Helpmij anti-spyware offensive (part 5)

Hi Peter
My Notepad has probably disappeared, I can't find it (it was still there until about an hour ago). I have a .tex that I had already opened, and I requested a new page there. Below I am putting the contents of windows.txt

 
Dear Pieter

So should I just delete these files:

C:\WINDOWS\system32\osyhz.dll
C:\WINDOWS\system32\wingl.dat
C:\Program Files\Common Files\Java\breg.exe
C:\Program Files\Common Files\slmss <= the whole folder

Regards,

Arjan
 
Re: Dear Pieter

Posted by arjan480
So should I just delete these files:

C:\WINDOWS\system32\osyhz.dll
C:\WINDOWS\system32\wingl.dat
C:\Program Files\Common Files\Java\breg.exe
C:\Program Files\Common Files\slmss <= the whole folder

Regards,

Arjan

Just follow Pieter's advice:

Skip that for now. I'll see it later in the new log.

Regards,

Pieter
 
Re: Re: hijacklog

Posted by Pieter Arntz


Hi Youri,

Check the items above in HijackThis, close all windows except HijackThis and click Fix checked.

Then restart in safe mode and delete:
C:\WINDOWS\System32\wnsinttr.exe

Regards,

Pieter


Hi Pieter,

Thanks a lot!
I managed to do everything after all; I just hope I won't see that annoying message anymore!

Sorry that I couldn't find it at first. But well, I just don't do this kind of thing very often.

Youri
 
I have edited my post. I think it was a silly question.
Thanks so much for your help, Peter.

:thumb:
 
Dear Pieter

So I skipped the part about deleting the files.
Here is my Ad-aware 6 log

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :donderdag 24 juni 2004 13:57:30
Created with Ad-aware Personal, free for private use.
Using reference-file :01R217 08.09.2003
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


24-6-2004 13:57:30 - Scan started. (Custom mode)


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : adrie@a.as-eu.falkag[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:53
Last accessed : 24-6-2004 11:57:45
Last modified : 23-6-2004 14:01:30



Tracking Cookie Object recognized!
Type : File
Data : adrie@as-us.falkag[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:33:49
Last accessed : 24-6-2004 11:57:45
Last modified : 23-6-2004 22:33:49



Tracking Cookie Object recognized!
Type : File
Data : adrie@atdmt[2].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:53
Last accessed : 24-6-2004 11:57:45
Last modified : 23-6-2004 15:10:44



Tracking Cookie Object recognized!
Type : File
Data : adrie@bfast[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:53
Last accessed : 24-6-2004 11:57:45
Last modified : 23-6-2004 11:25:54



Tracking Cookie Object recognized!
Type : File
Data : adrie@bilbo.counted[2].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:53
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 11:35:38



Other Object recognized!
Type : File
Data : adrie@cgi-bin[2].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:53
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 14:01:02



Tracking Cookie Object recognized!
Type : File
Data : adrie@doubleclick[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:53
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 15:49:52



Tracking Cookie Object recognized!
Type : File
Data : adrie@ehg-deltatre.hitbox[2].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:53
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 15:51:20



Tracking Cookie Object recognized!
Type : File
Data : adrie@fastclick[2].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:53
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 15:53:50



Tracking Cookie Object recognized!
Type : File
Data : adrie@hitbox[2].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:53
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 15:51:20



Tracking Cookie Object recognized!
Type : File
Data : adrie@lop[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 21:54:38
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 21:54:38



Tracking Cookie Object recognized!
Type : File
Data : adrie@mediaplex[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:54
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 11:42:02



Tracking Cookie Object recognized!
Type : File
Data : adrie@stat.onestat[2].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:17:29
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 22:46:20



Tracking Cookie Object recognized!
Type : File
Data : adrie@targetnet[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:54
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 11:36:36



Tracking Cookie Object recognized!
Type : File
Data : adrie@tradedoubler[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:40:54
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 11:42:02



Tracking Cookie Object recognized!
Type : File
Data : adrie@tribalfusion[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:33:37
Last accessed : 24-6-2004 11:57:46
Last modified : 23-6-2004 22:33:37



Tracking Cookie Object recognized!
Type : File
Data : adrie@webads[1].txt
Object : C:\Documents and Settings\Adrie\Cookies\

Created on : 23-6-2004 22:47:53
Last accessed : 24-6-2004 11:07:15
Last modified : 23-6-2004 22:47:53



Ebates MoneyMaker Object recognized!
Type : File
Data : websavingsfromebates1.exe
Object : C:\Program Files\WebSavingsfromEbates\
FileSize : 24 KB
Created on : 23-6-2004 21:52:18
Last accessed : 24-6-2004 12:01:08
Last modified : 23-6-2004 15:36:12



WebHancer Object recognized!
Type : File
Data : whagent.inf
Object : C:\Program Files\whInstall\
FileSize : 4 KB
Created on : 23-6-2004 22:40:54
Last accessed : 24-6-2004 12:01:09
Last modified : 13-5-2004 8:03:10



WebHancer Object recognized!
Type : File
Data : whagent.ini
Object : C:\Program Files\whInstall\

Created on : 23-6-2004 22:40:54
Last accessed : 24-6-2004 12:01:09
Last modified : 19-7-2001 19:33:26



WebHancer Object recognized!
Type : File
Data : whinstaller.exe
Object : C:\Program Files\whInstall\
FileSize : 32 KB
FileVersion : 3.3.0
ProductVersion : 3.3.0
Copyright : Copyright
CompanyName : webHancer Corporation
FileDescription : webHancer Installer
InternalName : whInstaller
OriginalFilename : whInstaller.exe
ProductName : webHancer Customer Companion
Created on : 23-6-2004 22:40:54
Last accessed : 24-6-2004 12:01:09
Last modified : 29-1-2004 8:30:26



WebHancer Object recognized!
Type : File
Data : whinstaller.ini
Object : C:\Program Files\whInstall\

Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:01:09
Last modified : 13-11-2003 13:29:00



My-Way Speedbar Object recognized!
Type : File
Data : a0301404.dll
Object : C:\System Volume Information\_restore{683D25C9-AEB7-4296-98CB-96296C0B7790}\RP220\
FileSize : 32 KB
FileVersion : 1, 0, 1, 1
ProductVersion : 1, 0, 1, 1
Copyright : Copyright
CompanyName : My Way
FileDescription : My Way Plugin for 32-bit Windows
InternalName : MyWayPlugin
OriginalFilename : NPMyWay.DLL
ProductName : My Way Plugin
Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:04:00
Last modified : 1-3-2004 21:26:30



PeopleOnPage Object recognized!
Type : File
Data : a0301407.dll
Object : C:\System Volume Information\_restore{683D25C9-AEB7-4296-98CB-96296C0B7790}\RP220\
FileSize : 140 KB
Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:04:00
Last modified : 1-1-2004 20:43:02



SecondThought Object recognized!
Type : File
Data : a0301408.exe
Object : C:\System Volume Information\_restore{683D25C9-AEB7-4296-98CB-96296C0B7790}\RP220\
FileSize : 87 KB
FileVersion : 8.0.7.1
ProductVersion : 8.0.7.1
Copyright : Copyright (C) 2003
FileDescription : Second Thought
InternalName : STC
OriginalFilename : STC.exe
ProductName : STC Application
Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:04:01
Last modified : 17-1-2004 14:55:24



PeopleOnPage Object recognized!
Type : File
Data : a0301409.dll
Object : C:\System Volume Information\_restore{683D25C9-AEB7-4296-98CB-96296C0B7790}\RP220\
FileSize : 140 KB
Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:04:01
Last modified : 5-3-2004 21:35:30



Lop.com Object recognized!
Type : File
Data : a0301410.dll
Object : C:\System Volume Information\_restore{683D25C9-AEB7-4296-98CB-96296C0B7790}\RP220\
FileSize : 32 KB
Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:04:01
Last modified : 18-3-2004 21:10:18



NCase Object recognized!
Type : File
Data : a0301411.dll
Object : C:\System Volume Information\_restore{683D25C9-AEB7-4296-98CB-96296C0B7790}\RP220\
FileSize : 40 KB
Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:04:01
Last modified : 26-3-2004 10:42:14



New.Net Object recognized!
Type : File
Data : a0301594.dll
Object : C:\System Volume Information\_restore{683D25C9-AEB7-4296-98CB-96296C0B7790}\RP221\
FileSize : 164 KB
FileVersion : 3, 0, 0, 88
ProductVersion : 3, 0, 0, 88
Copyright : Copyright 2000-2002 New.net, Inc.
CompanyName : New.net, Inc.
FileDescription : New.net Domains
InternalName : tldctl2
OriginalFilename : tldctl2.dll
ProductName : New.net Domains
Created on : 23-6-2004 13:50:35
Last accessed : 24-6-2004 12:04:04
Last modified : 23-6-2004 13:50:34



WebHancer Object recognized!
Type : File
Data : whagent.inf
Object : C:\WINDOWS\
FileSize : 4 KB
Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:08:55
Last modified : 13-5-2004 8:03:10



WebHancer Object recognized!
Type : File
Data : whinstaller.exe
Object : C:\WINDOWS\
FileSize : 32 KB
FileVersion : 3.3.0
ProductVersion : 3.3.0
Copyright : Copyright
CompanyName : webHancer Corporation
FileDescription : webHancer Installer
InternalName : whInstaller
OriginalFilename : whInstaller.exe
ProductName : webHancer Customer Companion
Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:08:55
Last modified : 29-1-2004 8:30:26



WebHancer Object recognized!
Type : File
Data : whinstaller.ini
Object : C:\WINDOWS\

Created on : 23-6-2004 22:40:55
Last accessed : 24-6-2004 12:08:55
Last modified : 23-6-2004 13:51:08



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 32

14:08:57 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:11:27:31
Objects scanned :164337
Objects identified :32
Objects ignored :0
New objects :32
 
Posted by Sami_nl
Hi Peter
My Notepad has probably disappeared, I can't find it (it was still there until about an hour ago). I have a .tex that I had already opened, and I requested a new page there. Below I am putting the contents of windows.txt

In C:\WINDOWS\System32, copy notepad to C:\WINDOWS\System32
If you are asked whether you want to replace the existing one, confirm.

Check whether the file C:\WINDOWS\System32\edid.dll is gone; if not, delete it and you are done.

Regards,

Pieter
 
Re: Dear Pieter

Posted by arjan480
So I skipped the part about deleting the files.
Here is my Ad-aware 6 log

You can let AdAware remove all of those.

Then turn System Restore off, restart, and turn System Restore back on.

Then make a new HijackThis log and post it.

Regards,

Pieter
 
Posted by Pieter Arntz


In C:\WINDOWS\System32, copy notepad to C:\WINDOWS\System32

I think you mean from C:\WINDOWS to C:\WINDOWS\System32?
I simply made a shortcut to notepad.exe via C:\Windows and dragged it to the Start menu.
Thanks again for your help.
Regards
 
Posted by Sami_nl


I think you mean from C:\WINDOWS to C:\WINDOWS\System32?
I simply made a shortcut to notepad.exe via C:\Windows and dragged it to the Start menu.
Thanks again for your help.
Regards

LOL. I actually meant from C:\WINDOWS\System32\DLLCache, but that works too. :thumb:

Regards,

Pieter
 
Dear Pieter

I have removed everything with AdAware.
Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 15:30:01, on 24-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\ntsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\WINDOWS\System32\acledit.exe
C:\WINDOWS\System32\taskinf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\LITEHE~1\citywavedent.exe
C:\Program Files\BTV\btv.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\crer32.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\javaw.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Netropa\InetKb\ikbupd.exe
C:\COMPUTER CLEANING\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\burvb.dll/sp.html#44272
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://burvb.dll/index.html#44272
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://burvb.dll/index.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\burvb.dll/sp.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://burvb.dll/index.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\burvb.dll/sp.html#44272
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CE2A9DCD-CC21-E736-906F-ADD61A166985} - C:\WINDOWS\system32\mfciz32.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\FSC\Wireless Wheel Mouse\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe -invisible
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [WinDSNX] C:\WINDOWS\System32\acledit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [task] C:\WINDOWS\System32\taskinf.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WipeStart] C:\PROGRA~1\LITEHE~1\citywavedent.exe
O4 - HKLM\..\Run: [BTV] C:\Program Files\BTV\btv.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [crer32.exe] C:\WINDOWS\system32\crer32.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [addar32.exe] C:\WINDOWS\addar32.exe
O4 - HKLM\..\RunOnce: [winuw.exe] C:\WINDOWS\winuw.exe
O4 - HKLM\..\RunOnce: [d3ry32.exe] C:\WINDOWS\d3ry32.exe
O4 - HKLM\..\RunOnce: [winjp.exe] C:\WINDOWS\system32\winjp.exe
O4 - HKLM\..\RunOnce: [appjn32.exe] C:\WINDOWS\appjn32.exe
O4 - HKLM\..\RunOnce: [appjc.exe] C:\WINDOWS\system32\appjc.exe
O4 - HKLM\..\RunOnce: [ntqf32.exe] C:\WINDOWS\system32\ntqf32.exe
O4 - HKLM\..\RunOnce: [appdu32.exe] C:\WINDOWS\system32\appdu32.exe
O4 - HKLM\..\RunOnce: [winhe.exe] C:\WINDOWS\winhe.exe
O4 - HKLM\..\RunOnce: [atlta32.exe] C:\WINDOWS\atlta32.exe
O4 - HKLM\..\RunOnce: [sdkep.exe] C:\WINDOWS\system32\sdkep.exe
O4 - HKLM\..\RunOnce: [netfo32.exe] C:\WINDOWS\netfo32.exe
O4 - HKLM\..\RunOnce: [crtb.exe] C:\WINDOWS\system32\crtb.exe
O4 - HKLM\..\RunOnce: [nthl32.exe] C:\WINDOWS\system32\nthl32.exe
O4 - HKLM\..\RunOnce: [ippf.exe] C:\WINDOWS\system32\ippf.exe
O4 - HKLM\..\RunOnce: [addqq32.exe] C:\WINDOWS\addqq32.exe
O4 - HKLM\..\RunOnce: [mfceo32.exe] C:\WINDOWS\system32\mfceo32.exe
O4 - HKLM\..\RunOnce: [ntjq.exe] C:\WINDOWS\system32\ntjq.exe
O4 - HKLM\..\RunOnce: [atlhv.exe] C:\WINDOWS\atlhv.exe
O4 - HKLM\..\RunOnce: [iecw32.exe] C:\WINDOWS\iecw32.exe
O4 - HKLM\..\RunOnce: [msyd.exe] C:\WINDOWS\system32\msyd.exe
O4 - HKLM\..\RunOnce: [sdknn32.exe] C:\WINDOWS\system32\sdknn32.exe
O4 - HKLM\..\RunOnce: [appsw32.exe] C:\WINDOWS\system32\appsw32.exe
O4 - HKLM\..\RunOnce: [atlqh32.exe] C:\WINDOWS\system32\atlqh32.exe
O4 - HKLM\..\RunOnce: [atlpk32.exe] C:\WINDOWS\system32\atlpk32.exe
O4 - HKLM\..\RunOnce: [ntul32.exe] C:\WINDOWS\system32\ntul32.exe
O4 - HKLM\..\RunOnce: [sdkdv32.exe] C:\WINDOWS\system32\sdkdv32.exe
O4 - HKLM\..\RunOnce: [netsk32.exe] C:\WINDOWS\system32\netsk32.exe
O4 - HKLM\..\RunOnce: [appot.exe] C:\WINDOWS\system32\appot.exe
O4 - HKLM\..\RunOnce: [sdkha.exe] C:\WINDOWS\system32\sdkha.exe
O4 - HKLM\..\RunOnce: [d3tx32.exe] C:\WINDOWS\system32\d3tx32.exe
O4 - HKLM\..\RunOnce: [apihu32.exe] C:\WINDOWS\apihu32.exe
O4 - HKLM\..\RunOnce: [sdkzk32.exe] C:\WINDOWS\system32\sdkzk32.exe
O4 - HKLM\..\RunOnce: [d3jx32.exe] C:\WINDOWS\system32\d3jx32.exe
O4 - HKLM\..\RunOnce: [atlcf.exe] C:\WINDOWS\system32\atlcf.exe
O4 - HKLM\..\RunOnce: [appnh32.exe] C:\WINDOWS\appnh32.exe
O4 - HKLM\..\RunOnce: [ntjx32.exe] C:\WINDOWS\system32\ntjx32.exe
O4 - HKLM\..\RunOnce: [addjc.exe] C:\WINDOWS\system32\addjc.exe
O4 - HKLM\..\RunOnce: [mswv.exe] C:\WINDOWS\system32\mswv.exe
O4 - HKLM\..\RunOnce: [iezi32.exe] C:\WINDOWS\system32\iezi32.exe
O4 - HKLM\..\RunOnce: [mfczw32.exe] C:\WINDOWS\mfczw32.exe
O4 - HKLM\..\RunOnce: [apihh.exe] C:\WINDOWS\system32\apihh.exe
O4 - HKLM\..\RunOnce: [netau.exe] C:\WINDOWS\netau.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install013.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.2009259259
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BB0578ED-E672-4697-9663-EC5A0460B949} (SomaticCAB.Setup) - http://downloads.searchcentrix.com/install/weblz.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{680223C7-293D-4567-98A3-D3181A965FE7}: NameServer = 195.121.1.34 195.121.1.66

Regards,

Arjan
 
Can someone take a quick look at this? Thanks in advance!!!


Logfile of HijackThis v1.97.7
Scan saved at 15:31:00, on 24-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Nieuwe map\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.0.9.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.2612152778
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://217.73.66.1/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
 
Hello Pieter,

I did what you advised, and this is what I found in Notepad:

regf       Pugf hbin  ¨ÿÿÿnk, ’ZÒÕWÄ ÿÿÿÿ ÿÿÿÿÿÿÿÿ ¸ x ÿÿÿÿ 0 < t©L[ Windowsµÿÿÿsk x x  Ô  „¸ È   ¤       !  €  !  ?          ?               Ðÿÿÿvk  ˜   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  f¡O† h Ðÿÿÿvk  €'   zGDIProcessHandleQuota"þðÿÿÿ9 0  |. àÿÿÿvk     °ºSpooler2ðÿÿÿy e s è! àÿÿÿvk  €    swapdisk h ° ð  X Ðÿÿÿvk  à   ÏTransmissionRetryTimeoutÐÿÿÿvk  €'   ÂaUSERProcessHandleQuotaVmàÿÿÿh ° ð  X ˆ Ø Øÿÿÿvk <    AppInit_DLLs ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ m s o a d . d l l À
 
Hey Peter ;),

Could you take a quick look at my log and see whether there is still some junk in it?

Logfile of HijackThis v1.97.7
Scan saved at 15:26:09, on 24/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MIJN DOCUMENTEN\MIJN ONTVANGEN BESTANDEN\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.efinder.cc/search/ (obfuscated)
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL (file missing)
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {461206E2-B099-11D8-8F18-000C1A682AC9} - C:\WINDOWS\SYSTEM\ILL.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - C:\WINDOWS\SR.DLL
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\SYSTEM\MSHELPER.DLL
O2 - BHO: (no name) - {62160EEF-9D84-4C19-B7B8-6AC2526CD726} - C:\WINDOWS\SYSTEM\IFACUQO.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Debug ] C:\WINDOWS\SMSS.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O13 - DefaultPrefix: http://nkvd.us/
O13 - WWW Prefix: http://nkvd.us/
O13 - WWW. Prefix: http://ehttp.cc/?
O13 - Home Prefix: http://nkvd.us/
O13 - Mosaic Prefix: http://nkvd.us/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//tv/main.chm::/load.exe
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.98.176.62/EPlugin_NL.cab
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:\explorer.mht!http://www.cameup.com/download2/bar.chm::/ToolBand.exe

Thanks in advance :thumb:
 
Re: Dear Pieter

Posted by arjan480

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\burvb.dll/sp.html#44272
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://burvb.dll/index.html#44272
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://burvb.dll/index.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\burvb.dll/sp.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://burvb.dll/index.html#44272
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\burvb.dll/sp.html#44272

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?keyphrase=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html

O2 - BHO: (no name) - {CE2A9DCD-CC21-E736-906F-ADD61A166985} - C:\WINDOWS\system32\mfciz32.dll

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe -invisible
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [WinDSNX] C:\WINDOWS\System32\acledit.exe

O4 - HKLM\..\Run: [WipeStart] C:\PROGRA~1\LITEHE~1\citywavedent.exe
O4 - HKLM\..\Run: [BTV] C:\Program Files\BTV\btv.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"

O4 - HKLM\..\Run: [crer32.exe] C:\WINDOWS\system32\crer32.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

O4 - HKLM\..\RunOnce: [addar32.exe] C:\WINDOWS\addar32.exe
O4 - HKLM\..\RunOnce: [winuw.exe] C:\WINDOWS\winuw.exe
O4 - HKLM\..\RunOnce: [d3ry32.exe] C:\WINDOWS\d3ry32.exe
O4 - HKLM\..\RunOnce: [winjp.exe] C:\WINDOWS\system32\winjp.exe
O4 - HKLM\..\RunOnce: [appjn32.exe] C:\WINDOWS\appjn32.exe
O4 - HKLM\..\RunOnce: [appjc.exe] C:\WINDOWS\system32\appjc.exe
O4 - HKLM\..\RunOnce: [ntqf32.exe] C:\WINDOWS\system32\ntqf32.exe
O4 - HKLM\..\RunOnce: [appdu32.exe] C:\WINDOWS\system32\appdu32.exe
O4 - HKLM\..\RunOnce: [winhe.exe] C:\WINDOWS\winhe.exe
O4 - HKLM\..\RunOnce: [atlta32.exe] C:\WINDOWS\atlta32.exe
O4 - HKLM\..\RunOnce: [sdkep.exe] C:\WINDOWS\system32\sdkep.exe
O4 - HKLM\..\RunOnce: [netfo32.exe] C:\WINDOWS\netfo32.exe
O4 - HKLM\..\RunOnce: [crtb.exe] C:\WINDOWS\system32\crtb.exe
O4 - HKLM\..\RunOnce: [nthl32.exe] C:\WINDOWS\system32\nthl32.exe
O4 - HKLM\..\RunOnce: [ippf.exe] C:\WINDOWS\system32\ippf.exe
O4 - HKLM\..\RunOnce: [addqq32.exe] C:\WINDOWS\addqq32.exe
O4 - HKLM\..\RunOnce: [mfceo32.exe] C:\WINDOWS\system32\mfceo32.exe
O4 - HKLM\..\RunOnce: [ntjq.exe] C:\WINDOWS\system32\ntjq.exe
O4 - HKLM\..\RunOnce: [atlhv.exe] C:\WINDOWS\atlhv.exe
O4 - HKLM\..\RunOnce: [iecw32.exe] C:\WINDOWS\iecw32.exe
O4 - HKLM\..\RunOnce: [msyd.exe] C:\WINDOWS\system32\msyd.exe
O4 - HKLM\..\RunOnce: [sdknn32.exe] C:\WINDOWS\system32\sdknn32.exe
O4 - HKLM\..\RunOnce: [appsw32.exe] C:\WINDOWS\system32\appsw32.exe
O4 - HKLM\..\RunOnce: [atlqh32.exe] C:\WINDOWS\system32\atlqh32.exe
O4 - HKLM\..\RunOnce: [atlpk32.exe] C:\WINDOWS\system32\atlpk32.exe
O4 - HKLM\..\RunOnce: [ntul32.exe] C:\WINDOWS\system32\ntul32.exe
O4 - HKLM\..\RunOnce: [sdkdv32.exe] C:\WINDOWS\system32\sdkdv32.exe
O4 - HKLM\..\RunOnce: [netsk32.exe] C:\WINDOWS\system32\netsk32.exe
O4 - HKLM\..\RunOnce: [appot.exe] C:\WINDOWS\system32\appot.exe
O4 - HKLM\..\RunOnce: [sdkha.exe] C:\WINDOWS\system32\sdkha.exe
O4 - HKLM\..\RunOnce: [d3tx32.exe] C:\WINDOWS\system32\d3tx32.exe
O4 - HKLM\..\RunOnce: [apihu32.exe] C:\WINDOWS\apihu32.exe
O4 - HKLM\..\RunOnce: [sdkzk32.exe] C:\WINDOWS\system32\sdkzk32.exe
O4 - HKLM\..\RunOnce: [d3jx32.exe] C:\WINDOWS\system32\d3jx32.exe
O4 - HKLM\..\RunOnce: [atlcf.exe] C:\WINDOWS\system32\atlcf.exe
O4 - HKLM\..\RunOnce: [appnh32.exe] C:\WINDOWS\appnh32.exe
O4 - HKLM\..\RunOnce: [ntjx32.exe] C:\WINDOWS\system32\ntjx32.exe
O4 - HKLM\..\RunOnce: [addjc.exe] C:\WINDOWS\system32\addjc.exe
O4 - HKLM\..\RunOnce: [mswv.exe] C:\WINDOWS\system32\mswv.exe
O4 - HKLM\..\RunOnce: [iezi32.exe] C:\WINDOWS\system32\iezi32.exe
O4 - HKLM\..\RunOnce: [mfczw32.exe] C:\WINDOWS\mfczw32.exe
O4 - HKLM\..\RunOnce: [apihh.exe] C:\WINDOWS\system32\apihh.exe
O4 - HKLM\..\RunOnce: [netau.exe] C:\WINDOWS\netau.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install013.exe

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

O16 - DPF: {BB0578ED-E672-4697-9663-EC5A0460B949} (SomaticCAB.Setup) - http://downloads.searchcentrix.com/install/weblz.CAB

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

Hi Arjan,

First unzip hijackthis.exe to a separate folder. The program makes its backups in the folder where the .exe is located. In a Temp folder they disappear rather easily.

Check the entries listed above in HijackThis, close all windows except HijackThis, and click Fix checked.

Then restart in safe mode and delete the following folders:
C:\Program Files\Web_Rebates
C:\Program Files\WebSavingsfromEbates
C:\Program Files\BTV
C:\Program Files\Common Files\slmss
C:\Program Files\NowOnline

Then start up normally again. Make a new HijackThis log and post it.

Regards,

Pieter
 
Posted by roelie2003

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://217.73.66.1/del/loader.cab

Hi roelie2003,

Check the entries listed above in HijackThis, close all windows except HijackThis, and click Fix checked.

Then restart in safe mode and delete:
C:\Program Files\Internet Optimizer <= the whole folder
C:\WINDOWS\System32\automove.exe

Regards,

Pieter
 
Posted by bertvane
Hello Pieter,

I did what you advised, and this is what I found in Notepad:
AppInit_DLLs ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ m s o a d . d l l À

Hi bertvane,

- Open a command prompt.
- Open Task Manager and end all explorer.exe processes.
- In the command prompt, type the following commands (press the ENTER key after each line):
cd ..
cd ..
REM if all is well, the prompt is now at C:>
cd windows
cd system32
del msoad.dll
cd ..
REM if all is well, the prompt is now at C:\Windows
explorer.exe

Your desktop background and taskbar will now reappear.
Now scan your computer with an updated AdAware.
Should you get lost along the way: you can also start Explorer again via Ctrl-Alt-Del > Task Manager > Applications tab > New task > C:\WINDOWS\EXPLORER.EXE

Regards,

Pieter
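
Added example, not part of the original thread: the Notepad paste in the posts above is a raw registry hive export (note the regf and hbin signatures), and the AppInit_DLLs string in it is UTF-16, which is why its letters appear spaced out. The Python code below carves that value out of such a file instead of reading it by eye; the function names are hypothetical and the sample hive is constructed for the example.

```python
import re
import struct

HBIN_BASE = 0x1000        # cell offsets in a hive are relative to the first hbin
REG_SZ, REG_EXPAND_SZ = 1, 2
VK_NAME_ASCII = 0x0001    # flag: value name stored as 8-bit text, not UTF-16


def read_value_data(hive, size_field, offset_field):
    """Return the data bytes of a value (vk) record, or None if out of range."""
    length = size_field & 0x7FFFFFFF
    if size_field & 0x80000000:
        # Values of up to 4 bytes are stored inline in the offset field.
        return struct.pack("<I", offset_field)[:min(length, 4)]
    start = HBIN_BASE + offset_field + 4   # skip the data cell's own size field
    if start + length > len(hive):
        return None
    return hive[start:start + length]


def find_values(hive, wanted):
    """Carve allocated vk records named `wanted`; yield (offset, type, data)."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive: 'regf' signature missing")
    pos = hive.find(b"vk", HBIN_BASE)
    while pos != -1:
        if pos - 4 >= HBIN_BASE and pos + 20 <= len(hive):
            (cell_size,) = struct.unpack_from("<i", hive, pos - 4)
            name_len, size_field, offset_field, vtype, flags, _ = \
                struct.unpack_from("<HIIIHH", hive, pos + 2)
            raw = hive[pos + 20:pos + 20 + name_len]
            codec = "latin-1" if flags & VK_NAME_ASCII else "utf-16-le"
            name = raw.decode(codec, "replace")
            # A negative size marks a cell in use; it must be able to hold the name.
            if -cell_size >= 24 + name_len and name.lower() == wanted.lower():
                data = read_value_data(hive, size_field, offset_field)
                if data is not None:
                    yield pos, vtype, data
        pos = hive.find(b"vk", pos + 2)


def appinit_dlls(hive):
    """List the DLL paths configured in AppInit_DLLs (empty list: none set)."""
    dlls = []
    for _, vtype, data in find_values(hive, "AppInit_DLLs"):
        if vtype not in (REG_SZ, REG_EXPAND_SZ):
            continue
        text = data.decode("utf-16-le", "replace").split("\x00")[0]
        # The value is a list of DLLs separated by spaces or commas.
        dlls += [p for p in re.split(r"[ ,]+", text) if p]
    return dlls


def _cell(payload):
    """Wrap payload in an allocated cell: negative size, padded to 8 bytes."""
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")


def build_sample_hive(value_text):
    """Constructed sample: a minimal hive holding one AppInit_DLLs value."""
    data = (value_text + "\x00").encode("utf-16-le")
    name = b"AppInit_DLLs"
    data_off = 0x20                        # first cell after the 32-byte hbin header
    vk = struct.pack("<2sHIIIHH", b"vk", len(name), len(data),
                     data_off, REG_SZ, VK_NAME_ASCII, 0) + name
    hbin = b"hbin".ljust(0x20, b"\x00") + _cell(data) + _cell(vk)
    return b"regf".ljust(HBIN_BASE, b"\x00") + hbin.ljust(0x1000, b"\x00")


if __name__ == "__main__":
    sample = build_sample_hive(r"C:\WINDOWS\System32\msoad.dll")
    for path in appinit_dlls(sample):
        print("AppInit_DLLs entry:", path)
```

For a real export, read the file in binary mode and pass its bytes to appinit_dlls.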
 
Logfile of HijackThis v1.97.7
Scan saved at 16:44:04, on 24-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Trust\WIRELE~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\Trust\WIRELE~1\Mouse\Amoumain.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\mslagent\mslagent_.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\kurt\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=135223
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\djtai.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=135223
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://djtai.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\djtai.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://djtai.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\djtai.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxi.telenet.be:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.be/Default.asp?Ath=f
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll (file missing)
O2 - BHO: (no name) - {9CDF816C-8317-FED9-C148-B90DE22A7375} - C:\WINDOWS\system32\ipkw32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Trust\WIRELE~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\Trust\WIRELE~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [ipmf32.exe] C:\WINDOWS\ipmf32.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1015.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent_.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1015_EN_XP.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1013_EN_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
 
Posted by Spyware_hater
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\ILL.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.efinder.cc/search/ (obfuscated)
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL (file missing)
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {461206E2-B099-11D8-8F18-000C1A682AC9} - C:\WINDOWS\SYSTEM\ILL.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - C:\WINDOWS\SR.DLL
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\SYSTEM\MSHELPER.DLL
O2 - BHO: (no name) - {62160EEF-9D84-4C19-B7B8-6AC2526CD726} - C:\WINDOWS\SYSTEM\IFACUQO.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)

O4 - HKLM\..\Run: [Debug ] C:\WINDOWS\SMSS.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029

O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O13 - DefaultPrefix: http://nkvd.us/
O13 - WWW Prefix: http://nkvd.us/
O13 - WWW. Prefix: http://ehttp.cc/?
O13 - Home Prefix: http://nkvd.us/
O13 - Mosaic Prefix: http://nkvd.us/

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//tv/main.chm::/load.exe
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.98.176.62/EPlugin_NL.cab
O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://c:\explorer.mht!http://www.cameup.com/download2/bar.chm::/ToolBand.exe

Whether there's still junk in it, he asks :confused:
If I've missed something useful such as an antivirus or a firewall, do tell me.

Check the entries listed above in HijackThis, close all windows except HijackThis, and click Fix checked.

Download and run: CWShredder
Use the Fix button and follow the program's instructions.

Then restart in safe mode and delete:
C:\Program Files\INCREDIFIND <= the whole folder
C:\Program Files\MYWEBSEARCH <= the whole folder
C:\Program Files\Common files\updmgr <= the whole folder

Regards,

Pieter
 
Posted by bigfoot2

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=135223
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\djtai.dll/sp.html#10213

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=135223
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://djtai.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\djtai.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://djtai.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\djtai.dll/sp.html#10213

O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll (file missing)
O2 - BHO: (no name) - {9CDF816C-8317-FED9-C148-B90DE22A7375} - C:\WINDOWS\system32\ipkw32.dll (file missing)

O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe

O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [ipmf32.exe] C:\WINDOWS\ipmf32.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1015.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent_.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1015_EN_XP.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1013_EN_XP.cab

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab

Hi bigfoot2,

Check the entries listed above in HijackThis, close all windows except HijackThis, and click Fix checked.

Download and run: CWShredder
Use the Fix button and follow the program's instructions.

Then download, install and update AdAware and scan with it. Link for the download and an explanation: http://home.planet.nl/~kleyn080/Spywareinfonl.html

Regards,

Pieter
 