Helpmij anti-spyware offensive (part 5)

Status
Not open for further replies.
Posted by bekking
Hello Pieter,

Would you please look at this log file?
I scanned with Spybot S + D.
Would you also look for unnecessary startup files?
I am sending you this because I can no longer get on the internet.
Something changes the correct pages into windows\system32\shdoclc.dll/dnserror.htm and then reports that it cannot find the server.

Regards, Steef

Logfile of HijackThis v1.97.7
Scan saved at 19:38:24, on 24-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe
C:\WINDOWS\System32\PRISMSTA.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger Plus! 3\MsgPlus1.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\overige bestanden\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.breekpunt.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 5 Pro\FpLaunch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\nl\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [AntivirusRegistration] C:\Program Files\Excid.com Aps\eTrust Antivirus Registration\EzAntivirusRegistrationCheck.exe
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37899.1631597222
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4360/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

Pieter,

I think there is also something from netdot in there that you did not indicate can be removed (or I must have overlooked it)
 
Posted by Pieter Arntz


Hi bekking,

This is the only other one that does not belong there:

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

Something else you can try is to open a command prompt and give this command

IPCONFIG /flushdns

followed by ENTER.

Regards,

Pieter

Unfortunately, Pieter, this does not help either. I just don't understand why this happens with all internet pages and, LUCKILY !!!, only not with helpmij.nl
Then there must be something that changes the default settings?
 
Posted by m@rio


Pieter,

I think there is also something from netdot in there that you did not indicate can be removed (or I must have overlooked it)
 
Re: Dear Pieter

Posted by arjan480
Pieter, you are a hero, startup is already much faster, you should get a medal for this work :cool:

Just 1 small problem: I removed all those files with HijackThis, but I don't know how to start up in safe mode :o

Safe mode for XP:
Start > Run > msconfig > on the boot.ini tab, tick "/SAFEBOOT" and click OK
When you are done in safe mode, follow the same route to remove the tick again.

Next step toward your cleanup. :)

Download LSPFix from http://www.cexx.org/lspfix.htm
Run it and choose "I know what I'm doing"
Then move all (and only those) inetadpt.dll to the "Remove" window and click "Finish"

Download VX2Finder:
http://tools.zerosrealm.com/VX2Finder.exe

Run Vx2Finder, click the *click to find VX2.BetterInternet* button. Then click *make log*.
Post that log together with your new HijackThis log.

Regards,

Pieter
 
Posted by Pieter Arntz


Hi bekking,

First try to remove NewDotNet aka New.Net (Domains) in Control Panel > Add or Remove Programs.

If that does not work, tick the ones above, close all windows except HijackThis and click Fix checked.

Then restart and try again.

Regards,

Pieter

I had already done that, m@rio.

That did work, didn't it, bekking?
I haven't heard anything further from you about it.

Regards,

Pieter
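Added example (not part of the original thread, and not HijackThis's own logic): a small Python triage of HijackThis item lines, run over a constructed sample made of lines copied from the logs posted in this thread. The flagging rules and the `WATCHLIST` names are illustrative assumptions based on what the helper singles out here (the MyWay toolbar and New.Net).

```python
import re

# Constructed sample: item lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.breekpunt.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\temp\sp.html
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
"""

# Item lines start with a section code (R0, O4, O10, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Assumption: names taken from the helper's replies in this thread.
WATCHLIST = ("myway", "new.net", "newdot")


def parse_entries(log_text):
    """Return (code, detail) for every item line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(entries, watchlist=WATCHLIST):
    """Flag entries worth a closer look; identical lines are reported once."""
    findings = []
    seen = set()
    for code, detail in entries:
        low = detail.lower()
        reasons = []
        if code == "O10":
            # O10 is HijackThis's section for Winsock LSP changes.
            reasons.append("Winsock LSP chain modified")
        if code in ("R0", "R1") and "= file://" in low:
            reasons.append("IE page setting points at a local file")
        if code == "O2" and low.endswith("(no file)"):
            reasons.append("BHO registered but its file is missing")
        hits = [name for name in watchlist if name in low]
        if hits:
            reasons.append("matches watchlist: " + ", ".join(hits))
        if reasons and (code, detail) not in seen:
            seen.add((code, detail))
            findings.append({"code": code, "detail": detail, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_LOG)):
        print(finding["code"], "|", "; ".join(finding["reasons"]))
        print("   ", finding["detail"])
```

A flagged line is a prompt for review, not a verdict: entries such as the SpywareGuard BHO pass these rules only because nothing in the rule set or watchlist mentions them.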
 
Posted by bekking


Thank you, but removing newdotnet already succeeded the first time via Control Panel and Add or Remove Programs.

If you browse somewhere via an IP address, does that work?
For example this link http://66.102.11.104/
If you click on it, do you end up at Google?

Regards,

Pieter
 
Posted by Pieter Arntz


I had already done that, m@rio.

That did work, didn't it, bekking?
I haven't heard anything further from you about it.

Regards,

Pieter

Yes, that succeeded right away via Control Panel and Add or Remove Programs.
 
Posted by bertvane
Pieter,

it is one of those nasty search pages, a variant of CoolWebSearch according to an expert.

annoying pop-ups from a Spyware-killer also keep appearing, despite the Pop-Up-Blocker

Bert

Hi bertvane and DutchBull,

Try this program:
http://www.rokop-security.de/main/download.php?op=getit&lid=59
Close as much as possible and click *Desinfektion Starten*
Your computer should then restart within a few seconds; otherwise it is not working and I will hear about it.
If it does work, your computer opens again with that program. Click the same button (but with a different name) to continue booting.

Regards,

Pieter
 
Posted by Pieter Arntz


If you browse somewhere via an IP address, does that work?
For example this link http://66.102.11.104/
If you click on it, do you end up at Google?

Regards,

Pieter
Yes, then I end up at Google, but not all links work; I could get to the first link at arretje about new.dot.net, but the second one did not work either.
 
Hello Pieter,

Here is a log file from my daughter's boyfriend. He keeps getting a different start page from the one that is set. One of the files he cannot get rid of ends in sp.html. Well, take a look for yourself. You know more about it.
He scanned with Spybot and adaware 6.
Would you take a look at it? Thank you.

Below you will first find the Ad-aware log file, and below that the HijackThis log file.


Lavasoft Ad-aware Personal Build 6.181
Logbestand gemaakt op:woensdag 23 juni 2004 17:21:03
Created with Ad-aware Personal, free for private use.
Gebruikt referentiebestand01R324 22.06.2004
______________________________________________________

Ad-aware Settings
=========================
Geactiveerd : Intensieve datascan activeren
Geactiveerd : Veilige modus (altijd vragen om bevestiging)
Geactiveerd : Scan actieve processen
Geactiveerd : Scan register
Geactiveerd : Diepe registerscan
Geactiveerd : IE Favorieten scannen
Geactiveerd : Scan in ZIP-archieven
Geactiveerd : Scan my Hosts file


23-6-04 17:21:03 - Scan started. (Custom mode)

Lijst van geladen processen:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293886371
Threads : 4
Priority : High
FileSize : 464 KB
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
Copyright : Copyright (C) Microsoft Corp. 1991-1999
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel-kerncomponent
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Besturingssysteem Microsoft(R) Windows(R)
Created on : 1-1-01
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294948371
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bits VxD-berichtserver
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Besturingssysteem Microsoft(R) Windows(R)
Created on : 1-1-01
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:3 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294950459
Threads : 4
Priority : Normal
FileSize : 44 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright (C) Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1-1-01
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:4 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294727059
Threads : 2
Priority : Normal
FileSize : 28 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright (C) Microsoft Corp. 1993-1998
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1-1-01
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:5 [mosearch.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\
ProcessID : 4294745859
Threads : 9
Priority : Normal
FileSize : 68 KB
FileVersion : 10.109.3705.2
ProductVersion : 10.109.3705.2
Copyright : Copyright (C) Microsoft Corp. 1998. All rights
reserved.
CompanyName : Microsoft Corporation
FileDescription : Microsoft Office Search Service
InternalName : mosearch.exe
OriginalFilename : mosearch.exe
ProductName : PKM
Created on : 19-1-01 13:28:20
Last accessed : 22-6-04 22:00:00
Last modified : 19-1-01 13:28:20

#:6 [mdm.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\MICROSOFT
SHARED\VS7DEBUG\
ProcessID : 4294799259
Threads : 4
Priority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright (C) Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 23-2-01 8:07:30
Last accessed : 22-6-04 22:00:00
Last modified : 23-2-01 8:07:30

#:7 [ccevtmgr.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294803419
Threads : 27
Priority : Normal
FileSize : 313 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All
rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 20-2-03 15:40:42
Last accessed : 22-6-04 22:00:00
Last modified : 6-12-02 9:28:42

#:8 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294776839
Threads : 3
Priority : Normal
FileSize : 110 KB
FileVersion : 4.71.1972.1
ProductVersion : 4.71.1972.1
Copyright : Copyright (C) Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Taakplanner Engine
InternalName : Taakplanner
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 3-8-01 15:40:58
Last accessed : 22-6-04 22:00:00
Last modified : 3-8-01 15:40:58

#:9 [ghoststartservice.exe]
FilePath : C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\
ProcessID : 4294786279
Threads : 1
Priority : Normal
FileSize : 196 KB
FileVersion : 2003.775
ProductVersion : 2003.775
Copyright : Copyright (C) 1998-2002 Symantec Corp. All rights
reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Ghost Start
InternalName : GhostStartService
OriginalFilename : GhostStartService.exe
ProductName : Norton Ghost Start Service
Created on : 14-8-02 13:21:16
Last accessed : 22-6-04 22:00:00
Last modified : 14-8-02 13:21:16

#:10 [pstores.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293066043
Threads : 4
Priority : Normal
FileSize : 79 KB
FileVersion : 5.00.1877.3
ProductVersion : 5.00.1877.3
Copyright : Copyright (C) Microsoft Corp. 1981-1998
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
OriginalFilename : Protected storage server
ProductName : Microsoft(R) Windows NT(R) Operating System
Created on : 1-1-01
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:11 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293008311
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1-1-01
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4293073911
Threads : 5
Priority : Normal
FileSize : 176 KB
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
Copyright : Copyright (C) Microsoft Corp. 1981-1997
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows NT(R) Operating System
Created on : 5-5-99 20:22:00
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:13 [taskmon.exe]
FilePath : C:\WINDOWS\
ProcessID : 4292922247
Threads : 2
Priority : Normal
FileSize : 28 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright (C) Microsoft Corp. 1998
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
OriginalFilename : TASKMON.EXE
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1-1-01
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:14 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292883195
Threads : 3
Priority : Normal
FileSize : 32 KB
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
Copyright : Copyright (C) Microsoft Corp. 1993-1998
CompanyName : Microsoft Corporation
FileDescription : Toepassing Systeemwerkbalk
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Besturingssysteem Microsoft(R) Windows(R)
Created on : 1-1-01
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:15 [em_exec.exe]
FilePath : C:\MOUSE\SYSTEM\
ProcessID : 4292937543
Threads : 2
Priority : Normal
FileSize : 35 KB
FileVersion : 8.21.537
ProductVersion : 8.21
Copyright : Copyright Logitech Inc 1987-1998.
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
OriginalFilename : EM_EXEC.CPP
ProductName : MouseWare
Created on : 24-2-00 9:06:19
Last accessed : 22-6-04 22:00:00
Last modified : 28-8-98 6:21:00

#:16 [hpztsb08.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292870995
Threads : 2
Priority : Normal
FileSize : 168 KB
FileVersion : 2,223,0,0
ProductVersion : 2,223,0,0
Copyright : Copyright (c) Hewlett-Packard Company 1999-2003
CompanyName : HP
ProductName : HP DeskJet
Created on : 10-5-04 8:03:26
Last accessed : 22-6-04 22:00:00
Last modified : 11-3-03 8:08:52

#:17 [loadqm.exe]
FilePath : C:\WINDOWS\
ProcessID : 4292960191
Threads : 4
Priority : Normal
FileSize : 7 KB
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
OriginalFilename : LOADQM.EXE
ProductName : QMgr Loader
Created on : 4-5-04 22:20:43
Last accessed : 22-6-04 22:00:00
Last modified : 3-5-00 15:23:10

#:18 [ccapp.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4292936183
Threads : 26
Priority : Normal
FileSize : 56 KB
FileVersion : 1.08.01
ProductVersion : 1.08.01
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All
rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 13-8-03 9:52:46
Last accessed : 22-6-04 22:00:00
Last modified : 15-7-03 12:56:58

#:19 [hpwuschd.exe]
FilePath : C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE
UPDATE\
ProcessID : 4293274547
Threads : 2
Priority : Normal
FileSize : 48 KB
Created on : 17-12-02 9:40:22
Last accessed : 22-6-04 22:00:00
Last modified : 17-12-02 9:40:22

#:20 [hpotdd01.exe]
FilePath : C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL
IMAGING\BIN\
ProcessID : 4293312895
Threads : 4
Priority : Normal
FileSize : 40 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
OriginalFilename : hpotdd01.exe
ProductName : Hewlett-Packard hpotdd01
Created on : 2-12-02 18:56:10
Last accessed : 22-6-04 22:00:00
Last modified : 2-12-02 18:56:10

#:21 [ghoststarttrayapp.exe]
FilePath : C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\
ProcessID : 4292994015
Threads : 2
Priority : Normal
FileSize : 92 KB
FileVersion : 2003.775
ProductVersion : 2003.775
Copyright : Copyright (C) 1998-2002 Symantec Corp. All rights
reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Ghost Start
InternalName : GhostStartTrayApp
OriginalFilename : GhostStartTrayApp.exe
ProductName : Norton Ghost Start
Created on : 14-8-02 13:21:28
Last accessed : 22-6-04 22:00:00
Last modified : 14-8-02 13:21:28

#:22 [ctfmon.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293321635
Threads : 2
Priority : Normal
FileSize : 8 KB
FileVersion : 1.00.2409.7 built by: Lab06_N
ProductVersion : 1.00.2409.7
Copyright : Copyright (C) Microsoft Corporation. 1981-2001
CompanyName : Microsoft Corporation
FileDescription : Cicero Loader
InternalName : CICLOAD
OriginalFilename : CICLOAD.EXE
ProductName : Microsoft(R) Windows NT(R) Operating System
Created on : 19-2-01 19:09:54
Last accessed : 22-6-04 22:00:00
Last modified : 19-2-01 19:09:54

#:23 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293184431
Threads : 4
Priority : Normal
FileSize : 16 KB
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
Copyright : Copyright (C) Microsoft Corp. 1981-1998
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows NT(R) Operating System
Created on : 1-1-01
Last accessed : 22-6-04 22:00:00
Last modified : 5-5-99 20:22:00

#:24 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4293376435
Threads : 3
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 21-6-04 18:26:35
Last accessed : 22-6-04 22:00:00
Last modified : 12-7-03 19:00:20

Resultaat van bestandsscan:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nieuwe objecten: 0
Totaal tot nu toe geïdentificeerde objecten: 0


Start scan register
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Resultaat van registerscan:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nieuwe objecten: 0
Totaal tot nu toe geïdentificeerde objecten: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Mogelijk browser-Hacker poging : Software\Microsoft\Internet
Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Waarde : Start Page
Data : "about:blank"

Mogelijk browser-Hacker poging : Software\Microsoft\Internet
Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Waarde : Start Page
Data : "about:blank"

Mogelijk browser-Hacker poging : .Default\Software\Microsoft\Internet
Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "about:blank"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Waarde : Start Page
Data : "about:blank"

Mogelijk browser-Hacker poging : Software\Microsoft\Internet
Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "file://c:\windows\temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Waarde : Search Page
Data : "file://c:\windows\temp\sp.html"

Mogelijk browser-Hacker poging : Software\Microsoft\Internet
Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "file://c:\windows\temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Waarde : Search Bar
Data : "file://c:\windows\temp\sp.html"

Mogelijk browser-Hacker poging : Software\Microsoft\Internet
Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "file://c:\windows\temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Waarde : SearchAssistant
Data : "file://c:\windows\temp\sp.html"

Mogelijk browser-Hacker poging : Software\Microsoft\Internet
Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "file://c:\windows\temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Waarde : Search Page
Data : "file://c:\windows\temp\sp.html"

Mogelijk browser-Hacker poging : Software\Microsoft\Internet
Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "file://c:\windows\temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Waarde : Search Bar
Data : "file://c:\windows\temp\sp.html"

Mogelijk browser-Hacker poging : Software\Microsoft\Internet
Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "file://c:\windows\temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Waarde : SearchAssistant
Data : "file://c:\windows\temp\sp.html"

Mogelijk browser-Hacker poging : .Default\Software\Microsoft\Internet
Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "file://c:\windows\temp\sp.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Waarde : Search Page
Data : "file://c:\windows\temp\sp.html"

Mogelijk browser-Hacker poging : .Default\Software\Microsoft\Internet
Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "file://c:\windows\temp\sp.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Waarde : Search Bar
Data : "file://c:\windows\temp\sp.html"

Mogelijk browser-Hacker poging : .Default\Software\Microsoft\Internet
Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object herkend!
Typ : Reg. Bestanden
Data : "file://c:\windows\temp\sp.html"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet
Explorer\Search
Waarde : SearchAssistant
Data : "file://c:\windows\temp\sp.html"


Resultaat diepe registerscan:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nieuwe objecten: 12
Totaal tot nu toe geïdentificeerde objecten: 12


Dieptescan van bestanden (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Resultaat van bestandsscan voor: C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nieuwe objecten: 0
Totaal tot nu toe geïdentificeerde objecten: 12


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nieuwe objecten: 0
Totaal tot nu toe geïdentificeerde objecten: 12


17:33:34 Systeemscan gereed

Samenvatting van het onderzoek
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Totale tijd systeemscan:00:12:29:790
Objecten gescand:67005
Objecten geïdentificeerd:12
Objecten genegeerd:0
Nieuwe objecten:12

---------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 17:37:06, on 24-6-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\HPZTSB08.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTTRAYAPP.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ALCATECH\BPM-STUDIO PROFI\BPM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0cj.net/cat
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://0cj.net/srchasst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4B494A1-B8BB-11D8-BD0D-0010B0F10A11} - C:\WINDOWS\SYSTEM\HGAIIDC.DLL
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] c:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - http://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Dear Pieter,

Here is my vx2finder log:

Files Found---


Guardian Key--- is called:

User Agent String---



And here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 23:50:35, on 24-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\ntsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\taskinf.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\crer32.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\COMPUTER CLEANING\HijackThis\HijackThis.exe
C:\PROGRA~1\Netropa\InetKb\ikbupd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cilvk.dll/sp.html#44272
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cilvk.dll/index.html#44272
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cilvk.dll/index.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cilvk.dll/sp.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cilvk.dll/index.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cilvk.dll/sp.html#44272
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EAADD167-D492-D64A-6508-6BCC2A6B4D56} - C:\WINDOWS\atluo.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\FSC\Wireless Wheel Mouse\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [task] C:\WINDOWS\System32\taskinf.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [crer32.exe] C:\WINDOWS\system32\crer32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [ntqf32.exe] C:\WINDOWS\system32\ntqf32.exe
O4 - HKLM\..\RunOnce: [appdu32.exe] C:\WINDOWS\system32\appdu32.exe
O4 - HKLM\..\RunOnce: [apiil32.exe] C:\WINDOWS\apiil32.exe
O4 - HKLM\..\RunOnce: [apifw32.exe] C:\WINDOWS\apifw32.exe
O4 - HKLM\..\RunOnce: [sdkky.exe] C:\WINDOWS\sdkky.exe
O4 - HKLM\..\RunOnce: [crpv32.exe] C:\WINDOWS\crpv32.exe
O4 - HKLM\..\RunOnce: [apidx32.exe] C:\WINDOWS\system32\apidx32.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.2009259259
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{680223C7-293D-4567-98A3-D3181A965FE7}: NameServer = 195.121.1.34 195.121.1.66
 
Pieter,

Emptied the Temp folder, deleted all cookies, and emptied %temp% in Windows Explorer again as well.
Renamed the temp folder to temp.old and created a new temp folder.

The PC seems a bit faster again, but my connection to the internet is impossibly slow :evil:

Do you have any more suggestions?

Regards, Oossie
 
Pieter, could you look through this log? It's from an acquaintance.

Logfile of HijackThis v1.97.7
Scan saved at 22:49:44, on 24-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DVDMFC~1\eq trust deaf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Image\Monitor.exe
C:\WINDOWS\DitExp.exe
C:\Documents and Settings\Eny\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCMService] C:\Program Files\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37664.0440393519
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Hi Pieter,

Everything is OK, but when I let Norton scan, it detected 54 things, and I don't know what to do about them. So I thought it also had something to do with this, but apparently not. In any case, thanks. Regards, Yvon
 