Helpmij tegen spyware offensief (deel 6)

  • Onderwerp starter Onderwerp starter m@rio
  • Startdatum Startdatum
Status
Niet open voor verdere reacties.
Re: Nog niet goed.

Geplaatst door frabans
Ik heb gisteren een log geplaatst en keurig reactie gehad hoe te handelen. Ik heb alles uitgevoerd zoals beschreven, alleen 2 files kan ik niet vinden. De verborgen bestanden staan op zichtbaar.
E:\recycler\nprotect ( map moet verwijderd worden)
C:\windows\download program files\dailyToolbar.dll (bestand moet verwijderd worden) Ik kan ze echt niet vinden.

Nadat ik opnieuw met adaware gescand heb kreeg ik weer vier register vermeldingen. Ik heb ze in quarantine gedaan en vervolgens verwijderd. Na opnieuw scannen komen ze niet meer terug.
Ik heb echter nu met Spybot gescand (versi1.3) en ik krijg 37 problemen in vier groepen t.w.

1 DSO Exploit (5 entries)
2 Daily Toolbar (14 entries)
3 Gain Dashbar (1 entrie)
4 Fun web (17 entries)

Omdat ze in het register staan heb ik niks verwijderd. Hier nogmaals mijn log. Wat kan ik doen?

Logfile of HijackThis v1.98.0
Scan saved at 19:47:28, on 19-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
....
Klik om te vergroten...


Hallo Frabans,

Ik zei gisteren toch ook al dat je de door AdAware en Spybot gevonden registerwijzigingen gewoon moet verwijderen? Dit zijn alleen maar loze verwijzingen naar spyware die niet meer op je pc actief is. Daily Toolbar, Gain Dashbar en Fun Web staan nu niet meer op je pc, maar er staan nog wel verwijzingen naar in het register. Vandaar dat ik je gisteren expliciet aanraadde nog eens met AdAware (maar Spybot mag ook, of met allebei) te scannen en alles wat gevonden werd te verwijderen. Je log is keurig nu, alleen die verwijzingen in het register moeten nog even weg en dat kun je met AdAware en Spybot doen. Niet bang zijn, gewoon verwijderen wat gevonden wordt. Alleen die DSO-exploit meldingen van Spybot kun je negeren, dat is namelijk een foutje van Spybot.


Groetjes,

Buffy
 
Re: Re: Re: Re: Re: Re: heinzfaust

Geplaatst door Heinzfaust


Hier is de nieuwe:

Logfile of HijackThis v1.98.0
Scan saved at 20:13:07, on 19-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
.....
Klik om te vergroten...


Keurig!:thumb:
 
Dotter

Geplaatst door Dotter
Willen jullie even naar dit log kijken?
Windows mediaplayer werkte niet meer; in program files stond ie nog, maar startte niet meer op. Wel stond er MPlayer2.exe bij, die wel opstartte.
Na het draaien van Adaware (vond idd een verwijzing naar Windows Media Player) is het icoontje rechts onder in de taakbalk verdwenen en in Program Files staat alleen nog MPlayer2.exe. Lijkt er dus op dat Windows Media Player corrupt/gekaapt of weet ik wat is :-(
Wat voor rare dingen vinden jullie?

Logfile of HijackThis v1.98.0
Scan saved at 19:39:22, on 19-7-2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
.....
Klik om te vergroten...


Hallo Dotter,

Ik zie niets bijzonders. Misschien moet je WMP even opnieuw installeren?


Groetjes,

Buffy
 
Logfile of HijackThis v1.97.7
Scan saved at 14:48:50, on 19-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trust\302KS\Mouse\mouse32a.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\st.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Trust\302KS\Keyboard\KbdAp32A.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {71B1C71F-2646-49F5-9D9D-D09F539CB46E} - (no file)
O2 - BHO: (no name) - {73E92708-CAA5-4B70-8CD7-79241FB808FE} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E15B575F-0619-4B90-9B4A-C6FC52E95969} - (no file)
O2 - BHO: (no name) - {E3BD14BF-3150-4EBF-A2AB-97424F451AB5} - (no file)
O2 - BHO: (no name) - {EBD4DEC3-00AF-4AC0-8FB8-BC8D3A894E57} - C:\WINDOWS\System32\gnbh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Trust\302KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Program Files\Trust\302KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\Documents and Settings\Arnout\Local Settings\Temp\norton antivirus 2003\AdvTools\AdvChk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ORBsetup.exe] D:\MYSHAR~1\ORBsetup.exe /r
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar...vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup...mAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l...cfscan.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
 
Mijn dank is bijzonder groot

Beste beste medewerkers Hans, Buffy en Wim (en als ik er een gemist heb in alle berichten van vandaag dan ook hen)

De boel loopt al een stuk sneller en mijn dank is groot.

Groetjes Wilma:love:
 
Geplaatst door scotty007
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Arnout\LOCALS~1\Temp\sp.html

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {71B1C71F-2646-49F5-9D9D-D09F539CB46E} - (no file)
O2 - BHO: (no name) - {73E92708-CAA5-4B70-8CD7-79241FB808FE} - (no file)
O2 - BHO: (no name) - {E15B575F-0619-4B90-9B4A-C6FC52E95969} - (no file)
O2 - BHO: (no name) - {E3BD14BF-3150-4EBF-A2AB-97424F451AB5} - (no file)
O2 - BHO: (no name) - {EBD4DEC3-00AF-4AC0-8FB8-BC8D3A894E57} - C:\WINDOWS\System32\gnbh.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Klik om te vergroten...

Hi Scotty,

Check all above in HijackThis, close all windows except HijackThis and press "Fix Checked"

Reboot into safe mode, and delete:
C:\WINDOWS\System32\netdc.exe <<file
C:\WINDOWS\System32\gnbh.dll << file

Empty your temp files by using Disk Cleaner

After all, reboot into normal mode, make a new HijackThis log and post it here.

Edit:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
Klik om te vergroten...

U'll say you are English????
 
Laatst bewerkt:
Re: Mijn dank is bijzonder groot

Geplaatst door wilmaM
Beste beste medewerkers Hans, Buffy en Wim (en als ik er een gemist heb in alle berichten van vandaag dan ook hen)

De boel loopt al een stuk sneller en mijn dank is groot.

Groetjes Wilma:love:
Klik om te vergroten...

Dat is geweldig :thumb:
 
Hallo Dotter, Ik zie niets bijzonders. Misschien moet je WMP even opnieuw installeren?

Groetjes,

Buffy

Bedankt, dan is er dus niets vreemds in mijn log. Fijn om te weten.
Ik zal idd maar even opnieuw installeren
 
Hierbij nogmaals mijn logbook, maar kon "O2 - BHO: (no name) - {EBD4DEC3-00AF-4AC0-8FB8-BC8D3A894E57} - C:\WINDOWS\System32\gnbh.dll " niet vinden en in safe start niet verwijderen de rest wel!!

Logfile of HijackThis v1.97.7
Scan saved at 21:22:29, on 19-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trust\302KS\Mouse\mouse32a.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Trust\302KS\Keyboard\KbdAp32A.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {7AA1D0AE-DA63-4CE4-B0BB-DB39D3B73203} - C:\WINDOWS\System32\mdiafcb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Trust\302KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Program Files\Trust\302KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\Documents and Settings\Arnout\Local Settings\Temp\norton antivirus 2003\AdvTools\AdvChk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ORBsetup.exe] D:\MYSHAR~1\ORBsetup.exe /r
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4376/mcfscan.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab


Trouwens bedankt voor je snelle reactie!!

Scott

PS. kan ik wanneer probleem is opgelost mijn map hijackthis verwijderen met back-up bestanden erin? Bedankt!
 
gescanned met ad-aware

Logfile of HijackThis v1.98.0
Scan saved at 8:45:34, on 17-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mssm.exe
C:\WINDOWS\atlqr32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\zmpkfwgg.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kswcf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kswcf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kswcf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kswcf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kswcf.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kswcf.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {4F68D379-A552-6CBC-1C98-D30E630A4F43} - C:\WINDOWS\system32\appoh32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [powluxn] C:\WINDOWS\System32\zmpkfwgg.exe
O4 - HKLM\..\Run: [atlqr32.exe] C:\WINDOWS\atlqr32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [mssm.exe] C:\WINDOWS\system32\mssm.exe
O4 - HKLM\..\RunOnce: [appmg32.exe] C:\WINDOWS\appmg32.exe
O4 - HKLM\..\RunOnce: [addqu32.exe] C:\WINDOWS\system32\addqu32.exe
O4 - HKLM\..\RunOnce: [crow32.exe] C:\WINDOWS\crow32.exe
O4 - HKLM\..\RunOnce: [mfcio32.exe] C:\WINDOWS\system32\mfcio32.exe
O4 - HKLM\..\RunOnce: [javask32.exe] C:\WINDOWS\system32\javask32.exe
O4 - HKLM\..\RunOnce: [appaj.exe] C:\WINDOWS\appaj.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17de158676701f45d505/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

help me a.u.b.
 
Geplaatst door scotty007
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: (no name) - {7AA1D0AE-DA63-4CE4-B0BB-DB39D3B73203} - C:\WINDOWS\System32\mdiafcb.dll
Klik om te vergroten...

Had ff eerder gezegd dat je NL was, scheelt voor mij ook weer moeite.

1) Vink bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix Checked.

2) Start opnieuw op in veilige modus, en verwijder, mochten ze nog aanwezig zijn:
C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\System32\mdiafcb.dll

3) Start nu weer opnieuw op in normale modus.

Waarom zou je de map met HijackThis verwijderen? is maar een paar honderd KB?!
 
Je hebt gelijk, niet erg groot!
Alles werkt weer:

-geen popups.
-normale homepage.
-Geen Trojans!!!!

Dankje voor je tijd EN kennis!

Scott
 
Geplaatst door debende
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kswcf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kswcf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kswcf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kswcf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kswcf.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kswcf.dll/index.html#96676

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {4F68D379-A552-6CBC-1C98-D30E630A4F43} - C:\WINDOWS\system32\appoh32.dll

O4 - HKLM\..\Run: [powluxn] C:\WINDOWS\System32\zmpkfwgg.exe
O4 - HKLM\..\Run: [atlqr32.exe] C:\WINDOWS\atlqr32.exe
O4 - HKLM\..\RunOnce: [mssm.exe] C:\WINDOWS\system32\mssm.exe
O4 - HKLM\..\RunOnce: [appmg32.exe] C:\WINDOWS\appmg32.exe
O4 - HKLM\..\RunOnce: [addqu32.exe] C:\WINDOWS\system32\addqu32.exe
O4 - HKLM\..\RunOnce: [crow32.exe] C:\WINDOWS\crow32.exe
O4 - HKLM\..\RunOnce: [mfcio32.exe] C:\WINDOWS\system32\mfcio32.exe
O4 - HKLM\..\RunOnce: [javask32.exe] C:\WINDOWS\system32\javask32.exe
O4 - HKLM\..\RunOnce: [appaj.exe] C:\WINDOWS\appaj.exe
Klik om te vergroten...

Hoi debende,

1) Vink bovenstaande aan in HijackThis, sluit alle vensters behalve HijackThis en klik op Fix Checked.

2) Start opnieuw op in veilige modus, en verwijder de bestanden:
C:\Windows\System32\wsaupdater.exe
C:\WINDOWS\twaintec.dll
C:\WINDOWS\system32\appoh32.dll
C:\WINDOWS\System32\zmpkfwgg.exe
C:\WINDOWS\atlqr32.exe
C:\WINDOWS\system32\mssm.exe
C:\WINDOWS\appmg32.exe
C:\WINDOWS\system32\addqu32.exe
C:\WINDOWS\crow32.exe
C:\WINDOWS\system32\mfcio32.exe
C:\WINDOWS\system32\javask32.exe
C:\WINDOWS\appaj.exe

3) Start weer op in normale modus, en draai BitDefender en TrendMicro

4) Reboot nogmaals, maak een nieuw logje aan en post dat hier.
 
Hoi,

Van een vriend een computer met allerlei probleempjes, o.a. ook weer eens my web search wat niet te verwijderen is. De log is:

Groeten,

Bert Jan

Logfile of HijackThis v1.97.7
Scan saved at 21:43:46, on 19-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\mealaimscr\Multi City Soft.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\SpecialOffers.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\sebastiaan\Bureaublad\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.wanadoo.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.wanadoo.nl;signup.wanadoo.nl;<local>;localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nu.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EE1021D-67DB-8416-78D2-55867607648F} - C:\PROGRA~1\RoadHide\EncGrey.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\nl\msntb.dll
O3 - Toolbar: Ref Ante Third - {D578F9F6-33E4-CD03-6F76-CDF1BCA446C1} - C:\PROGRA~1\RoadHide\EncGrey.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Dash upload] C:\PROGRA~1\mealaimscr\Multi City Soft.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [Wanadoo Menu] C:\Program Files\Wanadoo\NL\Mnu\IGOMNU.EXE /S:T
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpecialOffers] C:\WINDOWS\SpecialOffers.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23b2b94751f7cd2f3306/netzip/RdxIE601.cab
O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.16/comload.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.3040509259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
 
debende

Geplaatst door debende

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kswcf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kswcf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kswcf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kswcf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kswcf.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kswcf.dll/index.html#96676
R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {4F68D379-A552-6CBC-1C98-D30E630A4F43} - C:\WINDOWS\system32\appoh32.dll

O4 - HKLM\..\Run: [atlqr32.exe] C:\WINDOWS\atlqr32.exe
O4 - HKLM\..\RunOnce: [mssm.exe] C:\WINDOWS\system32\mssm.exe
O4 - HKLM\..\RunOnce: [appmg32.exe] C:\WINDOWS\appmg32.exe
O4 - HKLM\..\RunOnce: [addqu32.exe] C:\WINDOWS\system32\addqu32.exe
O4 - HKLM\..\RunOnce: [crow32.exe] C:\WINDOWS\crow32.exe
O4 - HKLM\..\RunOnce: [mfcio32.exe] C:\WINDOWS\system32\mfcio32.exe
O4 - HKLM\..\RunOnce: [javask32.exe] C:\WINDOWS\system32\javask32.exe
O4 - HKLM\..\RunOnce: [appaj.exe] C:\WINDOWS\appaj.exe

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

help me a.u.b.
Klik om te vergroten...


Hallo debende,


Voer éérst de verwijderinstructies uit die je vindt in het eerste bericht op de volgende pagina: http://www.wilderssecurity.com/showthread.php?t=28658&page=2&pp=25. Is dat gelukt, maak en plaats dan een nieuw HijackThis-log zodat we de rest van de bende op jouw pc kunnen opruimen.


Groetjes,

Buffy
 
BJBD

Geplaatst door BJBD

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mysearchnow.com/passthrough/index.html?[url]http://www.microsoft.com/isapi/redir.dll?prd=[/url]
{SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0EE1021D-67DB-8416-78D2-55867607648F} - C:\PROGRA~1\RoadHide\EncGrey.dll

O3 - Toolbar: Ref Ante Third - {D578F9F6-33E4-CD03-6F76-CDF1BCA446C1} - C:\PROGRA~1\RoadHide\EncGrey.dll

O4 - HKLM\..\Run: [Dash upload] C:\PROGRA~1\mealaimscr\Multi City Soft.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [SpecialOffers] C:\WINDOWS\SpecialOffers.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/23b2b94751f7cd2f3306/netzip/RdxIE601.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.16/comload.dll
Klik om te vergroten...



Hallo BJBD,


1. Download CWShredder alvast, maar gebruik het nog niet.

2. Scan opnieuw met HijackThis, vink alle bovenstaande items (zie quote) aan, sluit alle vensters behalve HijackThis zelf en klik op "Fix Checked".

3. Draai nú CWShredder. Gebruik de "Fix" knop en let goed op de aanwijzingen die het programma geeft. (Het zou kunnen dat niets meer gevonden wordt.)

4. Herstart de pc in veilige modus. Als je niet weet hoe dat moet, kijk dan hier: klik

Zorg in de Verkenner, via Extra -> Mapopties -> Weergave, dat verborgen bestanden en mappen worden weergegeven.

Verwijder nu, in veilige modus dus, de volgende bestanden en mappen (voor zover nog aanwezig):

C:\PROGRA~1\mealaimscr <- die hele map
C:\WINDOWS\System32\P2P Networking <- hele map
C:\PROGRA~1\RoadHide <- die hele map

C:\WINDOWS\SpecialOffers.exe <- dat bestand

5. Herstart de pc in 'normale modus'.


Groetjes,

Buffy
 
Laatst bewerkt:
Hey Pieter,
op advies van Buffy plaats ik hier mijn Hijackthislog. Wil jij daar (weer) eens naar kijken?
En weet jij hoe ik dit soort grappen van waarschijnlijk MyWebSearch kan voorkomen?
Groetjes,
Rudi Wissink.


Logfile of HijackThis v1.97.7
Scan saved at 22:53:19, on 19-07-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\FORBEE~1\multi upload skip.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\SpywareGuard\spywareguardcp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rudi\Local Settings\Temp\Tijdelijke map 3 voor hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/webhp?sourceid=navclient&hl=nl&ie=UTF-8&oe=UTF-8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer van Rudi Wissink
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E2442569-C048-0C09-9B99-4C21088EFD98} - C:\PROGRA~1\STOPLI~1\bore plus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: draw info - {095D663C-1181-8F25-9331-0470AFDA4F00} - C:\PROGRA~1\STOPLI~1\bore plus.dll
O4 - HKLM\..\Run: [WpsRePsw] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AudioBags] C:\PROGRA~1\FORBEE~1\multi upload skip.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: SpywareGuard Control Panel.lnk = C:\Program Files\SpywareGuard\spywareguardcp.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Figuur openen in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1043\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.nl
O16 - DPF: DigiChat Applet - http://host9.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://ebmsg04.saxion.nl/iNotes.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/nl/win/QuickTimeInstaller.exe
O16 - DPF: {5B27C20D-FFB6-4054-BA78-DE4A059BC75A} (Microsoft Office Template Downloader) - http://www.office.microsoft.com/dutch/TemplateGallery/msotd.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.0289351852
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712...com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {E15111B0-95AE-4C05-B91F-F4564057990C} (MovieSystem WAY) - http://servicesv4.moviesystem.com/cabs/msway.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
 
Vervelende startpagina's

Dag Allemaal,

Ik heb maar weinig verstand van computers. Ben hier terecht gekomen door een tip van de mensen van het programma 'De harde schijf' van RTVNoord. Ik heb last van hardnekkige, vervelende en ongewenste startpagina's. Hieronder plak ik mijn HijackThislog met de vraag aan jullie wat ik moet verwijderen, en wat niet!

Alvast bedankt!

Logfile of HijackThis v1.97.7
Scan saved at 22:57:52, on 19-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\gsicon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\srv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\Digital Image\Monitor.exe
C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
C:\Program Files\Personal Backup\PersBackup.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
C:\DOCUME~1\mama\LOCALS~1\Temp\~~PDTEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/First2Enter/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\IEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PersBackup.lnk = C:\Program Files\Personal Backup\PersBackup.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65FB2678-2B4D-4666-9FEE-E137FFE7A94E}: NameServer = 195.121.1.34 195.121.1.66
 
Nierdonor

Geplaatst door Nierdonor

O2 - BHO: (no name) - {E2442569-C048-0C09-9B99-4C21088EFD98} - C:\PROGRA~1\STOPLI~1\bore plus.dll

O3 - Toolbar: draw info - {095D663C-1181-8F25-9331-0470AFDA4F00} - C:\PROGRA~1\STOPLI~1\bore plus.dll

O4 - HKLM\..\Run: [AudioBags] C:\PROGRA~1\FORBEE~1\multi upload skip.exe
Klik om te vergroten...



Hallo Nierdonor,


Ik bedoelde in die andere topic niet MyWebSearch maar MySearchNow. Mijn excuses daarvoor. Pieter concentreert zich momenteel trouwens op andere zaken dan het analyseren van HijackThis-logs, dus je zult het met mijn advies moeten doen.


1. Maak een map voor HijackThis en plaats het programma daarin. Je draait het programma nu vanuit een tijdelijke map en op die manier raken de back-ups gemakkelijk zoek.

2. Scan opnieuw met HijackThis, vink alle bovenstaande items (zie quote) aan, sluit alle vensters behalve HijackThis zelf en klik op "Fix Checked".

3. Herstart de pc in veilige modus. Als je niet weet hoe dat moet, kijk dan hier: klik

Zorg in de Verkenner, via Extra -> Mapopties -> Weergave, dat verborgen bestanden en mappen worden weergegeven.

Verwijder nu, in veilige modus dus, de volgende mappen:

C:\PROGRA~1\FORBEE~1\multi upload skip.exe <- d.w.z. die hele map waar "multi upload skip.exe" in zit
C:\PROGRA~1\STOPLI~1\bore plus.dll <- d.w.z. die hele map waar "bore plus.dll" in zit

4. Herstart de pc in 'normale modus'.

5. Hoe je dit kunt voorkomen? Ik zie dat je SpywareGuard al geïnstalleerd hebt; dan is het waarschijnlijk dat je SpywareBlaster ook al hebt. Maar dan nog moet je gewoon goed opletten wat je allemaal downloadt en installeert en waarmee je precies akkoord gaat bij de installatie van programma's. Als je goed opgelet had bij de installatie van Messenger Plus 3, had de rommel die je nu moet verwijderen niet op je pc gestaan.


Groetjes,

Buffy
 
Hoi Buffy,

Je tips van gisteravond (in de loop van pagina 72) geprobeerd uit te voeren. Dat is maar ten dele gelukt, maar waarschijnlijk wel voldoende om het ongedierte uit te roeien.
Volgens appinnit ging het inderdaad om de al bekende logphf.dll, maar bij hiving.bat was niets zichtbaar. Ook kon ik genoemd dll bestand nergens in mijn system32 map vinden.

Edoch, na opnieuw opstarten met de internetstekker erin zag ik in mijn adawarescan dat er nu 2 processen minder lopen dan eerst en ook ben ik de nortonmeldingen die mijn bureaublad opfleurden gelukkig kwijt.
Ook in mijn HJT-log staat dat zaakje niet meer onder 020.

'k Heb mijn log toch maar even bijgevoegd. Volgens mij staat er niks raars meer in.

Logfile of HijackThis v1.98.0
Scan saved at 23:42:30, on 19-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\FILTER~1\filtergate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\twain_32\SCSI600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis 1.98\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [FilterGate] C:\PROGRA~1\FILTER~1\filtergate.exe /ASK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\SCSI600\WATCH.EXE
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
O9 - Extra button: Linked Images - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\Program Files\IEimage\IEimage.htm
O9 - Extra 'Tools' menuitem: Linked Ima&ges - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - C:\Program Files\IEimage\IEimage.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Thnxs 4ever
 
Status
Niet open voor verdere reacties.
                    Steun ons                    

Nieuwste berichten

Terug
Bovenaan Onderaan