Helpmij tegen spyware offensief (deel 5)

Olav · 15 jun 2004

Re: spyware

Geplaatst door ingeborg 1
Kan mijn startpagina niet openen, ivm steeds terugkomend search bar

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.swingcafefriends.nl

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {19B639A0-B950-87C3-87D2-7E805C4C6126} - C:\PROGRA~1\ABOUTD~1\globalchic.dll (file missing)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll

O3 - Toolbar: Live bolt tool - {1B666EBE-1213-38CA-20FF-108229724A59} - C:\PROGRA~1\ABOUTD~1\globalchic.dll (file missing)

O4 - HKLM\..\Run: [DQWAGN] C:\WINDOWS\DQWAGN.exe

O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START

O4 - HKLM\..\Run: [vhfdpoew] C:\WINDOWS\jbixac.exe

O4 - HKLM\..\Run: [Lite Link] C:\PROGRA~1\UPSIZE~1\Online keep.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [slpkzkv] C:\WINDOWS\ighirj.exe
O4 - HKLM\..\Run: [dkbcaw] C:\WINDOWS\System32\klduna.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) - http://www.thepaymentcentre.com/build/vviewer.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binari...dtc32_EN_XP.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binari...tia32_EN_XP.cab

O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.oyunfabrikasi.com/nl/058745nl.exe

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} (Tintel Class) - http://exe.dialer.tintel.nl/tcw.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/serialzip.cab
O16 - DPF: {E3802230-F0E2-4A75-9947-EAB78DD8153F} (InstallerX Class) - http://www.klikeuro.nl/cab/EroWebInstaller.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.swingcafefriends.nl/admin/XUpload.ocx

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/dlaccell.CAB

Hallo Ingeborg,
het is al een wondertje dat je uberhaupt hier kan komen.
Nou stroop de mouwen op en we gaan aan de slag.

Download CWShredder
Maar start hem nog niet op, dat doen we als we klaar zijn met Hijack This.

In Hijack This, vink alle bovenstaande items (zie quote) aan.
Sluit alle schermen, behalve Hijack This zelf.
Klik vervolgens op "Fix Checked"

Open nu CWShredder en klik op de knop "Fix"
Volg de aanwijzingen nauwkeurig op.

Herstart de PC op in veilige modus
Zorg dat in de map opties van Windows Verkenner (Menu Extra --> Mapopties --> Tabblad "Weergave") "Verborgen mappen en bestanden weergeven" aan staat.

Verwijder via Windows verkenner de volgende zaken (mits nog aanwezig):
C:\Program Files\NewDotNet\ <-- hele map
C:\Program Files\NowOnline\ <-- hele map
C:\PROGRA~1\UPSIZE~1\ <-- hele map
C:\PROGRA~1\ABOUTD~1\ <-- hele map

C:\WINDOWS\alchem.exe <-- bestand
C:\WINDOWS\DQWAGN.exe <-- bestand
C:\WINDOWS\ighirj.exe <-- bestand
C:\WINDOWS\jbixac.exe <-- bestand
C:\WINDOWS\mxTarget.dll <-- bestand
C:\WINDOWS\System32\com.exe <-- bestand
C:\WINDOWS\System32\klduna.exe <-- bestand

Herstart de PC weer normaal op.

Scan daarna online je PC hier op virussen en trojans.

Scan daarna nogmaals met Hijack This om te controleren of alle troep weg is.

Succes,
Olav

daltoni · 15 jun 2004

bedankt

Pieter , langs deze weg wil ik je bedanken voor de oplossing.
Groetjes Daltoni

Olav · 15 jun 2004

Re: Logfile

Geplaatst door spuitgast
Probleem met opstart pagina internet explorer telkens de pagina Nowonline/Portal. Kan hem verwijderen in HijackThis maar dan krijg ik de melding bij het opstarten van internet explorer dat hij die site niet kan vinden, dus zit er ergens nog een verborgen opstartbestand.
Kan iemand mij daar antwoord op geven en staan er misschien ook nog meer vreemde dingen in mijn logfile die verwijderd kunnen worden?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about :blank

R3 - Default URLSearchHook is missing
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - (no file)

O4 - HKLM\..\Run: [48844546.exe] C:\WINNT\System32\48844546.exe

O4 - HKLM\..\Run: [sjkkzubr] C:\WINNT\wjjzfs.exe

O4 - HKLM\..\Run: [qsowszbv] C:\WINNT\dhhsbp.exe
O4 - HKLM\..\Run: [ouyptazo] C:\WINNT\hayvhf.exe
O4 - HKLM\..\Run: [oephfqpz] C:\WINNT\wmyzrj.exe
O4 - HKLM\..\Run: [nidweean] C:\WINNT\mzhcgv.exe
O4 - HKLM\..\Run: [bfyqaqfu] C:\WINNT\lyuawk.exe

O4 - HKLM\..\Run: [CLSID] C:\WINNT\system32\com.exe

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/dlaccell.CAB

Hallo Spuitgast,
In Hijack This, vink alle bovenstaande items (zie quote) aan.
Sluit alle schermen, behalve Hijack This zelf.
Klik vervolgens op "Fix Checked"
Herstart de PC op in veilige modus
Zorg dat in de map opties van Windows Verkenner (Menu Extra --> Mapopties --> Tabblad "Weergave") "Verborgen mappen en bestanden weergeven" aan staat.

Verwijder via Windows verkenner de volgende zaken (mits nog aanwezig):

C:\Program Files\NowOnline\ <-- hele map
C:\WINNT\System32\48844546.exe <-- bestand
C:\WINNT\System32\48844546.exe <-- bestand
C:\WINNT\system32\com.exe <-- bestand
C:\WINNT\wjjzfs.exe <-- bestand
C:\WINNT\dhhsbp.exe <-- bestand
C:\WINNT\hayvhf.exe <-- bestand
C:\WINNT\wmyzrj.exe <-- bestand
C:\WINNT\mzhcgv.exe <-- bestand
C:\WINNT\lyuawk.exe <-- bestand

Herstart de PC weer normaal op en scan nogmaals met Hijack This om te controleren of alle troep weg is.

Succes,
Olav

adekens · 16 jun 2004

Logfile of HijackThis v1.97.7
Scan saved at 3:19:11, on 16-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trust\250S Series\lwbwheel.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\com.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bureaublad\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Microsoft DirectX] niks123.exe
O4 - HKLM\..\Run: [Microsoft Office] lserv.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] niks123.exe
O4 - HKLM\..\RunServices: [Microsoft Office] lserv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Office] lserv.exe
O4 - HKCU\..\Run: [Microsoft DirectX] niks123.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {91F52A42-C10D-49A7-B941-882C657C604F} (Installation Helper Object) - http://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38137.245625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9354E439-8C40-4F7B-BC10-255BA6C01CD5}: NameServer = 194.134.5.5 194.134.0.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{9354E439-8C40-4F7B-BC10-255BA6C01CD5}: NameServer = 194.134.5.5 194.134.0.97

Heb eerst gescand met spybot search and destroy

ik weet zeker dat ik niet clean ben want mijn startpagina veranderd steeds en of ik moet inbellen dan veranderd mijn wachtwoord steeds weer in een foutieve wachtwoord nadat ik de computer opnieuw opstart

André Klaver · 16 jun 2004

Pieter, dank je wel.

:thumb:

Pieter Arntz · 16 jun 2004

Geplaatst door adekens

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html

O4 - HKLM\..\Run: [Microsoft DirectX] niks123.exe
O4 - HKLM\..\Run: [Microsoft Office] lserv.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe

O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] niks123.exe
O4 - HKLM\..\RunServices: [Microsoft Office] lserv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe

O4 - HKCU\..\Run: [Microsoft Office] lserv.exe
O4 - HKCU\..\Run: [Microsoft DirectX] niks123.exe

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

Hoi adekens,

Die dialer is niet je ergste probleem.
Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan opnieuw op in veilige modus en verwijder:
C:\WINDOWS\System32\com.exe
C:\Program Files\NowOnline <= de hele map

Surf dan naar www.housecall.nl en laat je computer scanen op virussen. Ik ben bang dat er iets doorgeglipt is dat je NAV heeft uitgeschakeld.

Groetjes,

Pieter

Pieter Arntz · 16 jun 2004

Geplaatst door evast
Pieter zoals gevraagd de scan van dat andere programma. Heb gedaan wat je gevraagd hebt, maar een paar zaken keren terug. Mijn startpagina van IE begint met blanc, maar daarna krijg je weer de ongevraagde troep.
In ieder geval reeds bedankt dat je mij wil helpen.

Hoi evast,

Dit is een nieuwe variant. We zijn er nog mee bezig om uit te vinden hoe het precies werkt.
Zou je een nieuw topic willen starten hier in spyware met je HijackThis log? Zet er dan wel even bij dat je dat op mijn verzoek doet, ander wordt hij meteen weer gesloten.

Groetjes,

Pieter

johandezeeuw · 16 jun 2004

hijak this

Logfile of HijackThis v1.97.7
Scan saved at 10:44:20, on 16-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Michel\Bureaublad\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://teammoser-ah.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://10.0.0.2/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Internet Anonym - {00000000-0002-0002-0000-000000000000} - c:\program files\steganos internet anonym pro 6\siaiep.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.standbyservice.nl
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38143.1806597222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Pieter Arntz · 16 jun 2004

Re: hijak this

Geplaatst door johandezeeuw
Logfile of HijackThis v1.97.7
Scan saved at 10:44:20, on 16-6-2004

:thumb: Gelukt. Goed werk. :thumb:

Groetjes,

Pieter

ikbenjamin · 16 jun 2004

Hallo,

Kunnen jullie mijn log misschien nog een keer nakijken? Alvast bedankt.

Grtz. Ikbenjamin

Logfile of HijackThis v1.97.7
Scan saved at 12:19:52, on 16-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Benjamin Veldhuizen\Bureaublad\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66D91434-E330-4152-BD08-F2B7E1A2EBDB}: NameServer = 195.121.1.34 195.121.1.66

jongerius · 16 jun 2004

Eey ik heb ff een vraagje..ik heb gisteren het programma PC Boost gedownload. Nu kreeg ik vanmorgen tijdens het opstarten een bericht dat het illegale software is etc. Ik heb het programma verwijderd maar het scherm blijft terugkomen elke keer als ik de computer opstart...

Hier mijn Log:

Logfile of HijackThis v1.97.7
Scan saved at 12:16:21, on 16-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Rick\Mijn documenten\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlinesoccermanager.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.standbyservice.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {28B060EC-AE33-3099-155C-D20073195874} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\nl\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Piracy] "C:\DOCUME~1\Rick\LOCALS~1\Temp\SysUtil.exe" /PIRACY
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.standbyservice.nl
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/arcadegames/meteormadness/eacom/wtinst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B9F14F9-9DE6-46F6-B455-1B33479B82A2}: NameServer = 195.121.1.34 195.121.1.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B9F14F9-9DE6-46F6-B455-1B33479B82A2}: NameServer = 195.121.1.34 195.121.1.66

BVD

Pieter Arntz · 16 jun 2004

Geplaatst door ikbenjamin

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Hoi ikbenjamin,

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download dan: http://tools.zerosrealm.com/dllfix.exe

Dubbelklik erop en installeer ergens op C:\

Run start.bat en kies option 1. In dezelfde map wordt dan 'output.txt' gemaakt.

Post de inhoud daarvan.

Groetjes,

Pieter

Pieter Arntz · 16 jun 2004

Geplaatst door jongerius

R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)

O2 - BHO: (no name) - {28B060EC-AE33-3099-155C-D20073195874} - (no file)

O4 - HKCU\..\Run: [Piracy] "C:\DOCUME~1\Rick\LOCALS~1\Temp\SysUtil.exe" /PIRACY

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB

Hoi jongerius,

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Start dan opnieuw op.

Als je de illegale versie inderdaad verwijderd hebt zou hij nu weg moeten blijven.

Groetjes,

Pieter

jongerius · 16 jun 2004

Thnx pieter, tis gelukt :thumb: Grtz

ikbenjamin · 16 jun 2004

Geplaatst door Pieter Arntz

Hoi ikbenjamin,

Vink de bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix checked.

Download dan: http://tools.zerosrealm.com/dllfix.exe

Dubbelklik erop en installeer ergens op C:\

Run start.bat en kies option 1. In dezelfde map wordt dan 'output.txt' gemaakt.

Post de inhoud daarvan.

Groetjes,

Pieter

Hierbij de output:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

wo 16-06-2004
14:39

System Info:

Microsoft Windows XP [versie 5.1.2600]
C: "" (88CB:0433) - FS:NTFS clusters:4k
Total: 137 426 010 112 [128G] - Free: 125 793 943 552 [117G]

*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
If not file is listed than Dllfix may not Help.
in this case please post the contents of Windows.txt to the appinit
entry can be checked. You will find it in the dllfix folder after findall completes.
\\?\C:\WINDOWS\System32\MSDFC.DLL +++ File read error
\\?\C:\WINDOWS\System32\MSDFC.DLL +++ File read error

Scanning for main Hijacker:

Dllfix must have the Hijackerfiles in system32 to fix properly.
If there are no protocal keys text/html and text/plain
then dllfix may not work. This fix targets this type Hijack Entry.
that keeps reoccuring with different filenames.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{673B5183-A098-4227-A620-4F055503E6C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{0A5E6D6B-4D60-4336-B00B-AAA46C034C4A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{0A5E6D6B-4D60-4336-B00B-AAA46C034C4A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:

If error than registry may need to be restored from option 4.

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read INGEBOUWD\Gebruikers
(IO) ALLOW Read INGEBOUWD\Gebruikers
(NI) ALLOW Read INGEBOUWD\Hoofdgebruikers
(IO) ALLOW Read INGEBOUWD\Hoofdgebruikers
(NI) ALLOW Full access INGEBOUWD\Administrators
(IO) ALLOW Full access INGEBOUWD\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access INGEBOUWD\Administrators
(IO) ALLOW Full access MAKER EIGENAAR

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read INGEBOUWD\Gebruikers
Read INGEBOUWD\Hoofdgebruikers
Full access INGEBOUWD\Administrators
Full access NT AUTHORITY\SYSTEM

karine · 16 jun 2004

Hallo,

Willen jullie eens kijken of hier wat in staat ?

Logfile of HijackThis v1.97.7
Scan saved at 14:41:54, on 16/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\FSI\F-PROT\F-STOPW.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
D:\MY DOCUMENTS\HIJACKTHIS.EXE

F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\FSI\F-Prot\F-STOPW.EXE"
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Lotus Organizer 2.1.LNK = C:\lotorga\organize\organize.exe
O4 - User Startup: Lotus Organizer 2.1.LNK = C:\lotorga\organize\organize.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38131.9612962963

Telkens ik scan met ad-awere vindt hij deze regels.
Ook als ik deze verwijder staan ze er volgende keer weer.Zijn ze misschien van Windows 98 zelf ?

Vendor

ossible Browser Hijack attempt
Categoryata Miner
Object Type:RegData
Size:-
Location:Software\Microsoft\Internet Explorer\Main "Start Page" ("about :blank")
Last Activity:16-06-04
Risk LevelMedium
Comment

ossible browser hijack attempt
Description

ossible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

Vendor

ossible Browser Hijack attempt
Categoryata Miner
Object Type:RegData
Size:-
Location:.Default\Software\Microsoft\Internet Explorer\Main "Start Page" ("about :blank")
Last Activity:16-06-04
Risk LevelMedium
Comment

ossible browser hijack attempt
Description

ossible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

__________________
K.G

Pieter Arntz · 16 jun 2004

Geplaatst door ikbenjamin

\\?\C:\WINDOWS\System32\MSDFC.DLL +++ File read error
\\?\C:\WINDOWS\System32\MSDFC.DLL +++ File read error

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{0A5E6D6B-4D60-4336-B00B-AAA46C034C4A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{0A5E6D6B-4D60-4336-B00B-AAA46C034C4A}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:

If error than registry may need to be restored from option 4.

Draai runme.bat nog een keer en kies optie 2 en kies 1
Geef als naam op C:\WINDOWS\System32\MSDFC.DLL

Scan daarna nog een keer met een volledig geupdate AdAware.

Groetjes,

Pieter

Pieter Arntz · 16 jun 2004

Geplaatst door karine
Hallo,

Willen jullie eens kijken of hier wat in staat ?

Telkens ik scan met ad-awere vindt hij deze regels.
Ook als ik deze verwijder staan ze er volgende keer weer.Zijn ze misschien van Windows 98 zelf ?

Vendorossible Browser Hijack attempt
Categoryata Miner
Object Type:RegData
Size:-
Location:Software\Microsoft\Internet Explorer\Main "Start Page" ("about :blank")
Last Activity:16-06-04
Risk LevelMedium
Commentossible browser hijack attempt
Descriptionossible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

Vendorossible Browser Hijack attempt
Categoryata Miner
Object Type:RegData
Size:-
Location:.Default\Software\Microsoft\Internet Explorer\Main "Start Page" ("about :blank")
Last Activity:16-06-04
Risk LevelMedium
Commentossible browser hijack attempt
Descriptionossible attempt to control\redirect the browser. This object referrs to a "blacklisted" site.

Als jij het zelf zo ingesteld hebt dat je IE opstart met about: blank en about: blank is gewoon netjes leeg dan is er niets om je zorgen over te maken.
Je log is hartstikke netjes. :thumb:

Groetjes,

Pieter

WXena · 16 jun 2004

Geplaatst door H@NsiePanzzzer
Logfile of HijackThis v1.97.7
Scan saved at 15:00:06, on 15-6-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Je hebt zo te zien je Internet Explorer wél geupdate..

--------------------------------------------------------------------------------

Hoe kom je daar nou bij?

WXena,

Ga eens naar :
http://www.microsoft.com/downloads/...&DisplayLang=en

Kies de juiste taal aan de rechterkant voor je begint.

Groetjes,

Pieter

Ik ben net (voor de 3de keer trouwens al) op die pagina geweest, waarbij het volgende in beeld komt:

Set-up has already detected a newer versie of Internet Explorer already installed on this system. Setup cannot continue.

wajang · 16 jun 2004

Hallo Olav,

De log van mijn schoonzoon staat ergens in de 40 pagina's.
Heb bijna alles verwijderd wat je gezegd hebt, systeem loopt weer als een trein.
Alleen de 04 - Startup: Winbar.Ink = C:\Program files\Winbar\WinBar.exe hebben we laten staan.
Deze bar vinden we makkelijk.

Bedankt maar weer.

Helpmij tegen spyware offensief (deel 5)

Terugkerende gebruiker

Gebruiker

Terugkerende gebruiker

Gebruiker

Terugkerende gebruiker

Spywareslayer

Spywareslayer

Gebruiker

Spywareslayer

Gebruiker

Gebruiker

Spywareslayer

Spywareslayer

Gebruiker

Gebruiker

Terugkerende gebruiker

Spywareslayer

Spywareslayer

Nieuwe gebruiker

Terugkerende gebruiker

Wij waarderen jouw privacy