Helpmij against spyware offensive (part 5)

Status
Not open for further replies.
Posted by Jeroentje80


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=144440
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=144440
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?np-hkcu

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [wryoxmvsxf] C:\WINDOWS\System32\oiytpl.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [sisipm] C:\WINDOWS\System32\sisipm.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible

O4 - HKCU\..\Run: [hen] C:\WINDOWS\2.exe
O4 - HKCU\..\Run: [sp] C:\sp.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928517605/netzip/RdxIE601.cab

Hi Jeroentje80,

Tick the entries above, close all windows except HijackThis and click Fix checked.

Download and run CWShredder.
Use the Fix button and follow the program's instructions carefully.

Then reboot and scan with AdAware.

Regards,

Pieter
 
Posted by glass

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Esmir\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Esmir\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Esmir\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Esmir\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Esmir\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Esmir\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {F32567BA-D936-4368-8F79-93BE25C897E9} - C:\WINDOWS\System32\mao.dll

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

Hi glass,

The entries above are the ones that need to be fixed.

Read the remaining instructions here:
http://www.helpmij.nl/forum/showthread.php?threadid=168347

Regards,

Pieter
 
Posted by Haunter

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ria\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Ria\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ria\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ria\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Ria\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ria\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {4C236F4C-2E1B-4A04-B649-36C9973DF267} - C:\windows\System32\hfbfn.dll

Hi Haunter,

Continue with the information above in: http://www.helpmij.nl/forum/showthread.php?threadid=168347

Regards,

Pieter
 
Posted by Önder
ERERERER.bmp


Thanks again hans.

When will you people finally stop running everything from inside a zip folder? :rolleyes:

Unpack first, then run.

Regards,

Pieter
 
I think I have removed the trojan; what else still needs to go?

Logfile of HijackThis v1.97.7
Scan saved at 17:12:25, on 27-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\oiytpl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\peakers.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=144440
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=144440
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?np-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wryoxmvsxf] C:\WINDOWS\System32\oiytpl.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible
O4 - HKLM\..\Run: [peakers] C:\WINDOWS\System32\peakers.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [hen] C:\WINDOWS\2.exe
O4 - HKCU\..\Run: [sp] C:\sp.exe
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928517605/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.3348726852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E15111B0-95AE-4C05-B91F-F4564057990C} (MovieSystem WAY) - http://servicesv4.moviesystem.com/cabs/msway.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF59DB43-6DD8-42BC-A9A8-EB64069469CE}: NameServer = 194.134.5.5 194.134.0.97
 
Dear Pieter,

I have recently started using HijackThis too, since Ad-aware 6.181 and Spybot S&D 1.2 did not solve all my problems. I would like to know what still needs to be removed, and also which start-up entries I can remove.

I have already removed the following earlier:
O4 - HKLM\..\Run: [browse bait] C:\PROGRA~1\1 Acid Nurb\bin does plus.exe
O2 - BHO: (no name) - {77958732-EA20-A42F-E9DD-A97DC843AB1D} - C:\PROGRA~1\DELETE~1\BalmDate.dll
O3 - Toolbar: licensedeaftick - {8837363A-F904-3FD5-732D-ED12E7487436} - C:\PROGRA~1\DELETE~1\BalmDate.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Here is my current log; I have the feeling there may be quite a bit of junk in it:

Logfile of HijackThis v1.97.7
Scan saved at 17:13:42, on 27-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ahead\InCD\InCD.exe
D:\Daemon ****\daemon.exe
C:\Program Files\Philips ToUcam Camera\VProperty.exe
C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
C:\WINDOWS\System32\MMTray.exe
C:\WINDOWS\System32\MMTray2k.exe
C:\WINDOWS\System32\MMTrayLSI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsgPlus.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
D:\CesarFTP\server.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
D:\CesarFTP\CesarFTP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\cwshredder\HijackThis.exe
C:\WINDOWS\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fok.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://frontpage.fok.nl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Daemon ****\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ToUcamVProperty] C:\Program Files\Philips ToUcam Camera\VProperty.exe
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MSN Messenger\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MSN Messenger\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [vorbisenc] C:\WINDOWS\System32\vorbisenc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B88CCE57-2CDD-41DC-BF27-16E36E440EFD}: NameServer = 129.125.101.57,129.125.4.6

Thanks a lot in advance for any comments. It is always nice when more people commit themselves to the cause of a "clean" computer.


:thumb:

Regards,
Jelle

P.S. If this is one log too many for the moment: I have all the time in the world anyway.
 
Posted by Pieter Arntz


When will you people finally stop running everything from inside a zip folder? :rolleyes:

Unpack first, then run.

Regards,

Pieter

Unpacked, still the same result. ;)
 
Posted by obliterator
Dear Pieter,

I have recently started using HijackThis too, since Ad-aware 6.181 and Spybot S&D 1.2 did not solve all my problems. I would like to know what still needs to be removed, and also which start-up entries I can remove.

I have already removed the following earlier:
O4 - HKLM\..\Run: [browse bait] C:\PROGRA~1\1 Acid Nurb\bin does plus.exe
O2 - BHO: (no name) - {77958732-EA20-A42F-E9DD-A97DC843AB1D} - C:\PROGRA~1\DELETE~1\BalmDate.dll
O3 - Toolbar: licensedeaftick - {8837363A-F904-3FD5-732D-ED12E7487436} - C:\PROGRA~1\DELETE~1\BalmDate.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Here is my current log; I have the feeling there may be quite a bit of junk in it:


Thanks a lot in advance for any comments. It is always nice when more people commit themselves to the cause of a "clean" computer.


:thumb:

Regards,
Jelle

P.S. If this is one log too many for the moment: I have all the time in the world anyway.

The junk you removed looks like lop.com/c2media.

This one I find a bit suspicious:
O4 - HKCU\..\Run: [vorbisenc] C:\WINDOWS\System32\vorbisenc.exe
I did find one result on Google, but I think that was a coincidence.

Can you check whether you can find the corresponding file, and whether anything can be learned from Properties > Version tab?

Regards,

Pieter
 
Posted by Jeroentje80
I think I have removed the trojan; what else still needs to go?


A few posts up. (The first one on this page if you use the default Helpmij settings.)

Regards,

Pieter
 
Start page problems

First of all, great respect for everything you all do!!!

Today I suddenly got problems with my start page: it kept disappearing, and each time the address below appeared, with 1 or 2 pop-ups saying that I am infected with spyware:

res://mqnfd.dll/index.html#37680

Possibly relevant: before I had read your text I downloaded and installed SpywareBlaster Version 3.1, but that did not get me much further either.

After carefully reading through your explanation, I downloaded Ad-aware 6.181 and then HijackThis v1.97.1. Below you can find my scan log:

Logfile of HijackThis v1.97.7
Scan saved at 17:03:32, on 27-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winli32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe
C:\WINDOWS\System32\PRISMSTA.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\crvv32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Henk Suichies\Mijn documenten\Mijn programma's\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mqnfd.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mqnfd.dll/index.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mqnfd.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mqnfd.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mqnfd.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mqnfd.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {398A38C5-EE42-50AD-C94F-147E8B9CC3C7} - C:\WINDOWS\winqd.dll
O2 - BHO: (no name) - {65F9563A-E178-3E64-822D-4D4C935D02B5} - C:\WINDOWS\msyp32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [crvv32.exe] C:\WINDOWS\crvv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano/prog/HOL/rundum.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06515a6300000e48c405/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37899.1631597222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I have not removed a single file from my PC yet!!

When downloading HijackThis I chose My Documents as the save location; after the installation I put the file in a subfolder of My Documents (Mijn programma's). Is that enough to avoid the backup problem?

By the way, I did not have to unzip anything at all; the HijackThis program was available directly. Can that be right? I downloaded it via: http://www.spywareinfo.com/~merijn/files/HijackThis.exe.

If you need to know anything else from me, just say so. You have my full cooperation!!

In any case, strength and good luck with it, and thanks in advance!!!! :thumb:

Kind regards,

Maniac
 
Posted by Önder


Unpacked, still the same result. ;)

For that error I find:
This error code, 800A01B6 usually occurs when you execute a VBScript. My guess is that there is a typo error in one of the METHODS in your script.

In other words, it should be a typo. But the same script does work for me :confused:

'RegSrch.vbs - Search Registry for input string and display results.
'© Bill James - wgjames@mvps.org
' revised 20 Apr 2001 (parses regfile ~3X faster)
' revised 13 Dec 2001 (added Regedit command line switch for Win2K/WindXP)

Option Explicit
Dim oWS : Set oWS = CreateObject("WScript.Shell")
Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")

Dim sSearchFor
sSearchFor = InputBox("This script will search your Registry and find all " & _
    "instances of the search string you input." & vbcrlf & vbcrlf & _
    "This search could take several minutes, so please be patient." & _
    vbcrlf & vbcrlf & "Enter search string (case insensitive) and " & _
    "click OK...", WScript.ScriptName & " " & Chr(169) & " Bill James")

If sSearchFor = "" Then Cleanup()

Dim StartTime : StartTime = Timer

Dim sRegTmp, sOutTmp, eRegLine, iCnt, sRegKey, aRegFileLines
iCnt = 0

' Temp file names: the full registry export and the results file.
' No trailing spaces in the names, and they are quoted when passed to
' regedit/WordPad below because %Temp% may contain spaces.
sRegTmp = oWS.Environment("Process")("Temp") & "\RegTmp.tmp"
sOutTmp = oWS.Environment("Process")("Temp") & "\sOutTmp" & _
    Hour(Now) & Minute(Now) & Second(Now) & ".tmp"

' Export the whole registry as a text .reg file; /a enables export as Ansi for WinXP
oWS.Run "regedit /e /a """ & sRegTmp & """", , True

With oFSO.OpenTextFile(sOutTmp, 8, True)
    .WriteLine("REGEDIT4" & vbcrlf & "; " & WScript.ScriptName & " " & _
        Chr(169) & " Bill James" & vbcrlf & vbcrlf & "; Registry search " & _
        "results for string " & Chr(34) & sSearchFor & Chr(34) & " " & Now & _
        vbcrlf & vbcrlf & "; NOTE: This file will be deleted when you close " & _
        "WordPad." & vbcrlf & "; You must manually save this file to a new " & _
        "location if you want to refer to it again later." & vbcrlf & "; (If " & _
        "you save the file with a .reg extension, you can use it to restore " & _
        "any Registry changes you make to these values.)" & vbcrlf)

    ' Read the export in one go and split it into lines
    With oFSO.GetFile(sRegTmp)
        aRegFileLines = Split(.OpenAsTextStream(1, 0).Read(.Size), vbcrlf)
    End With

    oFSO.DeleteFile(sRegTmp)

    For Each eRegLine in aRegFileLines
        ' A line starting with "[" is a key header; remember it so that a
        ' matching value line can be written together with its key
        If Left(eRegLine, 1) = "[" Then sRegKey = eRegLine
        ' Compare mode 1 = text compare, so the search is case insensitive
        If InStr(1, eRegLine, sSearchFor, 1) > 0 Then
            If sRegKey <> eRegLine Then
                .WriteLine(vbcrlf & sRegKey & vbcrlf & eRegLine)
            Else
                .WriteLine(vbcrlf & sRegKey)
            End If
            iCnt = iCnt + 1
        End If
    Next

    Erase aRegFileLines

    If iCnt < 1 Then
        oWS.Popup "Search completed in " & FormatNumber(Timer - StartTime, 0) & " seconds." & _
            vbcrlf & vbcrlf & "No instances of " & chr(34) & sSearchFor & chr(34) & _
            " found.",, WScript.ScriptName & " " & Chr(169) & " Bill James", 4096
        .Close
        oFSO.DeleteFile(sOutTmp)
        Cleanup()
    End If
    .Close

End With

oWS.Popup "Search completed in " & FormatNumber(Timer - StartTime, 0) & " seconds." & _
    vbcrlf & vbcrlf & iCnt & " instances of " & chr(34) & sSearchFor & chr(34) & _
    " found." & vbcrlf & vbcrlf & "Click OK to open Results in WordPad.",, _
    WScript.ScriptName & " " & Chr(169) & " Bill James", 4096

' Show the results; the file is deleted again once WordPad is closed
oWS.Run "WordPad """ & sOutTmp & """", 3, True

oFSO.DeleteFile(sOutTmp)

Cleanup()

Sub Cleanup()
    Set oWS = Nothing
    Set oFSO = Nothing
    WScript.Quit
End Sub


If you save the script above as regsrch.vbs and then double-click it, does it work then?

Regards,

Pieter
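The registry search that RegSrch.vbs performs, reimplemented in Python as an added example so the logic can be read and run offline. This is not code from the original post and not Bill James's script; the sample export below is constructed from values quoted in this thread, and the function names (search_reg_export, format_results, logical_lines) are my own. It does one thing the VBScript does not: it joins regedit's backslash-continued hex lines before searching, so a string that straddles a line wrap is still found.

```python
"""Search a regedit text export for a string, the way RegSrch.vbs does.

Added example for this thread; not part of the original post and not
Bill James's script. It reproduces the VBScript's algorithm (remember
the current [key] line, report every matching line together with its
key). On a real machine you would first run:  regedit /e /a export.reg
(/a writes ANSI; without it XP writes UTF-16LE, so open the file with
the matching encoding) and pass the file contents to search_reg_export().
"""
import re
from typing import Iterator, List, Tuple

KEY_LINE = re.compile(r"^\[.+\]$")

# Constructed sample export, modelled on the hijacked IE values quoted in
# this thread. It is not an export taken from any poster's machine.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="file://C:\\DOCUME~1\\Esmir\\LOCALS~1\\Temp\\sp.html"
"Start Page"="http://www.google.nl/"
"HomeOldSP"="about:blank"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sp"="C:\\sp.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_CLASSES_ROOT\CLSID\{F32567BA-D936-4368-8F79-93BE25C897E9}\InprocServer32]
@="C:\\WINDOWS\\System32\\mao.dll"
"ThreadingModel"=hex(7):41,00,70,00,61,00,72,00,74,00,\
  6d,00,65,00,6e,00,74,00,00,00,00,00
"""


def logical_lines(export_text: str) -> Iterator[str]:
    """Yield export lines with regedit's trailing-backslash continuations joined.

    Long hex values are wrapped over several indented lines; RegSrch.vbs
    searches them line by line and can miss a string that straddles a wrap.
    """
    pending = ""
    for raw in export_text.splitlines():
        line = raw.rstrip("\r")
        if pending:
            line = pending + line.lstrip()
            pending = ""
        if line.endswith("\\") and not KEY_LINE.match(line):
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending


def search_reg_export(export_text: str, needle: str) -> List[Tuple[str, str]]:
    """Return (key, line) for every line containing needle, case-insensitively.

    A matching key line is reported as (key, key), mirroring RegSrch.vbs,
    which writes only the key in that case.
    """
    hits: List[Tuple[str, str]] = []
    current_key = ""
    needle_cf = needle.casefold()
    for line in logical_lines(export_text):
        if KEY_LINE.match(line):
            current_key = line
        if needle_cf in line.casefold():
            hits.append((current_key, line))
    return hits


def format_results(needle: str, hits: List[Tuple[str, str]]) -> str:
    """Render hits as a REGEDIT4 file, grouped by key, like the script's output."""
    out = ["REGEDIT4", "", f'; Registry search results for string "{needle}"']
    last_key = None
    for key, line in hits:
        if key != last_key:
            out += ["", key]
            last_key = key
        if line != key:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    needle = sys.argv[1] if len(sys.argv) > 1 else "sp.html"
    text = SAMPLE_EXPORT
    if len(sys.argv) > 2:  # path to a real "regedit /e /a" export (ANSI)
        with open(sys.argv[2], encoding="cp1252") as f:
            text = f.read()
    print(format_results(needle, search_reg_export(text, needle)))
```

Run it with the search string as the first argument and, optionally, the path of a real export as the second; with no arguments it searches the constructed sample for sp.html. Because the output keeps the REGEDIT4 header and the original key lines, it can be saved as a .reg file to restore any value you later change, exactly as the VBScript's header note says.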
 
Re: Start page problems

Posted by Maniac

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mqnfd.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mqnfd.dll/index.html#37680

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mqnfd.dll/index.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mqnfd.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mqnfd.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mqnfd.dll/sp.html#37680

O2 - BHO: (no name) - {398A38C5-EE42-50AD-C94F-147E8B9CC3C7} - C:\WINDOWS\winqd.dll
O2 - BHO: (no name) - {65F9563A-E178-3E64-822D-4D4C935D02B5} - C:\WINDOWS\msyp32.dll

O4 - HKLM\..\Run: [crvv32.exe] C:\WINDOWS\crvv32.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06515a6300000e48c405/netzip/RdxIE601.cab

Hi Maniac,

Click Start > Run > services.msc > OK.
In the list of services, look for Network Security Service.
Right-click it and stop the service. Then choose Properties from the right-click menu and, on the General tab, set the startup type to Disabled.

Close all windows except HijackThis.

In Task Manager (Ctrl-Alt-Del), end these two processes:
C:\WINDOWS\winli32.exe
C:\WINDOWS\crvv32.exe

Then tick the entries above, close all windows except HijackThis and click Fix checked.

Then reboot into Safe Mode and delete:
C:\WINDOWS\winli32.exe
C:\WINDOWS\crvv32.exe
C:\WINDOWS\system32\mqnfd.dll
C:\WINDOWS\winqd.dat
C:\WINDOWS\msyp32.dat

Then boot normally again and follow the instructions here:
http://www.helpmij.nl/forum/showthread.php?threadid=167599

Regards,

Pieter
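The fix lists in this thread keep ticking the same kinds of entries: IE start/search values pointing at file://...\Temp\sp.html, at res://mqnfd.dll, or at hosts such as smartbotpro.net; BHOs with "(no name)" loaded from the Windows folder; Run entries such as [wryoxmvsxf] or [crvv32.exe]; and the O16 line with the ms-its:mhtml: CHM download that drops sp.exe. Here, as an added example that is not part of the thread and not a HijackThis feature, is a small triage script that applies those patterns to a log. The rule set, the function names and the sample log are my own construction from the entries quoted above; every rule is a heuristic, so a hit means "look at this entry", not "this is malware".

```python
"""Triage a HijackThis log using the indicators the helpers apply in this thread.

Added example; not part of the thread and not a HijackThis feature. Rules:
  R0/R1  IE value points at res:// in a DLL, at a file:// page in a Temp
         folder, or at a hijacker host quoted in the thread's logs
  O2     "(no name)" BHO loaded from outside Program Files
  O4     Run entry launching an exe from the root of C:, a random-looking exe
         from the Windows folder, or a random-looking name in System32
  O16    ActiveX download via an ms-its:/CHM URL
"""
import re
from typing import Callable, Dict, Iterator, List, Optional, Tuple

LOG_LINE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
O4_RUN = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)$")
EXE_PATH = re.compile(r'([a-z]:\\[^"]*?\.exe)', re.I)

# Hosts that the logs in this thread show as hijacked start/search pages.
HIJACKER_HOSTS = ("smartbotpro.net", "couldnotfind.com", "default-homepage-network.com")

# Constructed sample built from entries quoted in the thread (not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mqnfd.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fok.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ria\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
O2 - BHO: (no name) - {398A38C5-EE42-50AD-C94F-147E8B9CC3C7} - C:\WINDOWS\winqd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [crvv32.exe] C:\WINDOWS\crvv32.exe
O4 - HKLM\..\Run: [wryoxmvsxf] C:\WINDOWS\System32\oiytpl.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [sp] C:\sp.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


def parse(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each entry line; headers and process lists are skipped."""
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def vowel_ratio(name: str) -> float:
    """Share of vowels among letters; random-looking names such as wryoxmvsxf score low."""
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def check_r(body: str) -> Optional[str]:
    url = body.split("=", 1)[1].strip().lower() if "=" in body else ""
    if url.startswith("res://"):
        return "IE page/search value points into a DLL resource (res://)"
    if url.startswith("file://") and "\\temp\\" in url:
        return "IE page/search value points at a page in a Temp folder"
    if any(host in url for host in HIJACKER_HOSTS):
        return "IE page/search value points at a hijacker host seen in this thread"
    return None


def check_o2(body: str) -> Optional[str]:
    parts = body.split(" - ")  # "BHO: <name>", "{CLSID}", "<path>"
    name, path = parts[0][len("BHO: "):].strip(), parts[-1].strip().lower()
    if name == "(no name)" and "program files" not in path:
        return "nameless BHO loaded from outside Program Files"
    return None


def check_o4(body: str) -> Optional[str]:
    m = O4_RUN.match(body)
    exe = EXE_PATH.search(m.group(2)) if m else None
    if not exe:
        return None  # Global Startup items and rundll32 launches are not covered
    value_name = m.group(1)
    folder, base = exe.group(1).lower().rsplit("\\", 1)
    stem = base[: -len(".exe")]
    if folder == "c:":
        return "Run entry launches an executable from the root of C:"
    if folder == "c:\\windows" and (vowel_ratio(stem) < 0.15 or value_name.lower() == base):
        return "Run entry launches a random-looking executable from the Windows folder"
    if folder == "c:\\windows\\system32" and min(vowel_ratio(stem), vowel_ratio(value_name)) < 0.15:
        return "Run entry in System32 with a random-looking name"
    return None


def check_o16(body: str) -> Optional[str]:
    url = body.rsplit(" - ", 1)[-1].strip().lower()
    if url.startswith("ms-its:") or ".chm" in url:
        return "ActiveX entry uses an ms-its:/CHM URL (help-file trick used to drop sp.exe)"
    return None


CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "R0": check_r, "R1": check_r, "O2": check_o2, "O4": check_o4, "O16": check_o16,
}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries worth a second look, each with the rule that fired."""
    hits = []
    for section, body in parse(log_text):
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            hits.append({"section": section, "line": f"{section} - {body}", "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['reason']}\n    {hit['line']}")
```

Paste a full log into SAMPLE_LOG, or read one from a file and pass it to triage(), to get the short list a helper would look at first. The vowel-ratio test is deliberately crude: it catches wryoxmvsxf and crvv32 but lets names such as ctfmon and oiytpl through, which is why the thread's helpers still read every O4 line by hand.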
 
Hey,

Every time I boot I get the message that Windows cannot find bridge.dll in windows\downloaded program files\.

I have googled a bit and found out that it is spyware.

Here is my HijackThis log... can someone tell me how to get it off my PC?

Does anyone have any further tips on things I can disable?



Logfile of HijackThis v1.97.7
Scan saved at 17:38:37, on 27-6-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\finbyud.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Familie\Bureaublad\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [bhxmlfwdolx] C:\WINDOWS\System32\finbyud.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_32\WATCH.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Ontvang alle bestanden door Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Ontvangst door Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...url]http://www.gameboy.com/sp/vp/content.html[/url]
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {0D5AAD20-C9EF-11D4-B5D3-00C04F163665} (CBSBiB.iPCRClickMap) - http://www.cbs.nl/nl/cijfers/buurt-in-beeld/klikkaart.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37620.6827893518
O16 - DPF: {B0A2C7FC-8666-44D6-A990-2FCE3B933341} (ING Bank Autorisatiescherm) - http://secure.ingbank.nl/download/DigiSign.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
 
Pieter, thanks for your check :thumb: ,

About vorbis:

There are 3 small files in system32, namely vorbis.acm, vorbis.dll and vorbisenc.dll. The properties of vorbis.acm list several things:

Ogg Vorbis Audio codec for MSACM
Comments:
This software is based on a code of 'libVorbis'.
Xiphophorus libVorbis I 20011231
Copyright (C)2001 Xiphophorus
company:
HMS http://hp.vector.co.jp/authors/VA012897/
Ogg Vorbis Audio codec for MSACM

It probably came along with the 'ACE Mega CoDecS pack' or the 'Nimo Codec Pack'; as far as I know I have not had much trouble with it, but apparently spyware/adware sometimes comes bundled with it.
 
Posted by Pascal1234
Hey,

Every time I start up I get a message that Windows cannot find bridge.dll in windows\downloaded program files\.

Now I have googled a bit and found out that it is spyware.

Here is my HijackThis log... can anyone tell me how I get it off my PC?
The good news is: it is already gone, otherwise you would not have got that error message. ;)



Does anyone have any other tips on things I can disable?

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [bhxmlfwdolx] C:\WINDOWS\System32\finbyud.exe

O4 - Startup: PowerReg Scheduler.exe

The bad news: you had more junk.

Tick the entries above, close all windows except HijackThis and click Fix checked.

Then reboot into safe mode and delete:
C:\WINDOWS\System32\finbyud.exe

Greetings,

Pieter
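Added illustration, not code from this thread or from HijackThis: a small Python triager for the O4 Run entries of a HijackThis 1.97 log that encodes the two signals Pieter relies on in this reply and in his earlier reply to Maniac, a random-looking value name such as bhxmlfwdolx and a file in an odd location (an executable directly in the Windows root, or a DLL loaded from Downloaded Program Files, like bridge.dll). The sample lines are constructed from entries quoted in this thread; the length and vowel-ratio thresholds are assumptions.

```python
import re

# Constructed sample: a handful of O4 lines in the HijackThis v1.97 log format used in
# this thread, mixing known-good entries with the two the helper told the poster to fix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [bhxmlfwdolx] C:\WINDOWS\System32\finbyud.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# O4 registry autostart line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
VOWELS = set("aeiouy")


def looks_random(name):
    """Heuristic (assumed thresholds): value names like 'bhxmlfwdolx' are long,
    all lowercase letters and almost vowel-free, unlike 'ccApp' or 'stcloader'."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    return sum(ch in VOWELS for ch in name) / len(name) < 0.2


def paths_in(cmd):
    """Every file path in a command line: quoted paths first, then bare tokens
    that start with a drive letter (so 'nwiz.exe /install' yields nothing)."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    rest = re.sub(r'"[^"]*"', "", cmd)
    bare = [t for t in rest.split() if re.match(r"[A-Za-z]:\\", t)]
    return quoted + bare


def triage(log):
    """Return (level, value_name, reason) for each O4 entry a helper would question.
    'bad' mirrors what the thread says to fix; 'review' is a location worth a look."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        _hive, _key, name, cmd = m.groups()
        if looks_random(name):
            findings.append(("bad", name, "random-looking Run value name"))
        for path in paths_in(cmd):
            folder, _, fname = path.rpartition("\\")
            low = folder.lower()
            if "downloaded program files" in low:
                findings.append(("bad", name, f"{fname} loaded from Downloaded Program Files"))
            elif low in ("c:", "c:\\windows"):
                findings.append(("review", name, f"{fname} sits directly in {folder}"))
    return findings


if __name__ == "__main__":
    for level, name, reason in triage(SAMPLE_LOG):
        print(f"{level:6} [{name}] {reason}")
```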
 
Posted by obliterator
Pieter, thanks for your check :thumb: ,

About vorbis:

There are 3 small files in system32, namely vorbis.acm, vorbis.dll and vorbisenc.dll. The properties of vorbis.acm list several things:

Ogg Vorbis Audio codec for MSACM
Comments:
This software is based on a code of 'libVorbis'.
Xiphophorus libVorbis I 20011231
Copyright (C)2001 Xiphophorus
company:
HMS http://hp.vector.co.jp/authors/VA012897/
Ogg Vorbis Audio codec for MSACM

It probably came along with the 'ACE Mega CoDecS pack' or the 'Nimo Codec Pack'; as far as I know I have not had much trouble with it, but apparently spyware/adware sometimes comes bundled with it.

That matches the one I had found:
http://www.hydrogenaudio.org/index.php?showtopic=2852&st=0&

No coincidence, then. It can stay, but whether it is really needed??

Greetings,

Pieter
 
log

Hi, would you check my log?
Thx :D

Logfile of HijackThis v1.97.7
Scan saved at 17:53:21, on 27/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\TIBIA\TIBIA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.skynet.be/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skippies.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sync Manager] C:\WINDOWS\DESKTOP\TIBIAGG.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38011.3325694444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {E3802230-F0E2-4A75-9947-EAB78DD8153F} (InstallerX Class) - http://www.klikeuro.nl/cab/EasyWebInstaller.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

Thanks in advance! :thumb:
GREETZ
Eltommo
 
Posted by Pieter Arntz


Hi Haunter,

Carry on with the information above in: http://www.helpmij.nl/forum/showthread.php?threadid=168347

Greetings,

Pieter
The problem is, that dll is not (or no longer) in my system32 folder... :confused:

Here is a log...
Logfile of HijackThis v1.97.7
Scan saved at 9:06:27, on 27-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Messenger Plus! 3\MsgPlus1.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MICROSTAR\Bluetooth Software\BTTray.exe
C:\windows\System32\devldr32.exe
C:\PROGRA~1\MI43DA~1\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\windows\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\windows\System32\svchost.exe
C:\windows\system32\scagent.exe
C:\windows\system32\winlogon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} - http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab

Edit: Pieter, do you happen to know how I can get rid of the cursor that shows it is loading something...? I do know it is caused by scagent.exe, but I cannot stop that application :(
 