJ
Info.com is a powerful meta search engine that displays fast, relevant results from 14 search engines.
Click link to show results for HELPMIJ
http://msxml.us.info.com - 43k

en hier is het Hi Jack log :
Logfile of HijackThis v1.97.7
Scan saved at 11:43:14, on 17-6-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\System32\aodrhd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.zeelandnet.nl:800
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.cyberlink.com.tw/registr...7723517E355963&Company=AMD&FName=AMD&Lang=Enu
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [tkczjjxpsie] C:\WINDOWS\System32\aodrhd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Controller.LNK = ?
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37902.0249421296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4356/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FC9C7D52-C99A-494A-AA79-4A25098F659C} (***Load Control) - http://www.casinoelegance.com/dload/***load.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

 

[Pieter Arntz]

Geplaatst door ikbenjamin

En toen dacht ik dat ik dat clsid maar weg moest halen... Mijn fout dus ... Maar ik heb nog geen problemen en alles was al gebackupped. Maar ik heb dat dll bestand wel gefixed en adaware laten draaien, maar die vindt alleen nog maar tracking cookies en geen andere dingen meer. Ik denk dus dat het is opgelost. In ieder geval toch bedankt

Poe. Je liet me schrikken.

Groetjes,

Pieter

 

[Pieter Arntz]

Re: rare google

Geplaatst door Docwell
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O4 - HKLM\..\Run: [tkczjjxpsie] C:\WINDOWS\System32\aodrhd.exe

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

O16 - DPF: {FC9C7D52-C99A-494A-AA79-4A25098F659C} (***Load Control) - http://www.casinoelegance.com/dload/***load.cab

Hoi Docwell,

Unzip hijackthis.exe eerst naar een aparte map. Het programma maakt backups in de map waar de .exe zich bevindt. In een Temp map verdwijnen die nogal gemakkelijk.

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download en run: CWShredder
Gebruik de Fix knop en volg de aanwijzingen van het programma op.

Start dan opnieuw op in veilige modus en verwijder:
C:\WINDOWS\System32\aodrhd.exe

Update Windows en IE zsm.

Groetjes,

Pieter

 

[Mariska34]

Wie wil zijn licht laten schijnen over mijn logfile? alvast bedankt!

gfile of HijackThis v1.97.3
Scan saved at 12:01:48, on 17-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\ATI-CPanel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\FSC\Wireless Wheel Mouse\MOUSE32A.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Winamp3\winampa.exe
C:\Norman\NVC\BIN\ZLH.EXE
C:\NORMAN\nvc\BIN\NYMSE.EXE
C:\NORMAN\nvc\BIN\NIP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\NORMAN\nvc\BIN\cclaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Familie\Mijn documenten\Els spyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\FSC\Wireless Wheel Mouse\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\NVC\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AdShield (HKCU)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://efreeman.demon.nl:81/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDC7C39A-C9F3-46E9-B5B8-5ECA138D246F}: NameServer = 195.121.1.34 195.121.1.66

 

[guesswho]

Hallo Heren deskundigen.

Zouden jullie hier eens naar willen kijken ivm een steeds veranderende startpagina en en vermoedelijke dailer.
Beiden blijven steeds terug komen ondanks herhaalde scans met adware.

BVD

GuessWho

Logfile of HijackThis v1.97.7
Scan saved at 11:26:25, on 17-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\sdkmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\system32\mfceg.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\System32\wtsit.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\DialerDetect\dd.exe
C:\Program Files\TurboLaunch\Tlaunch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\lavasoft\ad-aware 6\ad-aware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
F:\Server\FTP_Server\Download\Warez\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gwvxy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwvxy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwvxy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gwvxy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gwvxy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gwvxy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2F02A829-9E20-9D7B-E7E2-A516C5C5BB91} - C:\WINDOWS\sdkoc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [mfceg.exe] C:\WINDOWS\system32\mfceg.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtsit.exe
O4 - HKLM\..\RunOnce: [ievo32.exe] C:\WINDOWS\system32\ievo32.exe
O4 - Startup: Dialer Detect.lnk = C:\Program Files\DialerDetect\dd.exe
O4 - Startup: TurboLaunch.lnk = C:\Program Files\TurboLaunch\Tlaunch.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: Download Using &BitSpirit - C:\program files\bitspirit\bsurl.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN_XP.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38128.5458564815
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab

 

[Pieter Arntz]

Geplaatst door Mariska34


R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - file://C:\install.cab

Hoi Mariska34,

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan opnieuw op in veilige modus en verwijder:
C:\WINDOWS\System32\toolbar.dll

Vindt dan C:\WINDOWS\system32\drivers\etc\hosts en open het in kladblok.

Kun je de inhoud eens posten?

Als je niet meer in het toolbar menu komt, moet je ook nog even het volgende doen:

Kopieer het dikgedrukte naar kladblok en sla het op als toolbar.reg

REGEDIT4

[-HKEY_CURRENT_USER\Software\iSearch]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000

Dubbelklik er dan op en bevestig dat je het aan het register wilt toevoegen.
Bewaar het bestand want je hebt het voor elke gebruiker nodig.

Groetjes,

Pieter

 

[riksuperboy88]

ik heb last van een startpagina die niet meer te veranderen valt. Ik hoop dat je me kan helpen.



Logfile of HijackThis v1.97.7
Scan saved at 12:05:04, on 17-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {432737DC-4910-46F4-9B35-4F50EC7986A4} - C:\WINDOWS\mrhop.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://www.x0.nl/install2/dialxs.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.173912037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{44149AEC-69DF-4A29-A4CD-34894661142B}: NameServer = 194.109.6.66,194.109.9.99
O17 - HKLM\System\CS1\Services\Tcpip\..\{44149AEC-69DF-4A29-A4CD-34894661142B}: NameServer = 194.109.6.66,194.109.9.99
O17 - HKLM\System\CS2\Services\Tcpip\..\{44149AEC-69DF-4A29-A4CD-34894661142B}: NameServer = 194.109.6.66,194.109.9.99

 

[Pieter Arntz]

Geplaatst door riksuperboy88

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Rik\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {432737DC-4910-46F4-9B35-4F50EC7986A4} - C:\WINDOWS\mrhop.dll

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://www.x0.nl/install2/dialxs.ocx

Hoi riksuperboy88,

Download en installeer : http://www.diamondcs.com.au/index.php?page=apm
In het bovengedeelte selecteer je explorer.exe
In het onderste gedeelte rechtsklik je op mrhop.dll
Selecteer Unload DLL en klik OK op de prompts die je krijgt.

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download en run: CWShredder
Gebruik de Fix knop en volg de aanwijzingen van het programma op.

Start je copmputer opnieuw op en voor je IE opent:
gebruik je Schijfopruiming om al je Tijdelijke mappen leeg te maken.

Groetjes,

Pieter

 

[epse]

1 van een vriend van me:

Logfile of HijackThis v1.97.7
Scan saved at 10:51:08, on 17-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Trust\450LR Mouse Wireless Optical\Amoumain.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\xlfbuvd.exe
C:\PROGRA~1\16drv\Global remote.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Games\Mijn Docs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchweb2.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = searchweb2.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchweb2.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {C472BF33-703E-7E29-AE82-0CD10BAFF9EC} - C:\PROGRA~1\MATH32~1\part mix.dll
O2 - BHO: (no name) - {CD9CB366-4121-4698-ABD4-A2B5668C21B6} - C:\WINDOWS\dbsiychvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\nl\msntb.dll
O3 - Toolbar: flaw corn vga - {89F85052-7DEA-2ACE-D976-D0A23841F6D8} - C:\PROGRA~1\MATH32~1\part mix.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WatchDogExe] C:\Program Files\Voetbal International\WatchDog.Exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [wwnwnmcf] C:\WINDOWS\xlfbuvd.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [warn more] C:\PROGRA~1\16drv\Global remote.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1014_EN_XP.cab
O16 - DPF: {11111111-1111-1111-1111-113304981909} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://www.x0.nl/install2/dialxs.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38000.312337963
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1012_EN_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/serialzip.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab

 

[Pieter Arntz]

Geplaatst door guesswho

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gwvxy.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwvxy.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gwvxy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gwvxy.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gwvxy.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gwvxy.dll/sp.html#96676

O2 - BHO: (no name) - {2F02A829-9E20-9D7B-E7E2-A516C5C5BB91} - C:\WINDOWS\sdkoc.dll

O4 - HKLM\..\Run: [mfceg.exe] C:\WINDOWS\system32\mfceg.exe

O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtsit.exe
O4 - HKLM\..\RunOnce: [ievo32.exe] C:\WINDOWS\system32\ievo32.exe

O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN_XP.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Hoi guesswho,

Klik Start > Uitvoeren > services.msc > OK
In het scherm met services zoek je naar Network Security Service.
Rechtsklik erop en Stop deze service.
Zet hem dan ook op Uitgeschakeld onder Eigenschappen > Tabblad Algemeen > Opstarttype.

In Taakbeheer beeindig je deze twee processen:
C:\WINDOWS\system32\sdkmt.exe
C:\WINDOWS\system32\mfceg.exe

Daarna start je opnieuw op in veilige modus en verwijder:
C:\WINDOWS\system32\sdkmt.exe
C:\WINDOWS\system32\mfceg.exe
C:\WINDOWS\system32\ievo32.exe
C:\WINDOWS\sdkoc.dat
C:\WINDOWS\gwvxy.dll

Groetjes,

Pieter