Helpmij anti-spyware offensive (part 5)

Status
Not open for further replies.
Posted by pluizerd
Hello... here is another mysearch that I really can't get rid of. Does it come in via MSN 6 (something)?

Here is my list:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchweb2.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = searchweb2.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html

O2 - BHO: OpinionBar IE monitor - {6607C683-AE7C-11D4-ACD7-0050DAC291A2} - C:\PROGRA~1\OPINIO~1\MyIEMonitor.dll
O2 - BHO: (no name) - {AC322C87-364B-DA52-5A80-4BA51635B21F} - C:\PROGRA~1\OPTION~1\copycake.dll

O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx

Hope I can finally get rid of it this time

Regards, pluizje

Hello pluizje,
in your Hijack This log I come across something that I don't recognise and can't find anything sensible about:
O4 - HKLM\..\Run: [five software] C:\PROGRA~1\GRAMST~1\barbcloseaxis.exe
Do you know what this is? If you don't recognise it, you may tick it in Hijack This as well.

Download CWShredder
But don't start it yet; we will do that once we are finished with Hijack This.
Now go offline; if need be, pull the cable or phone line out of your computer.

In Hijack This, tick all of the items above (see quote).
Close all windows except Hijack This itself.
Then click "Fix Checked".

Now open CWShredder and click the "Fix" button.
Follow the instructions carefully.

Restart the PC in safe mode.
Make sure that in the folder options of Windows Explorer (Tools menu --> Folder Options --> "View" tab) "Show hidden files and folders" is switched on.

Using Windows Explorer, delete the following (if still present):

C:/Program%20Files/Onlinedirect/ <-- entire folder
C:\PROGRAM FILES\OPINIONBAR\ <-- entire folder
C:\PROGRAM FILES\OPTION~1\ <-- entire folder
C:\WINDOWS\System32\sed.exe <-- file

and if you also ticked barbcloseaxis.exe in Hijack This:
C:\PROGRA~1\GRAMST~1\ <-- entire folder

Restart the PC normally again.
Plug the cable or phone line back into the computer and scan with Hijack This to check whether everything is back to normal.

After that, download and install Spyware blaster and Spyware Guard. Both can be downloaded here

Good luck,
Olav
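The last step of the procedure above, rescanning to see whether the ticked items are really gone, can be checked mechanically. The following is an added example and not part of the original posts: it parses HijackThis entry lines and reports which flagged entries still appear in a later scan. The flagged lines are taken from the quoted list above; the rescan log is constructed for illustration, and all function names are hypothetical.

```python
import re

# One HijackThis entry line: "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [x] C:\y.exe".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2})\s+-\s+(?P<detail>.+?)\s*$")
# CLSID in braces, as used by the O2 (BHO), O3 (toolbar) and O16 (DPF) sections.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Return (section, detail) tuples for every entry line in a log.

    The header, the 'Running processes' list and blank lines do not match
    the entry pattern and are skipped.
    """
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def entry_key(section, detail):
    """Comparison key that survives cosmetic differences between two scans.

    CLSID-based sections are keyed on the CLSID alone, because the same
    object can be listed with or without its class name. Everything else is
    compared case-insensitively with whitespace collapsed, since Windows
    paths are not case sensitive.
    """
    clsid = CLSID_RE.search(detail)
    if section in ("O2", "O3", "O16") and clsid:
        return (section, clsid.group(0).upper())
    return (section, " ".join(detail.split()).lower())


def still_present(flagged_text, rescan_text):
    """Return the flagged entries that also occur in the rescan log."""
    rescan_keys = {entry_key(s, d) for s, d in parse_entries(rescan_text)}
    return [(s, d) for s, d in parse_entries(flagged_text)
            if entry_key(s, d) in rescan_keys]


# Entries that were ticked for "Fix Checked" (copied from the list above).
FLAGGED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
O2 - BHO: OpinionBar IE monitor - {6607C683-AE7C-11D4-ACD7-0050DAC291A2} - C:\PROGRA~1\OPINIO~1\MyIEMonitor.dll
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
"""

# Constructed rescan log (illustration only): two flagged items came back,
# one with different path casing and one listed with its class name.
RESCAN = r"""
Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\system32\sed.exe
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
"""

if __name__ == "__main__":
    for section, detail in still_present(FLAGGED, RESCAN):
        print("still present:", section, "-", detail)
```
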
 
Posted by steveson
I did everything as Olav said, but the .dll file that I have to delete in safe mode is nowhere to be found. I'm rid of a few programs that had been bothering me for a long time and couldn't be removed, thank you.

Greetz,

steveson

Hi Steveson,
it is possible that the DLL had already been removed by Hijack This, but we often have people check that they are really gone by deleting them manually once more.
Some DLLs tend to come back anyway, which is also why we use safe mode: there is less chance that they can start up. In safe mode only the strictly necessary things are started.

Olav
 
Hi Pieter..

Could you take a look at my log??
Thanks in advance ;)
My system is running very slowly at the moment; I don't know whether it has anything to do with this log.

Logfile of HijackThis v1.97.7
Scan saved at 7:23:28, on 11-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\Realplayer\RealPlay.exe
F:\MSN\MsgPlus.exe
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Outlook Express\msimn.exe
G:\Soulseek\slsk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
G:\DVD Shrink\DVD Shrink 3.1.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dienaar\Mijn documenten\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helpmij.nl/forum/search.php?s=&action=showresults&getnew=true&searchid=631476
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.helpmij.nl/forum/search.php?s=&action=showresults&getnew=true&searchid=591546
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - F:\DAP\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Fortis Secure Layer Config] cseinst.exe -o-h
O4 - HKLM\..\Run: [LaunchList] G:\LaunchList.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] G:\Realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MessengerPlus3] "F:\MSN\MsgPlus.exe"
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - G:\INCRED~2\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - F:\DAP\DAP\dapextie.htm
O8 - Extra context menu item: &Email It - G:\QuickSend\quicksend.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Onderzoek (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npvmidi.dll
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1014_EN_XP.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37872.9299652778
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
 
Posted by Lerosa

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com

O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll

O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1014.dll,InstantAccess

O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1014_EN_XP.cab

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab

Hi Lerosa,

Tick the ones above, close all windows except HijackThis and click Fix checked.

Then restart and delete (in safe mode if necessary):
C:\WINDOWS\mslagent <= the whole folder
p2esocks_1014.dll <= most likely in C:\WINDOWS\system32

Regards,

Pieter
 
error after virus scanner

I had previously posted a message saying that I had used the free virus scanner that you recommended earlier in this thread. After I chose repair, I could no longer start my Internet Explorer. Now I have found out that I just can't click directly on Internet Explorer (at the bottom in the quick launch menu, Start > Programs, and on the desktop); I can now get there via Explorer. If I click on a link in an e-mail it also goes wrong. I get the following message when I start the internet: (with a blue background)
___________________________________________
Fatale uitzondering 00 op 016F:BFF7668D de huidige toepassing word afgesloten
*druk een toets om de toepassing af te sluiten
*druk nogmaals op CTRL+ALT+DEL om de computer opnieuw te starten. niet opgeslagen gegevens gaan verloren
druk op een toets om door te gaan
____________________________________________

Can you do anything with this, or should I just send my log after all?
bart
 
Hijack log file

Who can rid me of I.E. not starting up properly to the start page??? Here is my log file, the remainder after the hijack was fixed??

Logfile of HijackThis v1.97.7
Scan saved at 20:42:01, on 6-6-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\That Manager\KINDCOMPVIEW.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WinBar\WinBar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Norton AntiVirus\SAVScan.exe
G:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Kees en Annemarie\Local Settings\Temp\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BE87D9C7-7A7F-7781-A265-0367B1E8B3F0} - C:\PROGRA~1\DASHBO~1\Startmeta.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ooze acid - {E3BA248F-14D9-A4BD-7ACB-0F8979FD2584} - C:\PROGRA~1\DASHBO~1\Startmeta.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Extra Tool] C:\PROGRA~1\That Manager\KINDCOMPVIEW.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1013.dll,InstantAccess
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O4 - Startup: AOM(2).lnk = C:\Program Files\Common Files\Adobe\Web\AOM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} (chelloInstall.Install) - http://quickfix2.chello.nl/quickfix2/asp/chelloInstall.CAB
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37604.0395833333
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} (Tintel Class) - http://exe.dialer.tintel.nl/tcw.cab
O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} (LaunchApp.clsDefault) - http://quickfix2.chello.nl/quickfix2/asp/LaunchApp.CAB
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1013_EN_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4357/mcfscan.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/dlaccell.CAB
 
Posted by Olav


Can you post a new Hijack This log? I don't see that about:blank in your old log.

To be on the safe side, download CWShredder and start it. Click "Fix" and follow the instructions carefully.
Then restart the PC.
Only after that, let Hijack This scan and post that log here.

Good luck,
Olav

I used CWShredder and then rebooted. HijackThis gives the following log file.
Regards, Pepijn

Logfile of HijackThis v1.97.7
Scan saved at 11:55:05, on 11-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Morgenpep\Local Settings\Temp\Tijdelijke map 3 voor hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.paradigit.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Registration-PCTV.lnk = C:\Program Files\Pinnacle\PCTV Stereo\ERegister\RegTool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{184EEF5E-7892-41A3-B3DC-DA4D1C7AAAD9}: NameServer = 192.168.0.1
 
Here is my log; I used Ad-aware. I have no idea how it works, here it comes. (I was told I had to do this, because I keep getting an svchost message):

FilePath : z:\
ThreadCreationTime : 11-6-2004 6:51:52
BasePriority : Normal
FileSize : 36 KB
Created on : 15-5-2002 12:56:50
Last accessed : 11-6-2004 12:56:50
Last modified : 6-9-2000 15:45:36

#:19 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 11-6-2004 6:51:53
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3315.2846
ProductVersion : 5.00.3315.2846
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 31-5-2001 18:00:00
Last accessed : 11-6-2004 9:38:29
Last modified : 31-5-2001 18:00:00

#:20 [smtray.exe]
FilePath : C:\Program Files\Analog Devices\SoundMAX\
ThreadCreationTime : 11-6-2004 6:51:56
BasePriority : Normal
FileSize : 68 KB
FileVersion : 1, 0, 203, 0
ProductVersion : 1, 0, 203, 0
Copyright : Copyright
CompanyName : Analog Devices
FileDescription : SoundMAX System Tray
InternalName : SMTray
OriginalFilename : SMTray.exe
ProductName : SoundMAX Integrated Digital Audio
Created on : 23-5-2002 7:42:29
Last accessed : 11-6-2004 9:41:38
Last modified : 8-8-2001 12:39:10

#:21 [cpqek.exe]
FilePath : C:\Program Files\Compaq\Compaq EAB Software\
ThreadCreationTime : 11-6-2004 6:51:56
BasePriority : Normal
FileSize : 64 KB
FileVersion : 2, 1, 4, 1
ProductVersion : 2, 1, 4, 1
Copyright : Copyright (C) 2001
CompanyName : Compaq Computer Corporation
FileDescription : Compaq EAB Software
InternalName : Cpqek
OriginalFilename : cpqek.exe
ProductName : Cpqek Application
Created on : 23-5-2002 7:47:17
Last accessed : 11-6-2004 9:41:38
Last modified : 9-7-2001 10:37:54

#:22 [promon.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 11-6-2004 6:51:56
BasePriority : Normal
FileSize : 30 KB
FileVersion : 4.08
ProductVersion : 4.02
Copyright : Copyright (C) 1998-2001 Intel Corporation. All Rights Reserved.
CompanyName : Intel Corporation
FileDescription : Intel(R) PROSet Tray Icon
InternalName : Intel(R) PROMonitor
OriginalFilename : PROMon.exe
ProductName : Intel(R) PROMonitor
Created on : 23-5-2002 7:48:05
Last accessed : 11-6-2004 9:41:38
Last modified : 5-7-2001 9:32:38

#:23 [dpmw32.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 11-6-2004 6:51:57
BasePriority : Normal
FileSize : 28 KB
Created on : 23-5-2002 7:53:14
Last accessed : 11-6-2004 9:41:39
Last modified : 21-1-2000 0:47:08

#:24 [nwtray.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 11-6-2004 6:51:57
BasePriority : Normal
FileSize : 28 KB
FileVersion : v4.83
ProductVersion : v4.83
Copyright : Copyright
CompanyName : Novell, Inc.
FileDescription : Novell System Tray Icon
OriginalFilename : NWTRAY.EXE
ProductName : Novell Client for Windows
Created on : 23-5-2002 7:53:14
Last accessed : 11-6-2004 9:41:39
Last modified : 18-12-2001 11:24:56

#:25 [realmon.exe]
FilePath : C:\Program Files\CA\eTrust\InoculateIT\
ThreadCreationTime : 11-6-2004 6:51:57
BasePriority : Normal
FileSize : 365 KB
FileVersion : 6.0.96.0
ProductVersion : 6.0.96.0
Copyright : Copyright (c) 1992-2001 Computer Associates International, Inc.
CompanyName : Computer Associates International, Inc.
InternalName : Realmon.exe
OriginalFilename : Realmon.exe
ProductName : InoculateIT
Created on : 23-5-2002 10:52:05
Last accessed : 11-6-2004 8:54:20
Last modified : 19-7-2001 17:21:20

#:26 [createcd50.exe]
FilePath : C:\Program Files\Common Files\Adaptec Shared\CreateCD\
ThreadCreationTime : 11-6-2004 6:51:57
BasePriority : Normal
FileSize : 112 KB
FileVersion : 5.1 (79)
ProductVersion : 5.1 (79)
Copyright : Copyright (c) 1999-2001 Roxio, Inc.
CompanyName : Roxio
FileDescription : Roxio Create CD
InternalName : createcd.exe
OriginalFilename : createcd.exe
ProductName : Easy CD Creator
Created on : 24-10-2001 9:22:28
Last accessed : 11-6-2004 9:41:39
Last modified : 24-10-2001 9:22:28

#:27 [directcd.exe]
FilePath : C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 11-6-2004 6:51:58
BasePriority : Normal
FileSize : 640 KB
FileVersion : 5.10 (133)
ProductVersion : 5.10 (133)
Copyright : Copyright
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 24-10-2001 10:42:10
Last accessed : 11-6-2004 9:41:39
Last modified : 24-10-2001 10:42:10

#:28 [internat.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 11-6-2004 6:51:58
BasePriority : Normal
FileSize : 20 KB
FileVersion : 5.00.2920.0000
ProductVersion : 5.00.2920.0000
Copyright : Copyright (C) Microsoft Corp. 1994-1999
CompanyName : Microsoft Corporation
FileDescription : Toepassing voor toetsenbordtaalindicator
InternalName : INTERNAT
OriginalFilename : INTERNAT.EXE
ProductName : Besturingssysteem Microsoft(R) Windows (R) 2000
Created on : 31-5-2001 18:00:00
Last accessed : 11-6-2004 9:41:39
Last modified : 31-5-2001 18:00:00

#:29 [notify.exe]
FilePath : C:\Novell\GroupWise\
ThreadCreationTime : 11-6-2004 6:51:59
BasePriority : Normal
FileSize : 176 KB
FileVersion : 6.0.1
ProductVersion : 6.0.1
Copyright : Copyright
CompanyName : Novell, Inc.
FileDescription : GroupWise Notify
InternalName : Notify
OriginalFilename : NOTIFY.EXE
ProductName : Notify
Created on : 23-5-2002 10:35:04
Last accessed : 11-6-2004 9:41:39
Last modified : 25-10-2001 8:05:08

#:30 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ThreadCreationTime : 11-6-2004 6:51:59
BasePriority : Normal
FileSize : 37 KB
FileVersion : 9.76.046
ProductVersion : 9.76.046
Copyright : (C) 1987-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
OriginalFilename : Em_Exec.exe
ProductName : MouseWare
Created on : 20-4-2004 8:51:41
Last accessed : 11-6-2004 9:41:39
Last modified : 19-3-2003 7:50:00

#:31 [olfsnt40.exe]
FilePath : C:\Program Files\Microsoft Office\Office\1043\
ThreadCreationTime : 11-6-2004 6:52:01
BasePriority : Normal
FileSize : 44 KB
FileVersion : 9.0.98.0105
ProductVersion : 9.0.98.0105
Copyright : Copyright (C) Symantec Corp. 1990-1998
CompanyName : Microsoft Corporation
FileDescription : Symantec Fax Starter Edition Port Launcher
InternalName : OLFSNT40.DLL
OriginalFilename : OLFSNT40.DLL
ProductName : Symantec Fax Starter Edition Printer Driver
Created on : 23-5-1999 23:18:20
Last accessed : 11-6-2004 9:41:39
Last modified : 23-5-1999 23:18:20

#:32 [scaner32.exe]
FilePath : C:\WINNT\TWAIN_32\Trust\9600\
ThreadCreationTime : 11-6-2004 6:52:02
BasePriority : Normal
FileSize : 60 KB
Created on : 5-9-2003 8:58:42
Last accessed : 11-6-2004 9:41:39
Last modified : 5-5-1998 8:26:58

#:33 [fsscrctl.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 11-6-2004 6:52:02
BasePriority : Normal
FileSize : 243 KB
FileVersion : 2, 1, 0, 46
ProductVersion : 2, 1, 0, 46
Copyright : Copyright
CompanyName : Stardust Software
FileDescription : Screen Saver Control applet
InternalName : FSScrCtl
OriginalFilename : FSSCRCTL.EXE
ProductName : Stardust Screen Saver Toolkit 2.1
Created on : 21-6-2002 10:11:47
Last accessed : 11-6-2004 9:41:39
Last modified : 21-6-2002 10:11:47

#:34 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 11-6-2004 9:41:05
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 11-6-2004 9:40:19
Last accessed : 11-6-2004 9:40:32
Last modified : 12-7-2003 20:00:20

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Alexa Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :


Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 3


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 3


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : administrator@as1.falkag[2].txt
Object : C:\Documents and Settings\Administrator\Cookies\

Created on : 5-12-2003 13:02:19
Last accessed : 11-6-2004 9:42:19
Last modified : 5-12-2003 13:02:19



Tracking Cookie Object recognized!
Type : File
Data : administrator@doubleclick[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\

Created on : 20-11-2003 11:25:51
Last accessed : 11-6-2004 9:42:19
Last modified : 20-11-2003 11:25:59



Tracking Cookie Object recognized!
Type : File
Data : administrator@linksynergy[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\

Created on : 2-6-2004 8:14:01
Last accessed : 11-6-2004 9:42:19
Last modified : 2-6-2004 8:14:01



Tracking Cookie Object recognized!
Type : File
Data : administrator@mediaplex[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\

Created on : 20-11-2003 11:25:52
Last accessed : 11-6-2004 9:42:19
Last modified : 20-11-2003 11:25:52



Tracking Cookie Object recognized!
Type : File
Data : administrator@qksrv[1].txt
Object : C:\Documents and Settings\Administrator\Cookies\

Created on : 2-6-2004 8:14:07
Last accessed : 11-6-2004 9:42:19
Last modified : 2-6-2004 8:14:07


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 8


11:42:31 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:00:52:938
Objects scanned :30279
Objects identified :8
Objects ignored :0
New objects :8
 
Trouble with an extra bar in Explorer, after someone had been on a site for games.
I can change the start page, but .....!

I scanned with Spybot S&D and made the following HijackThis log.
Nothing found using Spybot S&D!

Can someone also tell me which files are "superfluous"?

Thanks in advance!

Regards, Paul
 
Sorry, here is my HijackThis file!


Logfile of HijackThis v1.92.0
Scan saved at 13:00:32, on 11-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.acer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [o2cd] C:\Program Files\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O4 - Global Startup: POPUPENG.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.acer.com
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.5254976852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.picturestrip.net/picturestrip/_ps_ocx/xupload/xupload.ocx
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
 
Re: Hijack log file

Posted by jaikke

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html

O2 - BHO: (no name) - {BE87D9C7-7A7F-7781-A265-0367B1E8B3F0} - C:\PROGRA~1\DASHBO~1\Startmeta.dll

O3 - Toolbar: ooze acid - {E3BA248F-14D9-A4BD-7ACB-0F8979FD2584} - C:\PROGRA~1\DASHBO~1\Startmeta.dll

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Extra Tool] C:\PROGRA~1\That Manager\KINDCOMPVIEW.exe

O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1013.dll,InstantAccess

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} (Tintel Class) - http://exe.dialer.tintel.nl/tcw.cab

O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1013_EN_XP.cab

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/dlaccell.CAB

Hi jaikke,

First unzip hijackthis.exe to a separate folder. The program makes backups in the folder where the .exe is located. In a Temp folder those disappear rather easily.

Check the items above, close all windows except HijackThis and click Fix checked.

Then restart and, in safe mode, delete:
C:\PROGRAM FILES\That Manager <= the whole folder
p2esocks_1014.dll <= most likely in C:\WINDOWS\system32

Regards,

Pieter
 
Posted by dbijman
Here is my log; I used Ad-aware. I have no idea how it works, here it comes. (I gathered that I had to do this, because I get an svchost message every time):


Hello dbijman,

Read the first post carefully once more. By the way, you can ignore the things AdAware found. Just update first and then try again.

Regards,

Pieter
 
Posted by Bamekipa
Sorry, here is my HijackThis file!


Logfile of HijackThis v1.92.0
Scan saved at 13:00:32, on 11-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

I think you must still have a newer version of HijackThis somewhere. Or download a new one. (version 1.97.7)

Regards,

Pieter
 
OK Pieter, downloaded a new version and scanned.
Here is the result:

Logfile of HijackThis v1.97.7
Scan saved at 13:58:47, on 11-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
C:\Program Files\O2Micro\AudioDJ\o2cd.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Keymaestro\Onscreen Display\OSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\PAULLA~1\LOCALS~1\Temp\Rar$EX00.813\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.acer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [o2cd] C:\Program Files\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O4 - Global Startup: POPUPENG.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.acer.com
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.5254976852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.picturestrip.net/picturestrip/_ps_ocx/xupload/xupload.ocx
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab


Regards, Paul
 
Hello Mr. Wizard, I have another log file that needs to be checked.
PS: it has already been scanned by Ad-aware.
Thanks again in advance and until next time.

Logfile of HijackThis v1.97.7
Scan saved at 15:10:09, on 11-6-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TBPANEL.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTTRAYAPP.EXE
C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EMULE\EMULE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TIJDELIJKE INTERNET-BESTANDEN\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hebbes.hetnet.nl/default.asp?zo=1&cs=0&ds=hebbes&ct=clubs,pwp,netkrant
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Het Net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: run=hpfsched
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Systeemwerkbalk] SysTray.Exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON GHOST\GHOSTSTARTSERVICE.EXE
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\TLC Domus\PrintMaster\Pmremind.exe
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .scr: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\PROGRA~1\Intern~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hetnet.nl
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
 
Posted by Bamekipa

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime ***

O4 - Global Startup: POPUPENG.EXE ???


Hi bamekipa,

First unzip hijackthis.exe to a separate folder. The program makes backups in the folder where the .exe is located. In a Temp folder those disappear rather easily.

*** is unnecessary

The only one I don't know is that popupeng.exe

That extra bar, where is it located and what is it called?

Regards,

Pieter
 
Logfile of HijackThis v1.97.7
Scan saved at 15:43:58, on 11-6-2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ComputerAssociates\ARCserve\casmrtbk.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\WMRUNDLL.EXE
z:\clntrust.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Spa Reine Zuiver Jezelf Alarm\Spa Reine Zuiver Jezelf Alarm.Exe
C:\WINNT\system32\internat.exe
C:\Program Files\Alcatel_PIMphony\aocphone.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
C:\Novell\GroupWise\GrpWise.exe
C:\Novell\GroupWise\GWSync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\deborab\Bureaublad\Hickthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher=bm:8080;http=bm:8080;https=bm:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [WatchDogExe] C:\Program Files\Spa Reine Zuiver Jezelf Alarm\Spa Reine Zuiver Jezelf Alarm.Exe
O4 - HKLM\..\Run: [TaskPlus] C:\Program Files\TaskPlus\taskplus0.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Search and Recover Disk Image Service] C:\Program Files\iolo\System Mechanic 4 Professional\Search and Recover\DiskImageService.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PIMphony.lnk = C:\Program Files\Alcatel_PIMphony\aocphone.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37889.4490393519
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} (Tintel Class) - http://exe.dialer.tintel.nl/tcw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab


From debora
 